CrowdStrike counter adversary chief on cyber threats from China, North Korea

By CBS News


Key Concepts

  • Civil-Military Fusion: A Chinese state strategy that integrates civilian and military sectors to enhance national power and offensive cyber capabilities.
  • Identity-Based Attacks: A shift in adversary tradecraft from exploiting a way into the network to logging in with stolen or phished credentials.
  • Network Appliance Vulnerabilities: Exploiting internet-facing devices (routers, VPN gateways, etc.) through known but unpatched vulnerabilities to gain long-term access.
  • Digital Asset Theft: Theft of cryptocurrency by state actors as a source of funds that sits outside the reach of international sanctions.
  • Remote IT Worker Schemes: North Korean operatives posing as remote IT staff to get hired by foreign companies and channel their salaries back to the regime.

1. The Cyber Threat Landscape: China

Adam Meyers, Head of Counter Adversary Operations at CrowdStrike, identifies China as a persistent top-tier threat actor.

  • Strategic Objectives: China's offensive cyber operations are tied to its political ambition to become the dominant global power. They serve two purposes: espionage in peacetime, and the option of disruptive attacks during a geopolitical conflict.
  • Civil-Military Fusion: This framework lets the Chinese state draw on civilian technological advances for military and intelligence purposes, multiplying the reach of its cyber operations.
  • Real-World Application: Meyers cited a case in which Chinese actors compromised a North American telecom provider. By exploiting a two-year-old vulnerability in a network appliance, they were able to manipulate traffic routing and monitor the communications of then-President-elect Trump. The lesson is that attackers often do not need "zero-day" (previously unknown) vulnerabilities; they rely on the poor maintenance of existing infrastructure.

2. North Korea’s Cyber-Crime Economy

North Korea has evolved into a dominant force in cybercrime, primarily driven by the need to circumvent international sanctions and fund its weapons program.

  • Evolution of Tactics: After the 2016 attempted theft of roughly $1 billion from Bangladesh Bank (the country's central bank) through the SWIFT interbank messaging system, North Korea pivoted toward more diverse digital revenue streams.
  • Revenue Generation:
    • Cryptocurrency Theft: North Korean operatives have become highly adept at attacking blockchain platforms and the exchanges built on them. A single theft last year, attributed to them, netted $1.46 billion in cryptocurrency.
    • Remote IT Infiltration: North Korean operatives are increasingly securing remote IT jobs at American businesses. By holding dozens of these positions at once, they generate significant income that is funneled directly back to the regime.
  • Impact: The report notes that North Korean operatives were tied to more than $2 billion in digital asset theft in the last year, providing critical funding for the country's weapons development.

3. Defensive Strategies for the Financial Sector

The financial sector is currently the fourth most targeted industry globally. To defend against increasingly sophisticated threats—including those incorporating Artificial Intelligence—Meyers recommends a two-pronged approach:

  • Prioritizing Identity Security: Because modern adversaries have moved from "breaking in" to "logging in" (with stolen or phished credentials), organizations need robust identity monitoring: who is logging in, from where, and whether that behavior is anomalous for that account, evaluated in real time.
  • Rigorous Patch Management: Organizations often overlook the network devices that connect the enterprise to the internet (routers, VPN gateways and similar appliances). Meyers emphasizes that patching these devices is critical, because attackers frequently exploit known, older vulnerabilities in them to gain long-term, persistent access to corporate networks.
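The identity monitoring described above (who logs in, from where, and whether that is normal for the account) can be reduced to a few concrete rules over an authentication log. The following is an added example written for this page, not code from the interview or from CrowdStrike's products; it assumes a normalised event stream that already carries a source-IP geolocation, and every event, IP address and baseline in it is constructed for illustration.

```python
"""Identity-anomaly triage over an authentication event stream.

Added example, not from the interview or from any CrowdStrike product.
Assumes each event has already been enriched with the source IP's country
and coordinates. All sample data below is constructed.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class AuthEvent:
    user: str
    ts: datetime
    ip: str
    country: str
    lat: float
    lon: float
    success: bool


@dataclass(frozen=True)
class Alert:
    user: str
    rule: str
    ts: datetime
    detail: str


MAX_PLAUSIBLE_KMH = 900.0            # about airliner speed; faster is "impossible travel"
FAILURE_THRESHOLD = 5                # failures from one IP before a success becomes suspicious
FAILURE_WINDOW = timedelta(minutes=10)


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = sin(dlat / 2) ** 2 + cos(lat1) * cos(lat2) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def detect_anomalies(events: list[AuthEvent], baseline: dict[str, set[str]]) -> list[Alert]:
    """Run three identity rules over events in time order.

    baseline maps each user to the set of countries they normally log in from
    (in practice learned from the previous weeks of successful logins).
    """
    alerts: list[Alert] = []
    last_success: dict[str, AuthEvent] = {}
    failures: dict[tuple[str, str], list[datetime]] = defaultdict(list)  # (user, ip) -> failure times

    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.user, ev.ip)
        if not ev.success:
            failures[key].append(ev.ts)
            continue

        # Rule 1: successful login from a country outside the user's baseline.
        if ev.country not in baseline.get(ev.user, set()):
            alerts.append(Alert(ev.user, "new_country", ev.ts, f"{ev.country} via {ev.ip}"))

        # Rule 2: impossible travel relative to the previous successful login.
        prev = last_success.get(ev.user)
        if prev is not None:
            hours = max((ev.ts - prev.ts).total_seconds() / 3600, 1 / 60)  # floor at one minute
            km = haversine_km(prev.lat, prev.lon, ev.lat, ev.lon)
            if km / hours > MAX_PLAUSIBLE_KMH:
                alerts.append(Alert(ev.user, "impossible_travel", ev.ts, f"{km:.0f} km in {hours:.2f} h"))

        # Rule 3: a burst of failures from this IP followed by a success, the
        # signature of credential stuffing or a password spray that landed.
        recent = [t for t in failures[key] if ev.ts - t <= FAILURE_WINDOW]
        if len(recent) >= FAILURE_THRESHOLD:
            alerts.append(Alert(ev.user, "failures_then_success", ev.ts, f"{len(recent)} failures before success"))

        failures[key].clear()
        last_success[ev.user] = ev
    return alerts


# Constructed sample: alice "travels" New York -> Seoul in 30 minutes, bob's
# account succeeds after six rapid failures, carol behaves normally.
T0 = datetime(2025, 3, 3, 9, 0)
NYC = ("US", 40.71, -74.01)
SEOUL = ("KR", 37.57, 126.98)
SAMPLE_EVENTS = [
    AuthEvent("alice", T0, "198.51.100.7", *NYC, True),
    AuthEvent("alice", T0 + timedelta(minutes=30), "203.0.113.9", *SEOUL, True),
    *[AuthEvent("bob", T0 + timedelta(minutes=i), "203.0.113.44", *NYC, False) for i in range(6)],
    AuthEvent("bob", T0 + timedelta(minutes=7), "203.0.113.44", *NYC, True),
    AuthEvent("carol", T0 + timedelta(hours=1), "198.51.100.8", *NYC, True),
]
BASELINE = {"alice": {"US"}, "bob": {"US"}, "carol": {"US"}}

if __name__ == "__main__":
    for a in detect_anomalies(SAMPLE_EVENTS, BASELINE):
        print(f"{a.ts:%H:%M} {a.user:6} {a.rule:22} {a.detail}")
```

Run as-is it reports two alerts for alice (new country and impossible travel) and one for bob (failures followed by success), and nothing for carol. The thresholds are deliberately simple; in production the country baseline is learned per account, and the rules are usually weighted and combined rather than each raising its own alert.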

Synthesis and Conclusion

The cyber threat landscape is characterized by state-sponsored actors who are increasingly sophisticated and financially motivated. China utilizes cyber operations as a tool for long-term geopolitical dominance and espionage, while North Korea utilizes cybercrime as a survival mechanism to fund its military ambitions. For the private sector, particularly financial institutions, the primary defense lies in moving away from perimeter-based security toward a model that prioritizes identity verification and the diligent maintenance of network infrastructure. The shift toward AI-enhanced playbooks by these adversaries makes the adoption of these defensive measures an urgent necessity.
