China’s State-Sponsored Hackers Set Up Business on the DarkNet

March 14, 2016 Updated: March 21, 2016

The Chief Information Security Officer (CISO) for a firm that specializes in gaining intelligence on the criminal activities in the darkest corners of the Internet has revealed the existence of private marketplaces run by China’s cyberspies.

Ed Alexander is CISO for the California-based company DBI. In a phone interview, Alexander said these private marketplaces are where many of China’s state-sponsored hackers do their side work and sell stolen data to the highest bidders.

“Their primary allegiance is to China. Their secondary allegiance is to themselves,” said Alexander, in a phone interview.

DBI trains and manages “DarkNet” operatives-for-hire, who conduct human intelligence (HUMINT) operations on the DarkNet, and Alexander oversees these CyberHUMINT teams, the world’s largest.

Contrary to reports saying China’s state-run hackers are clumsy and poorly skilled, Alexander said that in the 10 years since his deployment of cyber-HUMINT operations, “these are the most sophisticated people I’ve seen.”

Even other nation–state hackers, such as those with the Syrian Electronic Army, he said, “[are] nowhere close to the sophistication of the Chinese.”

The Hidden Internet

There are two sides to the Internet. The part most of us use is called the Clearnet or the Surface Net, and includes all parts of the Internet that are searchable and readily accessible. The other part of the Internet is the deep Web, which constitutes about 94 percent of the actual Internet and includes all the data that search engines can’t see.

Within the deep Web, there are hidden websites that can only be accessed using specialized tools, such as The Onion Router (TOR) Web browser. This part of the Internet is called the DarkNet, and while it has several benign websites, it is also home to digital black markets such as the “Silk Road,” which sells illegal drugs and firearms.

The part of the DarkNet that DBI deals with, however, is deeper still. It gathers intelligence from invite-only and private forums where the real cybercriminal underground conducts its business.

DBI’s approach is in sharp contrast to the new entrant DarkNet intelligence startups, which only scrape data off the open DarkNet forums. DBI is the only company offering cyber-HUMINT operatives-for-hire, and it is employed by Fortune 500 companies, law enforcement, military, and intelligence agencies worldwide.

Alexander compared the environment on the DarkNet to that of a prison gang ecosystem. New people on the DarkNet are not seen as being part of the gangs. “They’re just outsiders looking around,” he said, and are always oblivious to the discussions that go on among the organizations running the show.

He said in these communities, DBI sees discussions on which government and business networks are being targeted, which ones have already been breached, and which ones have their data being sold to the highest bidders.

China’s State Hackers

When it comes to the Chinese DarkNet, the more public forums are typically used by the less experienced hackers. The marketplaces operated by the state hackers are much more difficult to access.

Alexander said these hackers have told his operatives they’re state sponsored. “They tell us they work for China,” Alexander said.

The DarkNet marketplaces used by China’s state hackers use a three-step, invite-only process for access.

First, every would-be member needs to be proposed by a known member to a site’s admins for approval. Second, the candidate must be vouched for by at least five known and trusted DarkNet denizens of echelon status. Finally, every buyer needs to demonstrate they have at least $100,000 of bitcoin in a digital wallet, which the buyer proves they control. Only after passing the vetting process does a new member get access to shop and interact with other members.

Most of their clients are representatives from nation–states, and Alexander said there are buyers from a surprisingly large number of countries on their markets, including Russia and Iran.

He said the Chinese state hackers will sell to “any country that has enough money to pay them for their services—this is about money,” yet noted they strictly do not sell to representatives from terrorist organizations.

Stolen data sells for anywhere up to $75,000. Access to a business or government network goes for around $100,000. And if the client wants to hire them to breach a specific target, Alexander said they charge no less than $1 million.

The Chinese hackers run the market as their side business, Alexander said. While breaching networks for their day jobs under the Chinese regime, they’ll often steal additional data they can sell on the black market.

Chinese state hackers are often viewed as clumsy. During a segment on “60 Minutes” in October 2014, FBI Director James Comey said, “I liken them a bit to a drunk burglar. They’re kickin’ in the front door, knocking over the vase, while they’re walking out with your television set.”

Information from DBI shows a different picture. The Chinese state hackers breach networks under contract, steal what they were hired to steal, then take anything else they can sell on the side.

Alexander also noted the hackers treat it like a business: “They’ll never resell the information.” It seems there is a kind of honor among these thieves.

Follow Joshua on Twitter: @JoshJPhilipp