Agriculture in the crosshairs of nation-state sponsored hackers (3/5)

China
The Democratic Republic of China is well underway of becoming the global hegemon, challenging the United States who currently hold this position. To succeed in its catch-up, China has active policy in place to acquire foreign technology and know-how. The policy consists of a multifaced plan that is meant to perform an upgrade to China’s economy and overall power. Modernizing the agricultural industry is a vital part of the plan. Feeding 1.4 billion people is not an easy task, given the fact China has only a relatively low percentage of land fit for agriculture and is facing increasing desertification and deforestation, further reducing their amount of agriculture land. Western technology and knowledge would surely increase the resilience of the Chinese food system and the efficiency of their farming practices.

China has many partnerships, regulatory strategies and corporate practices in place to overcome the innovation gap between them and the global West. Although a lot of information is exchanged, Western states and companies are not quite eager to share their most valued secrets, as one can imagine. In order to acquire precisely these kinds of secrets, the Chinese government has a known record of deploying their vast cyber apparatus. The Chinese APTs carry out numerous attacks all around the globe. In the agricultural industry, espionage and information theft have been singled out as their main motives. This illustrates clearly that APTs are being used to support China’s modernization efforts and play an important role in achieving its strategic goals (see also figure 1).

Figure 1 - China's multipronged approach to its innovation driven economic growth model.

An example of a Chinese APT active in agricultural and industrial sectors is APT 41, also known as WICKED PANDA. This hacker group, which has also been observed in the Netherlands¹, became known to the public after they hacked Bayer, the largest agricultural supply company in the world. Bayer claims that they have found no evidence of information theft, fortunately².

Hunt & Hackett outsmarts hostile APTs by tracking and anticipating their preferred attacking methods (TTPs) and the Tools they use. Hunt & Hackett is aware of 33 APT-groups, which have been attributed to China, which are targeting agriculture or related industries now and in the past. Do note that some of them aren't active anymore, or at least have not been noticed by other security vendors in the past couple of years. Of these 33 APT-groups, 489 TTPs and 490 Tools leveraged by Chinese APTs are known to Hunt & Hackett.

Table 1 - Key statistics on APTs originating from China, and the TTPs and Tools they use in the agricultural and related industries as observed by Hunt & Hackett.

Russia
In the aftermath of the downfall of the USSR, Russia fell into chaos transforming from a state led market to an open and free economy. The first ten years, there was hardly any progress if not a set-back. Under President Putin, order was restored, and efforts to modernize the former leading Soviet nation could begin. For the agricultural sector, this was and still is a difficult task, given the fact that heavy industry had been prioritized over agriculture for the greater part of the 20th century.

That Russia is moving up the agricultural industry on their agenda is illustrated by several Food Security strategies being released in the last ten years. In the strategy documents, it is underlined that Russia needs to move towards self-sufficiency and away from dependency of other nations. It is also discussed how Russia’s food industry should cope with the threat of enduring international sanctions by stimulating the domestic (bio)technology- and scientific sector³.

Russia has never shied away from using illicit methods for the nation’s economic benefit. Not in the past, not in the present and not in the future. Making use of their highly skilled and sophisticated APTs in support of modernization efforts has been a key part of Russia’s strategic planning. Shopping abroad what you lack domestically seems to be the motto of Russia’s modernization strategy. This was also the conclusion of the Dutch general intelligence service, the AIVD, as they wrote in their 2020 yearly report⁴. In terms of activity, Russia is not the most dangerous adversary. In terms of quality, however, there are few countries that can trump Russian offensive cyber skills.

A very recent example of Russian cyber-aggression was a Russian APT  exploiting a vulnerability in popular and widely used software by the American company SolarWinds.

The state-backed hackers hid a backdoor in an update package, so when users would update their software the Russian gained access. By doing so, Russian state-backed hackers could access the systems of around 18.000 SolarWinds clients (see also figure 2).

Figure 2 - How the Solarwinds hack took place.

A total of 18 Russian APT-groups (now and in the past) that have been active in agriculture or related industries are known to Hunt & Hackett. To counter and to be prepared for their cyber-attacks in the future, Hunt & Hackett tracks the TTPs and Tools they have employed in the past. At this moment, Hunt & Hackett has encountered 423 TTPs and 339 Tools used by Russian APTs in the relevant industries.

1. https://apt.thaicert.or.th/cgi-bin/showcard.cgi?g=APT%2041&n=1
2. https://www.cyberscoop.com/bayer-breached-china-wicked-panda/ 
3. https://apps.fas.usda.gov/newgainapi/api/Report/DownloadReportByFileName?fileName=New%20Food%20Security%20Doctrine%20Adopted_Moscow_Russian%20Federation_02-03-2020;
4. https://www.aivd.nl/binaries/aivd_nl/documenten/jaarverslagen/2021/04/29/aivd-jaarverslag-2020/AIVD-jaarverslag+2020.pdf