A Conversation with Mei Danowski (Natto Thoughts) and Eugenio Benincasa (ETH Zürich Center for Strategic Studies)
Mei Danowski is a researcher focused on strategic threat intelligence, and a co-founder of Natto Thoughts. Eugenio Benincasa is a senior cyberdefense researcher with the Center for Security Studies at ETH Zürich (his CSS profile page is here). They recently collaborated on an article for Natto Thoughts about Chinese cyber range exercises.
Notes and Links:
The main inspiration for this discussion is the Natto Thoughts article Business Priorities of Chinese Cyber Range Providers Go Hand in Hand with State Cyber Capability Development, published on October 9, 2024. Many of the links referenced during the video/podcast are Chinese-language resources that can be found via the article.
01:09 Business Priorities of Chinese Cyber Range Providers Go Hand in Hand with State Cyber Capability Development: https://nattothoughts.substack.com/p/business-priorities-of-chinese-cyber
03:45 From the following guide (pdf): https://www.nist.gov/system/files/documents/2023/09/29/The%20Cyber%20Range_A%20Guide.pdf
04:55 Locked Shields: https://ccdcoe.org/locked-shields/
05:00 CCDCOE: https://ccdcoe.org/
05:18 CBUAE / UBF joint cyber wargame: https://www.centralbank.ae/en/our-operations/risk-management/cyber-security-centre-of-excellence-1/cyber-wargames/
05:36 https://cisa.gov
05:30 CISA TTX packages: https://www.cisa.gov/resources-tools/services/cisa-tabletop-exercise-packages
05:42 Exercise in a Box: https://www.ncsc.gov.uk/section/exercise-in-a-box/overview
06:22 There is a whole series of articles by the Natto Thoughts team on this topic, starting around October 2023. They’re all linked in the endnotes of the Natto cyber range article linked above.
07:15 https://nattothoughts.substack.com/p/flax-typhoon-linked-company-integrity
07:20 Flax Typhoon on Fraunhofer Malpedia: https://malpedia.caad.fkie.fraunhofer.de/actor/flax_typhoon
10:14 Conti ransomware: https://en.wikipedia.org/wiki/Conti_(ransomware)
10:24 China Leadership Monitor’s comparison of the Ministries of State Security (MSS) and Public Safety (MPS): https://www.prcleader.org/post/piercing-the-veil-of-secrecy-the-surveillance-role-of-china-s-mss-and-mps
11:45 DARPA National Cyber Range (archived announcement, pdf): https://obamawhitehouse.archives.gov/files/documents/cyber/DARPA%20-%20NationalCyberRange_FactSheet.pdf – Natto’s own articles cover the development of the Chinese cyber ranges pretty well. Another 2022 overview from Georgetown University can be found here: https://cset.georgetown.edu/publication/downrange-a-survey-of-chinas-cyber-ranges/
14:28 “Roar 2024 Network Security Industry Atlas”: these resources are all referenced in the Natto Thoughts cyber range article. These are (mostly) in Chinese, which we don’t speak and won’t even try to approach via machine translation, and we couldn’t find English-language versions of e.g. the Roar report. So please take the Natto team’s word for it!
19:48 https://english.cas.cn/
23:05 Chinese-language archive link: https://perma.cc/34X6-7FRS
24:35 Interestingly, there appears to have been a move within the PLA (People’s Liberation Army) to create a more integrated information technology and security capability: https://www.iiss.org/online-analysis/online-analysis/2024/05/chinas-new-information-support-force/ – does the same apply to the “civil” government sector?
26:10 It’s surprisingly hard to find a good online resource that lists all major known Chinese APT groups, at least via a lazy quick Google search. Intel 471 has a decent collection of group names and techniques here: https://intel471.com/blog/a-look-at-trending-chinese-apt-techniques – note that Silk Typhoon = Hafnium, and other groups may also have multiple names depending on agency/vendor naming convention
In addition, here are two relevant articles from Natto Thoughts:
Front Company or Real Business in China’s Cyber Operations
i-SOON: “Significant Superpower” or Just Getting the Job Done?
You can find CyAN’s Secure-in-Mind YouTube channel at https://youtube.com/@cybersecadvisors – and of course, our videos about cyber conflict on the State of (Cyber)War playlist here. All of our episodes are also available in audio format on Apple iTunes, Amazon Audible, Podcast Republic, Spotify, and Libsyn – links on our Media page.