>Our CTI analysts comment on Pangu Lab’s report regarding a 2013 exploit to Bloomberg. This is an expert of Bloomberg's article. Read more at [Bloomberg](https://www.bloomberg.com/news/articles/2022-02-24/chinese-report-on-suspected-nsa-hack-shows-beijing-pushing-back)

For years, Washington has accused Beijing of instigating cyberattacks against the US. and its allies. Now, a Chinese cybersecurity firm says it has identified hacking within China by a group linked to the National Security Agency, hinting at a rethink of how Beijing handles its geopolitical rival. 

Chinese officials and companies like Huawei Technologies Co. have often responded to U.S. accusations in the past by declaring America the worst cyber-offender of all, pointing in particular to Edward Snowden’s revelations about U.S. espionage.

But this week, Pangu Lab said it discovered U.S.-sponsored hacking activity on Chinese soil. It said it found malware in domestic IT systems it claims was created by hacking group Equation, which is “generally believed” to be linked to the U.S. National Security Agency. In a report issued Feb. 23 and covered by the Communist Party-backed Global Times, Pangu Lab said the malware, called Bvp47, had been discovered within “a key Chinese department” in 2013 and 2015. Pangu Lab claimed the malware infiltrated systems to monitor and track key institutions in 45 countries around the world, including U.S. allies, in a campaign that lasted 10 years.

……

Taiwanese cybersecurity firm TeamT5 said that while Pangu Lab’s report was “one of the most detailed and in-depth forensic investigations published by Chinese cybersecurity firms,” it was curious that they chose a decade-old case to dissect.

“In the future, we think there will be more and more similar attribution reports by Chinese cybersecurity firms being leveraged by the Chinese state media to conduct propaganda campaigns,” analysts at TeamT5 wrote.
 
 
*Image courtesy of [Pixabay](https://pixabay.com/)

【Bloomberg】Chinese Report on Suspected NSA Hack Shows Beijing Pushing Back

>TeamT5 資安威脅情資分析師團隊接受彭博社(Bloomberg)訪問，針對中國盤古實驗室(Pangu Lab)揭露他們在2013年所發現的後門程式Bvp 47之報告，進行評論與分析。本文為摘錄，完整文章請見 [Bloomberg](https://www.bloomberg.com/news/articles/2022-02-24/chinese-report-on-suspected-nsa-hack-shows-beijing-pushing-back)

For years, Washington has accused Beijing of instigating cyberattacks against the US. and its allies. Now, a Chinese cybersecurity firm says it has identified hacking within China by a group linked to the National Security Agency, hinting at a rethink of how Beijing handles its geopolitical rival. 

Chinese officials and companies like Huawei Technologies Co. have often responded to U.S. accusations in the past by declaring America the worst cyber-offender of all, pointing in particular to Edward Snowden’s revelations about U.S. espionage.

But this week, Pangu Lab said it discovered U.S.-sponsored hacking activity on Chinese soil. It said it found malware in domestic IT systems it claims was created by hacking group Equation, which is “generally believed” to be linked to the U.S. National Security Agency. In a report issued Feb. 23 and covered by the Communist Party-backed Global Times, Pangu Lab said the malware, called Bvp47, had been discovered within “a key Chinese department” in 2013 and 2015. Pangu Lab claimed the malware infiltrated systems to monitor and track key institutions in 45 countries around the world, including U.S. allies, in a campaign that lasted 10 years.

……

Taiwanese cybersecurity firm TeamT5 said that while Pangu Lab’s report was “one of the most detailed and in-depth forensic investigations published by Chinese cybersecurity firms,” it was curious that they chose a decade-old case to dissect.

“In the future, we think there will be more and more similar attribution reports by Chinese cybersecurity firms being leveraged by the Chinese state media to conduct propaganda campaigns,” analysts at TeamT5 wrote.

