Author: John Calum Mcphee


Introduction

The Georgian Dream (GD) party’s foreign policy reorientation is pushing Georgia into the arms of the People’s Republic of China (PRC). The influence of the PRC is continually growing in Georgia, notably with the announcement of a “strategic partnership” in 2023. While inviting in the PRC presents a slew of strategic security risks for Georgia, a pressing concern is information security and cybersecurity. Based on weak cybersecurity trends in devices with a PRC origin, as well as a significant state nexus with the country’s private sector, this analysis suggests that by acquiring PRC technology, the Georgian government is exposing itself to preventable cyber harms. Information and cybersecurity risks are present in Georgia’s collaboration with Huawei, in its procurement of PRC surveillance technology, as well as in the prevalence of consumer PRC-origin internet of things (IoT) devices.

Technological cooperation with the PRC presents serious information and cybersecurity risks due to the legislation and practices of the state itself. PRC intelligence agencies, such as those within the People’s Liberation Army (PLA), Ministry of State Security (MSS), and Ministry of Public Safety (MPS), maintain informal and formal linkages with the country’s private sector. Moreover, PRC legislation and government influence do not allow the country’s private sector, citizens, or other entities to “…meaningfully resist a direct request [for assistance] from security forces or law enforcement.” Beyond consensual collaboration, a number of devices produced by companies based in the PRC possess an “unusual degree of vulnerabilities,” which have been exploited by MSS-linked cyber threat actors to execute cyber operations.

Consumer Cellular Technology

Under the direction of GD, Georgia will almost certainly continue technological collaboration with the PRC’s private sector, notably through PRC-based company Huawei Technologies Co., Ltd. In 2023, then Georgian Prime Minister Irakli Garibashvili visited a Huawei facility in Beijing and “…discussed the prospects of cooperation […] in various fields.” As a company, Huawei has garnered controversy for its connections with the PRC government, which resulted in punitive action from the US government in 2019. Huawei’s staff and founder are linked to PRC military and intelligence services, with a number of employees having previously served with the MSS and the PLA’s Cyberspace Force (CSF). Overlapping employment is a particular concern as, according to leaked resumes, MSS affiliates and PLA CSF staff have held simultaneous positions at Huawei while still in government service.

Aside from US sanctions, Huawei has faced intense scrutiny and has been implicated in either being unable to prevent, or being willfully complicit in, computer intrusions. Along with the US, New Zealand, Japan, the United Kingdom, Canada, Australia, and others are disconnecting Huawei from their 5G networks, citing security concerns. While it is unlikely that Huawei itself participates in offensive cyber operations, the company is linked to MSS front company Guangzhou Boyu Information Technology Co. (Boyusec), also known by its cybersecurity industry name Advanced Persistent Threat 3 (APT3). Through Boyusec, the MSS conducted numerous cyber espionage operations, such as a campaign exploiting vulnerabilities in Adobe Flash Player, known as Operation Clandestine Fox. Huawei has also held contracts to develop surveillance technology, such as voice recording analysis, facial recognition, and geolocation.

Surveillance Cameras & Surveillance Technology

Huawei is not the only PRC entity to which Georgia is exposing itself. The Georgian government is acquiring security cameras from Hangzhou Hikvision Digital Technology Co., Ltd. and Zhejiang Dahua Technology Co., Ltd., which are the source of over 80% of the country’s security cameras. From a cybersecurity perspective, Hikvision and Dahua Tech cameras are disproportionately exposed to technical vulnerabilities, with numerous examples of compromises using “low skill level” techniques. Hikvision specifically is deeply connected to the PRC government, almost certainly having been founded, fully owned, and controlled by the state.

Given that the PRC researches computer vulnerabilities through the MSS-linked China Information Technology Evaluation Center (CNITSEC), it would almost certainly be able to identify similar insecurities. PRC legislation requires businesses in the country to report technical vulnerabilities to the government prior to public disclosure. CNITSEC additionally operates the China National Vulnerability Database (CNNVD), which, along with the vulnerability databases of the PRC’s Ministry of Industry and Information Technology (MIIT) and the MPS, presents an expansive bank of non-public technical vulnerabilities accessible to the state. Other sources of state-sponsored vulnerability research, such as domestic cybersecurity competitions, have been weaponized for offensive cyber operations; thus it is unlikely that resources like CNNVD are strictly defensive.

Endpoints & Internet of Things (IoT) Devices

Outside of government contracts, PRC-origin consumer devices are equally relevant in Georgia’s cyber threat landscape. Common small office and home office (SOHO) routers, as well as other internet of things (IoT) devices, such as web-connected printers, play a significant role in PRC cyber operations. IoT devices have been co-opted and integrated into operational relay box (ORB) networks, which are “…akin to botnets.” PRC cyber actors use ORB networks to obfuscate the origin of malicious cyber operations, such as deploying malware, gaining unauthorized access, and exfiltrating data, among other offensive activity. ORB networks used by PRC cyber actors are often composed of IoT devices, such as Hikvision cameras, produced by PRC-based companies.

PRC-origin devices within ORB-style networks appear in cases such as CovertNetwork-1658, which was mostly a collection of co-opted SOHO routers produced by PRC-linked company TP-Link. Like Hikvision and Dahua Tech cameras, TP-Link routers drew criticism from US lawmakers for an “…unusual degree of vulnerabilities.” Recent PRC offensive cyber operations have used similar ORB-style networks, including those connected to cyber threat actors known as Flax Typhoon and Volt Typhoon. The latter was implicated in prepositioning access on systems related to critical infrastructure.

Conclusion & the Future

While Georgia is currently on positive terms with the PRC, this by no means indicates that it will not be subject to current and future cyber espionage, which will almost certainly be enabled by PRC-origin technology. In fact, a subgroup of APT41, a PRC cyber actor linked to the MSS, has already been observed making connections to systems in Georgia; thus it is likely that cyber espionage is currently ongoing.

The PRC targets allies with cyber espionage, as seen in the case of Russian state-owned defense company Rostec, from which PRC cyber actors sought “…sensitive military technological information.” Participants in the Belt and Road Initiative (BRI), which includes Georgia, have been subjected to economically driven PRC cyber espionage. Given Georgia and the PRC’s relationship, there is sufficient motive for the PRC to leverage cyber espionage to gain an informational advantage in diplomatic and economic negotiations. Georgia’s relatively small size and geopolitical footprint do not keep it out of the PRC’s crosshairs, as governments across Africa and the Middle East have been targeted in PRC cyber espionage campaigns.

By acquiring and utilizing PRC-origin technology, Georgia exposes itself not only to information and cybersecurity risks from the PRC, but equally to other actors exploiting the devices’ inadequate protection. Russian cyber actors accessed Hikvision security cameras in Ukraine to assess the effectiveness of missile strikes, as well as to collect footage for propaganda production.

Georgia opening its consumer market to PRC-produced or PRC-connected devices creates a permissive environment for PRC cyber actors to co-opt IoT devices, such as SOHO routers, to build covert networks. This is especially relevant as governments, like those of the US, UK, Australia, New Zealand, and Canada, further dismantle PRC covert networks and digital infrastructure, most recently the aforementioned Flax Typhoon botnet. As Georgia continues to import PRC technology, cyber espionage directed at, and routed through, the country will almost certainly continue to rise.