IT Brief Canada - Technology news for CIOs & IT decision-makers
Google Threat Intelligence explains China’s evolving cyber tactics

China's cyber capabilities have reached a new level of sophistication, and the world should take notice.

Speaking to TechDay at Google Cloud Next, Sandra Joyce, Vice President of Google Threat Intelligence, outlined a stark transformation in China's digital threat landscape. "China has arrived as a cyber superpower," she said. "We're seeing them active throughout the world, primarily in espionage."

The opening keynote at the event hinted at a future where people engage more seamlessly with data and insights. But Joyce was quick to highlight the dark side of technological advancement. "With all exciting times, threat actors are going to try to take advantage."

She began her overview with China's evolving cyber strategies. Where Chinese actors once relied on recognisable infrastructure and traditional methods, they now rotate infrastructure every 30 days, exploit zero-day vulnerabilities, and use commodity malware. These shifts make their activities significantly harder to detect.

"They're doing things like living off the land," she explained, referring to the use of standard system tools that mask malicious actions. "They're not using tailored or signature malware anymore."

Joyce noted that, unlike other nation-state actors such as Russia, North Korea or Iran, China has not demonstrated destructive cyber capabilities. "We have only seen espionage," she said. "With the exception of Volt Typhoon, which has embedded itself in critical infrastructure - there is only one reason to be in those systems, and that is to change the way they operate."

From China, Joyce pivoted to the increasingly bold actions of North Korean IT workers. Major companies initially hired them for legitimate work, but their roles have since shifted. "At first it was just workers getting paid," she said. "But then it changed. Their infrastructure overlapped with North Korean intelligence agencies." By early 2024, some of these operatives had moved into extortion operations.

Joyce was unequivocal about the global nature of this threat: "It's not just a US problem anymore. We're seeing it in Europe and in Asia."

She also reported a steady rise in ransomware incidents, based on multiple metrics. "We count the number of incidents we respond to and monitor data leak sites," she explained. "The number of victims is rising across the globe."

While there was a dip in ransomware activity in 2023, possibly linked to COVID-19 disruptions, Joyce confirmed it had rebounded. "By almost every measure, we're seeing more intrusions related to ransomware."

When asked how companies are defending themselves, Joyce stressed the importance of identity protection. Most initial intrusions stem from stolen credentials obtained through info-stealing malware. "Companies are now ensuring that more than just a username and password is needed," she said. Multi-factor authentication and improved access management are key steps.

Discussing her team's role within Google Cloud, Joyce offered insight into their integrated threat intelligence model. Google's acquisition of Mandiant, the threat intelligence firm she previously led, brought broader visibility to Google's cyber defence. "We put these two groups together and called it Google Threat Intelligence Group," she explained.

The merged team now identifies threats across Gmail, Android and Google Cloud, feeding insights back into Google's products and also to its customers. "We feed the intelligence into cloud security products, as well as to Google's own security," she said.

On potential future threats, Joyce acknowledged growing concerns around AI. She confirmed that, to date, Google's incident response teams have not seen AI play a significant role in real-world intrusions. But that could change. "We have to assume that threat actors are going to be using AI to carry out their schemes," she said.

Google has observed known threat actors attempting to use its AI model, Gemini, for malicious purposes. "They tried to defeat the guardrails and failed," Joyce said. "They were able to get the productivity gains that all of us get when we use these chatbots, but they couldn't do anything additive to their current capability."

Still, she acknowledged that as AI becomes more accessible, the barrier to entry for cyber criminals could lower. Many open models lack security guardrails, creating new opportunities for exploitation. "We're cognisant of that and know we need to be watching."

Asked whether the rise of non-developers using code - so-called "vibe coders" - poses a threat, Joyce said it's not a major concern now, but could become one. She likened it to the phenomenon of shadow IT, where unauthorised systems proliferate inside organisations. "It was interesting to go to an organisation for an incident response and have more devices pinging back than they had ever imagined."

On whether open-source or closed-source software is riskier, Joyce was cautious. "There are strengths and weaknesses to both," she said. "I would love to answer that in a data-driven way and not give you my guesses."

Joyce also highlighted the collaborative nature of the cybersecurity community, especially when it comes to major threats. While Google publishes much of its threat intelligence through blogs, informal sharing also plays a role. "There are times where something is important enough that we pick up the phone and make sure that we're seeing what our colleagues are seeing."

Recalling a specific example, Joyce said, "After the Soleimani killing, we saw password spraying across Europe targeting critical infrastructure. We called our friends at CrowdStrike immediately."

As the conversation drew to a close, she was asked what threat concerns her most in today's climate.

"The most difficult thing for us is to track the rise in Chinese cyber threat capability," she said. "It's getting more and more difficult to detect the creative and thorough work that they're doing."