 
 
*首圖來源: [Pixabay](https://pixabay.com/)

【Bloomberg 採訪報導】Chinese Report on Suspected NSA Hack Shows Beijing Pushing Back

> We are honored to be interviewed by  [Cybernews](https://cybernews.com/), a research-based online publication that helps people navigate a safe path through their increasingly complex digital lives. In the interview, we share how TeamT5 originated with our cyber threat intelligence researches and how we do to help clients fight against ransomware. The whole interview report is below or can be viewed at [Cybernews](https://cybernews.com/security/sung-ting-tsai-teamt5-companies-shouldnt-claim-themselves-as-100-secured-or-unhackable/)。

**A ransomware attack may be a once-in-a-lifetime event for some, while for others, it is more so of an evergoing battle of wits, technology, and speed, which requires constant diligence and preparations.**

While more and more companies invest in proper cybersecurity measures, both by investing in professional infrastructures and [relying on commercial privacy and data protection management tools](https://cybernews.com/best-password-managers/), not many are involved in actively hunting threats that may as well have already penetrated their defenses.

To discuss such issues, Cybernews sat down with Sung-ting Tsai, the Chief Executive Officer of [TeamT5](https://teamt5.org/en/) – a cybersecurity intelligence firm. We talked about the dos and don’ts in the event of a ransomware attack and what cybersecurity measures are most important to take.

### Tell us about your story. How did TeamT5 originate?

Previously, I worked in a big cybersecurity company and led a research team. I found that clients often got hacked even though we made great solutions. I think the key is we didn’t have insights on attackers’ TTP (tactics, techniques, and procedures) so our defense couldn’t protect clients from those attackers.

Therefore, I became interested in cyber threat intelligence (CTI) research and decided to build TeamT5 to do CTI research. Back then, our team already discovered that the latest and advanced cyberattacks happened in Taiwan first. It gives us advantages to publish in-depth analysis and research.

Our niche is that we have focused on cyberattacks and cyber espionage for a long time. As not many people focus on this area, our research results are even more valuable and help many people and organizations around the world, especially in the US, Japan, and Korea.

Then, we made our reports of cyber threat intelligence into a solution – ThreatVision, a portal to see through the chaos. In 2017, we developed ThreatSonar which is an engine to hunt down intruders. It helps clients to defend against cyberattacks. When others can’t catch malicious cyberattacks – we can.

Since we established, we consider cyber threat intelligence research as the most important task. We have published more than 30 research papers in international cybersecurity seminars and conferences, including Black Hat Asia, SANS Institute – CTI Summit, Virus Bulletin (VT), and CodeBlue. Our findings are recognized by many clients, including one of the top five international banks, top telecom and business groups in Japan, and governmental critical infrastructures in Taiwan.

### Can you tell us a little bit about what you do? What challenges do you help navigate?

Our mission is to become the best partner to defend against advanced persistent threats (APTs).

Clients are facing two challenges:

1. While attackers know a lot about clients, our clients know a little about what they’re facing.
2. Clients don’t have sufficient technology to defend against attackers.

To help a client beat ransomware and cyber espionage, we provide three types of solutions:

1. **Threat Intelligence** – let clients know the enemies well and plan defense strategies.
2. **Defense Technology **– let clients be equipped with good tools in order to hunt down the enemies.
3. **Professional Service** – we work with clients to help them deal with various cyber threats.

### You often emphasize the importance of proactive threat hunting. Can you briefly describe this practice?

Traditionally, the idea of cybersecurity protection is to do multi-layered defense. However, the current problem is that enterprises don’t know whether attackers are already on the intranet.

So, we suggest that “proactive threat hunting” is a better idea for cyber protection nowadays. It means enterprises use our tool ThreatSonar Anti-Ransomware to do active and aggressive scans on logs from SIEM (security information and event management). Enterprises can even apply new screening rules on previous logs to discover previous malicious activities.

### How do you think the recent global events influenced the ways in which threat actors operate?

Looking into cyber attackers' behaviors, you can see that cyberattacks are effective and their impacts are bigger than ever. These impacts can be categorized into two types – one is leaking important information, while the other is data sabotage and ransom.

We observe that more operations with more power are conducted by many countries. Countries are also focusing on information operations (InfoOps). They invest more resources in public opinion operations, social media operations, and media operations. Their goal is to achieve impacts with certain purposes.

Recently, Ukraine conducts such operations really well. It indicates that if there are wars or disputes between counties in the future, such InfoOps will be common scenes.

### In the age of frequent cyberattacks, do you think small businesses and big enterprises require the same security measures?

In fact, it’s unlikely that small businesses apply the same cybersecurity measures as big enterprises. Our suggestion is for small businesses to use the same cybersecurity framework and ideas as big enterprises do. And small businesses shall prioritize each task and start with the most important parts.

