In 2021, the White House Briefing Room issued a statement attributing malicious cyber activity and threats to the People’s Republic of China. In the statement, China was accused of using “criminal contract hackers to conduct unsanctioned cyber operations globally.” The activities of these Chinese hackers include ransomware attacks, cyber-enabled extortion, crypto-jacking, and theft.
One of the attacks cited in the brief was a Microsoft Exchange hack, which may have infected as many as 60,000 global users with malware. The attack compromised data from multiple sources, including six foreign ministries and eight energy companies.
China’s cyber-interests are quite varied:
- Indian Entities – Attacks on Air India have been linked to Advanced Persistent Threat (APT) 41, a Chinese state-sponsored threat actor
- COVID-19 – Chinese hackers were indicted last year for hacking into the COVID-19 research site at pharmaceutical giant Moderna. Chinese hackers have also been accused of trying to steal research from Spain.
- Asian telecoms – State-backed Chinese hackers compromised at least five global telecommunications providers, stealing phone records and location data
Ran Shahor, Retired Brig. General and HolistiCyber’s CEO, says China will continue to develop its cyber program to support its long-term ambition of being the strongest superpower: mid-term in the Pacific, and long-term on a global basis, surpassing the US in both cases. “Cyber will enable China to continue to develop its economy and military at a rate outstripping its competitors – and more cheaply.”
Many cyber threat actors are coming from China. Some include:
- China’s Ministry of State Security – accused by the US Cybersecurity & Infrastructure Security Agency (CISA) of targeting U.S. government agencies and executing cyber operations against them
- Hafnium – a cyber-attack group associated with the Chinese government and best known for its Microsoft Exchange attack
- APTs – There are multiple APTs associated with China. For example, APT30 focuses on Southeast Asian nations, while APT41 carries out Chinese state-sponsored espionage
Trends in Chinese state-sponsored attacks
U.S. intelligence organizations have noted these trends in Chinese nation-state cyber operations.
- Acquisition of infrastructure and capabilities – threat actors stay on top of the security community’s latest best practices. They use a rotating pool of virtual private servers (VPS) and common open-source or commercial penetration-testing tools to avoid detection and hide their activities
- Exploitation of public vulnerabilities – cyber actors look for targets running major applications that have not yet closed a publicly disclosed vulnerability
- Encrypted multi-hop proxies – attackers use VPS coupled with small office and home office (SOHO) devices as operational nodes, which helps them avoid detection
A common tactic is for these threat actors to use VPSs to hide their activity while waiting for vulnerabilities to be disclosed. Once a vulnerability is published, they scan networks looking for systems that still expose it, and then use VPSs and SOHO routers to run their operations.
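As an added example (not part of the original post), here is the kind of detection logic a defender might run over web-server access logs to surface the tactic just described: sources that begin probing a vulnerability-specific path across many hosts only after disclosure, and the same path being probed from a rotating set of sources. The watched paths, hostnames, addresses and log lines are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed: URL paths that probe a disclosed vulnerability, keyed to the
# date the vulnerability was published. Hits before that date are baseline.
WATCHED_PATHS = {
    "/app/admin/login": "2021-03-02",
    "/api/v1/export": "2021-03-05",
}

# Constructed access-log lines: timestamp src_ip dst_host path status
SAMPLE_LOG = """\
2021-03-01T09:00:00 192.0.2.56 mail.example.net /app/admin/login 200
2021-03-03T01:10:02 203.0.113.7 hr.example.net /app/admin/login 404
2021-03-03T01:10:05 203.0.113.7 mail.example.net /app/admin/login 401
2021-03-03T01:10:09 203.0.113.7 shop.example.net /app/admin/login 404
2021-03-03T01:12:11 198.51.100.21 hr.example.net /app/admin/login 404
2021-03-03T01:12:13 198.51.100.21 shop.example.net /app/admin/login 404
2021-03-03T01:12:20 198.51.100.21 mail.example.net /app/admin/login 401
2021-03-03T02:00:00 192.0.2.55 shop.example.net /index.html 200
"""


def parse_line(line):
    ts, src, host, path, status = line.split()
    return datetime.fromisoformat(ts), src, host, path, int(status)


def find_post_disclosure_scanners(log_text, watched=WATCHED_PATHS, min_hosts=3):
    """Return (scanners, rotation).

    scanners: {src_ip: sorted hosts} for sources that hit a watched path on at
              least min_hosts distinct hosts after that path's disclosure date
              (breadth of probing, not normal use of one application).
    rotation: {path: distinct post-disclosure sources}, which exposes the
              rotating VPS/SOHO pattern: many sources, one probe.
    """
    hosts_by_src = defaultdict(set)
    srcs_by_path = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, host, path, _status = parse_line(line)
        disclosed = watched.get(path)
        if disclosed is None or ts < datetime.fromisoformat(disclosed):
            continue  # not a watched probe, or it predates disclosure
        hosts_by_src[src].add(host)
        srcs_by_path[path].add(src)
    scanners = {s: sorted(h) for s, h in hosts_by_src.items() if len(h) >= min_hosts}
    rotation = {p: len(s) for p, s in srcs_by_path.items()}
    return scanners, rotation


if __name__ == "__main__":
    print(find_post_disclosure_scanners(SAMPLE_LOG))
```

The pre-disclosure hit from 192.0.2.56 is deliberately ignored, so the detector does not flag legitimate use of the same endpoint before the vulnerability became public.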
Analysis of recent known Chinese attacks
Here is a look at some recent attacks that have come out of China:
- Taiwan Government – the self-ruled island reports over 5 million attacks and probes a day, with about half believed to come from China. Taiwan considers itself a sovereign nation, while China considers it part of its territory
- Microsoft Exchange Servers – this attack enabled China to insert backdoors into systems at companies and organizations around the world, to which it can return at a later date
- APT31’s Jian – this zero-day exploit is built on an NSA hacking tool called EpMe. It was used between 2014 and 2017 to spy on companies, including Lockheed Martin, and was discovered within the last year by Check Point
- APT41’s ColunmTK Attack on Air India – while investigating a supply chain attack that stole data, investigators discovered a second attack that had lasted nearly three months, extracted over 23MB of data, and spread Cobalt Strike beacons to devices within the airline’s network
China’s state-sponsored cyber goals
Understanding China’s goals when it comes to cyberwarfare is highly instructive, as it can help organizations recognize whether they face a threat.
One driving force behind China’s data monitoring, particularly at the local level, is its desire to maintain social stability and national security. Having seen unrest plague and topple other regimes just a decade ago during the Arab Spring, China recognizes the potential for similar unrest at home. Additionally, China wants to portray democracies as governments that don’t serve their populations. By breaking down that trust, China believes it reduces the likelihood that its population will attempt to overthrow the government in favor of democracy.
China also feels the need to defend its critical information infrastructure. Like other countries, it is increasingly dependent on information networks, and many of those networks come from U.S.-based companies. Through the theft of intellectual property, China can develop its own internal tools to protect itself.
What should we expect to see in the future?
Over the last year, we’ve seen more governments stand up to China. The White House statement mentioned earlier named key allies and partners: the European Union, the United Kingdom, and NATO.
Experts hope that the show of solidarity will convince China to step back from its nefarious cyber activities. To date, China has consistently denied its involvement, making it unlikely that it will simply walk away.
We should expect to see a continued nation-state level cybersecurity threat emanating from China. An IntSights report, “Dark Side of China: The Evolution of a Global Cyber Power,” claims that China wants to break down democracies, disrupt election cycles, and gain an economic advantage over its adversaries as a way to increase its power.
There’s no sign of that behavior slowing down.
What is the best defense against China’s nation-state-grade attacks?
There are a few steps every company should be taking to ensure protection against a Chinese attack.
Start with patching systems and equipment immediately upon learning of a threat. As mentioned earlier, these threat actors wait for vulnerabilities to be announced, and then try to exploit them before security teams have a chance to close them.
Cybersecurity teams should also enhance their monitoring of network traffic, email, and endpoints, to look for new phishing attempts designed to compromise user credentials. Antivirus software and other protection tools can also be useful in automatically detecting malicious files and preventing them from being executed.
Effective cybersecurity is built on four key elements.
- Team – with experience facing nation-state grade attacks
- Methodology – proven processes that push back against attacks
- Holistic Approach – review your entire network footprint, covering every division within your company, from HR to supply chain
- Automation – leverage leading tech solutions
To see how you can improve your security posture, get in touch with a HolistiCyber expert today!