Chinese cyber espionage and the Belt & Road Initiative

Thursday 3 October 10:00 - 10:30, Green room

Thomas Thomasen (Deloitte)
Loucif Kharouni (Deloitte)

The purpose of this paper is to demonstrate that one of the key drivers of Chinese cyber espionage is the Belt & Road Initiative (BRI). Also known as the New Silk Road, the BRI focuses primarily on Central Asia, but the ramifications of the BRI also affect entities outside Central Asia. Deloitte CTI continues to observe significant targeting along the New Silk Road. The examples of targeting in this paper are not intended to be exhaustive; rather, they are intended to demonstrate the scope and the persistent nature of Chinese cyber espionage operations against countries with BRI projects and countries with technology and know-how that are relevant to the BRI.

The goal of this paper is not to provide evidence of attribution to specific Chinese government organizations; rather, it is to demonstrate that the activities detailed herein align with the intelligence priorities of China in the region. This paper is based on a variety of data sources, including open source as well as Deloitte CTI internal sources.

This study is composed of two major sections:

  • A discussion of what the Belt & Road Initiative is, including its intelligence dimensions and the ways in which it ties into the strategic plans of China. This part will include a description of the Chinese intelligence services with a foreign intelligence mission.
  • Provide recent examples of intrusion activity, including high-level analysis of malware deployed against targets, C2 infrastructure and TTPs employed by adversaries targeting the states along the New Silk Road.



Thomas Thomasen

Thomas Thomasen is a threat researcher with Deloitte’s Global Cyber Threat Intelligence team based out of Copenhagen, Denmark. Thomas has a background in intrusion analysis and has extensive experience with tracking APTs, including their operations, capabilities and intentions. Prior to joining Deloitte, Thomas worked for the Danish Defence, focusing on APT activity.



Loucif Kharouni

Loucif Kharouni is the VP, Service Delivery for Threat Intelligence at Deloitte based out of Seattle. He leads multiple remote teams across the US, Europe and Asia Pacific of highly skilled professionals. Loucif has a background in cybercriminal methodology and behaviour and has extensive expertise in intelligence gathering and tracking down cybercriminals. He has written, discussed, and presented about topics that include targeted attacks, financial threats, bulletproof providers, and the cybercrime economy. Prior to Deloitte, Loucif worked for the Trend Micro research team and focused on adversaries’ investigations and their activities that led to multiple arrests in collaboration with various law enforcement agencies. Loucif has participated as a speaker in various professional cybercrime conferences over the years such as Cert EE, Virus Bulletin, M3AAWG, APWG, SERENE-RISC and RISE.

Back to VB2019 Programme page

Other VB2019 papers

Operation Soft Cell - a worldwide campaign against telecommunication providers

Amit Serper (Cybereason)
Mor Levi (Cybereason)
Assaf Dahan (Cybereason)

Defeating APT10 compiler-level obfuscations

Takahiro Haruyama (Carbon Black)

A study of Machete cyber espionage operations in Latin America

Veronica Valeros (Czech Technical University in Prague)
Maria Rigaki (Czech Technical University in Prague)
Kamila Babayeva (Czech Technical University in Prague)
Sebastian Garcia (Czech Technical University in Prague)

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.