We found that the most challenges that small businesses are not willing to invest in are cybersecurity measures. However, it’s important to do that in order to make business operations go smoothly.

### Since ransomware is one of your main fields of focus, could you give us a few tips on what should and shouldn't be done in the event of such an attack?

I advise companies to do defense in four steps:

1. **Threat awareness** – catch up on the latest cyber intelligence to understand the potential threats.

2. **Before attack** – deploy tools and measures to be prepared, e.g. backup your data and deploy anti-ransomware solutions.

3. **During attack** – have tools to see attacks that are happening (which means to make attacks visible); if there are attacks happening, enterprises shall have response measures.

4. **After attack** – companies shall have a standard operation procedure (SOP) on how to recover files and services. If companies prepare well, they may return to normal operations within a day; otherwise, they may still be shut down for a week, or even have to pay a ransom. Companies shall prepare for a negotiation. Some professional teams can help with that and lower the ransom amount.

Other things one should and shouldn't do:

1. Should – backup your files and patch up security

2. Shouldn't – threaten attackers

### In your opinion, what are the worst cybersecurity habits that make companies attractive targets for ransomware hackers?

Do not provoke actors! They are more capable than you think. Companies shouldn’t claim themselves as 100% secured or unhackable as tall trees catch much wind. For ransomware prevention, the most important thing is to do backups and put them offline.

### What new threats do you think the public should be ready to take on in the next few years? What security tools should be implemented by every internet user?

Firstly, there will be more ransomware attacks. The reason is that attackers are protected and hidden behind various technologies, such as the dark web (run on Tor), cryptocurrencies, and secured instant messengers. And victims are willing to pay to get files back. It makes ransomware attacks a profitable business.

The second threat is that countries will invest more in cyberattacks, including developing cyber weapons, increasing the power of cyberattacks, and recruiting more talents.

We suggest enterprises and government units invest more in cybersecurity in order to defend against the threats mentioned above. We think the key is cyber threat intelligence rather than tools. When enterprises and government units know more about attackers, they can defend better. As the old saying goes – know the enemy and know yourself in a hundred battles, and you will never be in peril.

### Share with us, what’s next for TeamT5?
We hope to increase our influence through cyber threat intelligence research. We believe our experience, research, and technology shared with more people can help them deal with APT threats.

【Cybernews】Sung-ting Tsai, TeamT5: “companies shouldn’t claim themselves as 100% secured or unhackable”

> 我們很高興受到  [Cybernews](https://cybernews.com/) 專訪，該線上媒體以資安研究為核心，協助人們在日益複雜的數位生活中，走出一條安全的道路。在本次專訪中，執行長蔡松廷(Sung-ting Tsai)分享公司成立的緣起，乃是基於威脅情資研究；並分享我們如何協助客戶防禦勒索軟體入侵。完整訪問內容可參考下方轉載，或至 CyberNews 官網閱讀 ([全文連結](https://cybernews.com/security/sung-ting-tsai-teamt5-companies-shouldnt-claim-themselves-as-100-secured-or-unhackable/)).

**A ransomware attack may be a once-in-a-lifetime event for some, while for others, it is more so of an evergoing battle of wits, technology, and speed, which requires constant diligence and preparations.**

While more and more companies invest in proper cybersecurity measures, both by investing in professional infrastructures and [relying on commercial privacy and data protection management tools](https://cybernews.com/best-password-managers/), not many are involved in actively hunting threats that may as well have already penetrated their defenses.

To discuss such issues, Cybernews sat down with Sung-ting Tsai, the Chief Executive Officer of [TeamT5](https://teamt5.org/en/) – a cybersecurity intelligence firm. We talked about the dos and don’ts in the event of a ransomware attack and what cybersecurity measures are most important to take.

### Tell us about your story. How did TeamT5 originate?

Previously, I worked in a big cybersecurity company and led a research team. I found that clients often got hacked even though we made great solutions. I think the key is we didn’t have insights on attackers’ TTP (tactics, techniques, and procedures) so our defense couldn’t protect clients from those attackers.

Therefore, I became interested in cyber threat intelligence (CTI) research and decided to build TeamT5 to do CTI research. Back then, our team already discovered that the latest and advanced cyberattacks happened in Taiwan first. It gives us advantages to publish in-depth analysis and research.

