Overlapping Chinese APT and Private Security Contractor Activity

Published on: August 23, 2023

Our new report provides insight into overlapping activity conducted by Chinese state-sponsored APTs and Private Security Contractors (PSCs), in particular those which also conduct financially-motivated activity.

This overlap is particularly evident surrounding the Belt and Road Initiative (BRI) and Digital Silk Road (DSR). These projects raise the requirement for the Chinese state to leverage both kinetic and non-kinetic actors, leading to the ‘contractor/freelancer’ groups being leveraged.

This is also the case for the Chinese maritime militia, which consists of commercial fishing vessels and organisations that are only economically viable due to state subsidies. The activities of a trio of Chinese state-sponsored APT groups known to conduct financially-motivated attacks have been included in the report to illustrate these geographic overlaps.

A key factor stimulating the use of the cyber and non-cyber actors analysed in the report is the BRI. Unveiled in 2023 by President Xi Jinping as the “project of the century” involving 140 countries, the BRI is the framework for international and domestic development envisioned by the CCP and private organisations in China.

A successful BRI would almost certainly consolidate China’s aims of becoming a major player in international development and commerce through the provision of key infrastructural investments. This is not only in the interest of the Chinese state for economic and geopolitical purposes, but also of private Chinese corporations, which play a major role in the global cyber space.

The broad and grand aims of the BRI have caused alarmism against Chinese expansion, but the reality of the rollout now shows signs of shifting prioritisation in line with more deglobalised policies from Beijing. Following defaults on debts linked to BRI projects and slowing economic growth, projects are becoming smaller both figuratively and literally.

Between China’s “Wolf Warrior Diplomacy” and inconsistent policies on becoming an open economy, the political prospects of the BRI have also shrunk. A key influence for this shift is also linked to debt concerns, as many countries being funded by China for the BRI projects are facing difficulties making payments.

As in the case of cyber actors, ‘physical’ actors were required to meet the growing requirements of the Chinese government, leading to PSCs being legalised in 2009. PSCs’ activity overlaps with state-sponsored APT activity, as both kinetic and non-kinetic elements were required for strategic and operational purposes.

One of the key drivers of the requirement for physical security is the geographical jurisdictions in which BRI or strategic projects operate, which are often volatile regions (84% are medium to high risk in terms of investment).

Although the PSCs are directed by the Chinese state (as required by law), without a strong regulatory framework in place the proliferation of these contractors raises several risks.

While in the long term it is unlikely that Chinese PSCs will resemble Russian PMCs, individual financial motivations raise the risk of criminal elements being embedded into BRI supply chains.

The proliferation of China's use of financially-motivated actors for both cyber and non-cyber activity for strategic purposes obfuscates the extent of government control over these entities.

While Chinese PSCs differ from the Wagner Group’s ‘little green men’, China’s ‘little blue men’ are more comparable in terms of proxy power projection. The vessels being utilised are trained and funded by the PLA, which consolidates the financial interests of fishing activities in disputed waters and expands Chinese maritime power projection in the South China Sea.

This expansion is to the detriment of neighbouring nations, and again incorporates the financial motivation of contractors/freelancers and organisations into the strategic interests of the Chinese state.

Based on the research conducted by SecAlliance, it is evident that there are multifaceted overlaps between financially-motivated cyber and non-cyber entities and Chinese state aligned/BRI projects. While the scope of the research and subsequent analysis focused on overlapping activity of three key categories – APT groups, PSCs, and maritime militia – it is highly likely that these characteristics of contractor/freelancer models are being incorporated into other operational structures.

These activities raise the threat for supply chains and organisations beyond state interest due to the inclusion of financially-motivated actors, specifically Chinese APT groups, with access to state-level tooling. The Chinese APT and PSC overlaps related to BRI and strategic activities are global. The more assertive and aggressive actions China takes in foreign policy, the more likely that the trio (including maritime militia) of financially-motivated actors will be leveraged.

The full report is exclusively available on ThreatMatch for our ThreatMatch subscribers.