What Can Taiwan Learn From Ukraine’s Cyber Army?
Hack-and-leak campaigns of the kind used by Ukraine may well be harnessed by the Taiwanese government during a Chinese invasion of the island.
Roskomnadzor, Russia's main telecommunications and mass media regulator, has long been opaque to outsiders. A recent New York Times report, however, has shed light on the agency's expansion into censorship and social repression. Roskomnadzor has grown from an agency largely devoted to regulating telecommunications companies, along the lines of the U.S. Federal Communications Commission, into a critical piece of Russia’s state surveillance apparatus. The report from the Times describes Roskomnadzor’s attempts to catalog social media posts based on their political leaning, reports on prominent social media personalities, and even intimidation campaigns targeting “anti-government” individuals. The report relies almost entirely on approximately 160,000 files that were leaked by pro-Ukrainian hackers at the beginning of Russia's invasion of Ukraine. It shows both how Roskomnadzor has become a major instrument of social repression in Russia and how effective pro-Ukrainian hack-and-leak campaigns were at the beginning of the war.
Hack-and-leak operations, in which operators steal data from vulnerable organizations and make it publicly available, have become increasingly common in the last decade. Perhaps the most famous campaign was the leak of emails and documents from the Democratic National Committee by Russian state-sponsored hackers ahead of the 2016 presidential election.
The Times report is one of the most thorough public uses of leaked data to give further insight into Russian government operations. The documents used to create it are a small portion of the terabytes of data stolen from the Russian divisions of several multinational mining, manufacturing, and oil and gas firms in the first months of the war by pro-Ukrainian hackers. The implications for Russian government organizations are now clear in the wake of the Times report, and outsiders’ knowledge of how these organizations operate will only grow in the coming years as researchers sift through the enormous amount of data leaked.
The pace of the Ukrainian hack-and-leak campaign has slowed in recent months. This is likely because attackers have already hit many of the most vulnerable systems, and because the IT Army of Ukraine, an irregular hacking force coordinated by Ukrainian government officials through Telegram and other social media, along with other coordinating mechanisms, has shifted toward more disruptive attacks, including distributed denial of service attacks and wiper malware. The number of leaks by Ukrainians has declined since the start of the war, but leaks are still occurring: on October 17, over one million files were leaked from Technoserv, a large Russian consulting firm with deep ties to the Russian government, including employees’ personal information, designs for IT systems, contracts with partners, and internal databases.
Still, while hack-and-leak operations may have faded, they could play a key role in another major geopolitical theater—the Taiwan Strait.
Cyber Parallels Between Ukraine and Taiwan
A hack-and-leak campaign is one potential consequence of a Chinese assault on Taiwan. Several factors that enabled the Ukrainian hack-and-leak campaign would likely be present in the case of a Chinese invasion of Taiwan. The Ukrainian campaign has relied on overwhelming public support from the West, which, among other things, allowed groups like the IT Army of Ukraine and Anonymous, an independent, loosely coordinated group of hacktivists that intervenes in opposition to what its members view as oppressive government action, to organize near-constant attacks. Ukrainian government officials possessed a keen understanding of how to mobilize these volunteers from the start and have steered attackers toward valuable targets in Russia using Telegram and other means of coordination. The Ukrainians also benefited from the fact that many Russian organizations had, like many organizations in other countries, left critical systems insecure, giving attackers a means of access.
These and other conditions would likely apply to any civilian campaign against China in the wake of an invasion of Taiwan. Whether Taiwan would be able to garner sufficient public support is an open question, and likely depends on both the timing and the manner of a hypothetical Chinese invasion. Likewise, any Taiwanese attempt to turn international support into a hack-and-leak campaign would depend on the strength of both Taiwanese institutions and their coordination mechanisms. The Great Firewall, a series of policies and systems designed to regulate the flow of information into and out of China via the internet, could also have an effect on any campaign. While the previous three factors are likely to shift in the short term and would be influenced by events in the immediate run-up to a conflict, the Chinese cybersecurity environment offers a relatively static area for analysis.
Assuming a public backlash to an invasion occurs and Taiwanese authorities are able to marshal it as the Ukrainians have, how would Chinese cybersecurity stack up? The likely answer: not well.
There are several indications that China’s cybersecurity industry would face difficulties responding to an unsophisticated, large-scale campaign of the kind Ukraine has spearheaded against Russia. China is a hotbed of cybercriminal activity, despite making some progress in recent years in pushing cybercriminals out of the country and reforming the country’s privacy and cybersecurity laws. Major Chinese advanced persistent threats (APTs), including APT 41 and Webworm, which conduct many Chinese cyberattacks against foreign targets, also moonlight as criminal hackers and attack businesses in China. Outside of APTs, which are the most capable and well-resourced cyber attackers, China also plays host to a large cybercrime community, whose members operate on private criminal forums and frequently trade access to Chinese companies’ networks and data stolen from those networks. These lower-level forum-based hackers are similar to the kinds of hackers who could be expected to participate in a hacktivism campaign. The current vulnerability of Chinese businesses is not likely to improve in the coming years.
Businesses are not the only sector vulnerable to cyberattacks, however. The government itself has fallen victim to several major hacks in recent years. Earlier this year, a hacker stole twenty-three terabytes of data from the Shanghai National Police and posted it for sale on a cybercrime forum. The data included names, addresses, phone numbers, birthplaces, national ID numbers, and criminal case details for over a billion people, nearly 70 percent of China’s population. While this leak was unusually extreme, Chinese government documents appear to be leaked on the same forum several times a month. While the Chinese government has taken steps toward improving cybersecurity within the country, it remains to be seen whether those changes will be applied in practice. Currently, there are significant vulnerabilities in Chinese government systems, which is especially troubling given the enormous amounts of personally identifiable information the Chinese government collects on its citizens. The capabilities of the cybercriminals who share this government data are likely roughly on par with those of the hackers who could be expected to participate in an irregular cyber campaign.
Any potential hacktivist campaign in China would follow the existing contours of cybersecurity in the country. Previous attacks against both businesses and the government provide a view into the state of cybersecurity in China, areas of potential vulnerability, and what effects different categories of attackers would have. Furthermore, the hack-and-leak campaign against Russia has demonstrated how leaked documents can offer a window into a regime’s activities. A hack-and-leak campaign would have an even greater effect in China, given the larger size of the country and the government’s collection of massive amounts of personal information. Hack-and-leak operations have been shown to cause social instability, most notably following the Russian hack-and-leak campaigns during the 2016 U.S. election, and any such instability could force the Chinese regime to respond to unrest at home at the same time it tries to take Taiwan.
Kyle Fendorf is the research associate for the Digital and Cyberspace Policy program at the Council on Foreign Relations.