Our niche is that we have focused on cyberattacks and cyber espionage for a long time. As not many people focus on this area, our research results are even more valuable and help many people and organizations around the world, especially in the US, Japan, and Korea.

Then, we made our reports of cyber threat intelligence into a solution – ThreatVision, a portal to see through the chaos. In 2017, we developed ThreatSonar which is an engine to hunt down intruders. It helps clients to defend against cyberattacks. When others can’t catch malicious cyberattacks – we can.

Since we established, we consider cyber threat intelligence research as the most important task. We have published more than 30 research papers in international cybersecurity seminars and conferences, including Black Hat Asia, SANS Institute – CTI Summit, Virus Bulletin (VT), and CodeBlue. Our findings are recognized by many clients, including one of the top five international banks, top telecom and business groups in Japan, and governmental critical infrastructures in Taiwan.

### Can you tell us a little bit about what you do? What challenges do you help navigate?

Our mission is to become the best partner to defend against advanced persistent threats (APTs).

Clients are facing two challenges:

1. While attackers know a lot about clients, our clients know a little about what they’re facing.
2. Clients don’t have sufficient technology to defend against attackers.

To help a client beat ransomware and cyber espionage, we provide three types of solutions:

1. **Threat Intelligence** – let clients know the enemies well and plan defense strategies.
2. **Defense Technology **– let clients be equipped with good tools in order to hunt down the enemies.
3. **Professional Service** – we work with clients to help them deal with various cyber threats.

### You often emphasize the importance of proactive threat hunting. Can you briefly describe this practice?

Traditionally, the idea of cybersecurity protection is to do multi-layered defense. However, the current problem is that enterprises don’t know whether attackers are already on the intranet.

So, we suggest that “proactive threat hunting” is a better idea for cyber protection nowadays. It means enterprises use our tool ThreatSonar Anti-Ransomware to do active and aggressive scans on logs from SIEM (security information and event management). Enterprises can even apply new screening rules on previous logs to discover previous malicious activities.

### How do you think the recent global events influenced the ways in which threat actors operate?

Looking into cyber attackers' behaviors, you can see that cyberattacks are effective and their impacts are bigger than ever. These impacts can be categorized into two types – one is leaking important information, while the other is data sabotage and ransom.

We observe that more operations with more power are conducted by many countries. Countries are also focusing on information operations (InfoOps). They invest more resources in public opinion operations, social media operations, and media operations. Their goal is to achieve impacts with certain purposes.

Recently, Ukraine conducts such operations really well. It indicates that if there are wars or disputes between counties in the future, such InfoOps will be common scenes.

### In the age of frequent cyberattacks, do you think small businesses and big enterprises require the same security measures?

In fact, it’s unlikely that small businesses apply the same cybersecurity measures as big enterprises. Our suggestion is for small businesses to use the same cybersecurity framework and ideas as big enterprises do. And small businesses shall prioritize each task and start with the most important parts.

We found that the most challenges that small businesses are not willing to invest in are cybersecurity measures. However, it’s important to do that in order to make business operations go smoothly.

### Since ransomware is one of your main fields of focus, could you give us a few tips on what should and shouldn't be done in the event of such an attack?

I advise companies to do defense in four steps:

1. **Threat awareness** – catch up on the latest cyber intelligence to understand the potential threats.

2. **Before attack** – deploy tools and measures to be prepared, e.g. backup your data and deploy anti-ransomware solutions.

3. **During attack** – have tools to see attacks that are happening (which means to make attacks visible); if there are attacks happening, enterprises shall have response measures.

4. **After attack** – companies shall have a standard operation procedure (SOP) on how to recover files and services. If companies prepare well, they may return to normal operations within a day; otherwise, they may still be shut down for a week, or even have to pay a ransom. Companies shall prepare for a negotiation. Some professional teams can help with that and lower the ransom amount.

Other things one should and shouldn't do:

1. Should – backup your files and patch up security

2. Shouldn't – threaten attackers

### In your opinion, what are the worst cybersecurity habits that make companies attractive targets for ransomware hackers?

Do not provoke actors! They are more capable than you think. Companies shouldn’t claim themselves as 100% secured or unhackable as tall trees catch much wind. For ransomware prevention, the most important thing is to do backups and put them offline.

### What new threats do you think the public should be ready to take on in the next few years? What security tools should be implemented by every internet user?

