Che Chang
Senior Cyber Threat Analyst@TeamT5
Che Chang is a Senior Cyber Threat Analyst on TeamT5's CTI team. His research interests include the Chinese underground market and influence operations.
He is the author of the "TeamT5 Information Operation White Paper Series."
Che has been an invited speaker at many global and regional conferences, including Black Hat Asia, HITCON Pacific, Code Blue, SANS CTI Summit, the 2020 vGCTF Workshop and Cybersec in Taiwan.
Winning from Within: Chinese InfoOp Targeting Overseas Diaspora
With the turbulent political climate between China and the US, social media remains the primary battlefield on which Chinese threat actors seek to influence public opinion. Evidence suggests that China has combined different resources, including Chinese botnets, marketing firms, and overseas branches, in its influence operations (IO, or information operations). Notably, the IO content was tailored for overseas Chinese. We assess that China leverages its diaspora to further foment favorable narratives and win over the public in other countries.
In the first part of the presentation, we will dissect the recent evolution of the Chinese botnet. As generative AI became a heated concern at the end of 2022, Chinese botnets also adopted AI technologies in their campaigns to create related content. In "Operation WhitePaper," the Chinese botnet shared videos of VTuber avatars criticizing the White Paper Revolution, a 2022 protest against China's strict COVID policy.
In the second part of the presentation, we will introduce three notable campaigns to demonstrate the closer collaboration among the Chinese botnet, marketing firms, and overseas branches. First, we will detail how China's national police forces leverage the same botnet to operate disinformation campaigns in the US under the "912 Project". Then, we will share our exclusive investigation into a UK-based PR company. Lastly, we will elaborate on a recent case in Taiwan, showing how threat actors can potentially use local PR firms to conduct IO campaigns with more locally relevant content.
Chinese IO campaigns align with China's political agenda and often surge around important geopolitical events. In the last part of the talk, we will provide our assessment of the possible threat landscape for the rest of the year. In particular, as Taiwan will hold its next presidential election in January 2024, we will provide our predictions on the potential IO campaigns ahead, along with policy recommendations to mitigate their potential impact.
Money Making or Camouflaging? Dissecting APT41's Ransomware Activities
It is not an exaggeration to say that APT41 is among the most prolific and sophisticated Chinese state-sponsored groups. The 2020 US indictment did not hinder, or even slow down, APT41 from launching new attacks, as we observe its target scope and arsenal continuing to expand. APT41 is also one of a kind, since it has been known to conduct financially motivated cybercrime, which is not a common practice among Chinese APT groups. What is noteworthy is that our research suggests APT41 has been actively engaged in ransomware attacks since as early as 2019.
In this presentation, we will share our latest findings on APT41's engagement in ransomware attacks. Over the past three years, we have found traces of APT41's ransomware campaigns against at least 10 industries across 11 countries in Asia, Europe, and America.
We will also try to answer the question: Why did APT41 start deploying ransomware in its operations? Is it for camouflage or for money making? By comparing APT41's espionage and ransomware campaigns, we found some differences in malware usage and level of sophistication, despite overlaps in C2 infrastructure and tactics. Notably, technical indicators suggest that APT41 might be connected to the Hades ransomware gang. Given that APT41 is a group of private contractors operating on behalf of the Chinese authorities, we assess that APT41 might be operating as multiple teams with different goals, which would explain the differing aims behind its ransomware usage.
Its latest activities once again prove that the group still poses a significant risk to organizations worldwide. We believe threat intelligence and the attribution process can help defenders build a better strategy before APT41 strikes again.
CODE BLUE 2023 Sessionize Event