Firstly, there will be more ransomware attacks. The reason is that attackers are protected and hidden behind various technologies, such as the dark web (run on Tor), cryptocurrencies, and secured instant messengers. And victims are willing to pay to get files back. It makes ransomware attacks a profitable business.

The second threat is that countries will invest more in cyberattacks, including developing cyber weapons, increasing the power of cyberattacks, and recruiting more talents.

We suggest enterprises and government units invest more in cybersecurity in order to defend against the threats mentioned above. We think the key is cyber threat intelligence rather than tools. When enterprises and government units know more about attackers, they can defend better. As the old saying goes – know the enemy and know yourself in a hundred battles, and you will never be in peril.

### Share with us, what’s next for TeamT5?
We hope to increase our influence through cyber threat intelligence research. We believe our experience, research, and technology shared with more people can help them deal with APT threats.

【Cybernews 專訪】TeamT5 執行長蔡松廷表示企業不宜宣稱自身100%不會被駭入

News

>Our cyber threat analyst Che Chang gives observations on China’s sudden warnings about US hackers. This is an expert of WIRED's article. Read more at [WIRED](https://www.wired.co.uk/article/china-us-hacking-accusations).

For the best part of a decade, US officials and cybersecurity companies have been naming and shaming hackers they believe work for the Chinese government. These hackers [have stolen](https://www.wired.com/2013/02/chinese-army-linked-to-hacks/) terabytes of data from pharmaceutical companies to [video game firms](https://www.wired.com/story/chinese-hackers-charged-decade-long-crime-spying-spree/), [compromised servers](https://www.wired.com/story/fbi-takes-drastic-step-to-fight-china-hacking-spree/), [stripped security protections](https://www.wired.com/story/the-full-story-of-the-stunning-rsa-hack-can-finally-be-told/), and [highjacked hacking tools](https://www.wired.com/story/china-nsa-hacking-tool-epme-hijack/), according to security experts. And as [China’s alleged hacking has grown in aggression](https://www.wired.com/story/china-hacking-reckless-new-phase/), individual Chinese hackers face indictments. However, things may be changing.

Since the start of 2022, there has been a marked uptick in China’s Foreign Ministry and the country’s cybersecurity firms calling out alleged US cyberespionage. Until now, these allegations have been a rarity. But the disclosures come with a catch: They appear to rely on years-old technical details, which are already publicly known and don’t contain fresh information. The move may be a strategic change for China as the nation tussles to cement its position as a tech superpower.

“These are useful materials for China’s tit-for-tat propaganda campaigns when they faced US accusation and indictment of China’s cyberespionage activities,” says Che Chang, a cyber threat analyst at Taiwan-based cybersecurity firm TeamT5.

 
 
*Image courtesy of Pexels

【WIRED】The Mystery of China’s Sudden Warnings About US Hackers

>TeamT5 資安威脅情資分析師 Che Chang 接受 WIRED 訪問，針對中國警告美國駭客行動的消息，進行評論與分析。本文為摘錄，完整文章請見 [WIRED](https://www.wired.co.uk/article/china-us-hacking-accusations)。

近十年來，美國方常點名那些被視為替中國工作的駭客，這些駭客從製藥公司竊取了大量數據，或破壞企業的伺服器等，個別駭客並面臨起訴。

然而 WIRED 記者觀察到，自2022年初，中國外交部和該國資安公司指稱與美國有關聯的網路間諜活動明顯增加，然而這類指稱是基於已有多年歷史的資料，細節也已廣為人知。

WIRED 記者訪問多位專家，TeamT5 資安威脅情資分析師 Che Chang 提出推測，即中方提出這些指控的動機，是因中國面臨美國的網路間諜指控和起訴時，做為以牙還牙的材料。

完整文章請見 [WIRED](https://www.wired.co.uk/article/china-us-hacking-accusations)。

 
 
*首圖來源: Pexels

【Bloomberg 採訪報導】Chinese Report on Suspected NSA Hack Shows Beijing Pushing Back

Related Post

【Cybernews 專訪】TeamT5 執行長蔡松廷表示企業不宜宣稱自身100%不會被駭入

【Bloomberg 採訪報導】Chinese Report on Suspected NSA Hack Shows Beijing Pushing Back

【WIRED 採訪報導】關於中國突發針對美國駭客警告之謎團與分析