
China’s State-Sponsored Cyber Actors: A Persistent Threat to Global Cybersecurity

Introduction

In the dynamic and ever-evolving realm of cybersecurity, the threat posed by China’s state-sponsored cyber actors stands out as both enduring and highly sophisticated. Backed by substantial resources and support from the Chinese government, these actors have developed a formidable arsenal of tactics to conduct cyber espionage and disrupt global operations. Their activities are not merely isolated incidents; they represent a systematic approach to gaining political, economic, and military advantages on the world stage. As organizations across the globe increasingly rely on digital infrastructure, understanding and addressing the threats posed by these cyber adversaries is paramount. In this article, we will explore the modus operandi of China’s state-sponsored actors, their targeted sectors, the broader global impact of their activities, and effective strategies for mitigation.

Modus Operandi and Targets

China’s state-sponsored cyber actors employ a diverse and sophisticated range of tactics, techniques, and procedures (TTPs) to achieve their strategic objectives. A key approach is exploiting vulnerabilities in software and systems, actively searching for weak points that can be used to gain unauthorized access to sensitive data. These actors are constantly on the lookout for flaws in widely used applications, operating systems, and network infrastructure, leveraging any discovered weakness to infiltrate and establish a foothold within their target networks.

In addition to exploiting vulnerabilities, they rely heavily on deploying malware to achieve their goals. This malware is often highly sophisticated, designed not only to steal valuable information but also to disrupt operations, damage systems, or hold critical data hostage through ransomware attacks. Their malware campaigns can be extensive, sometimes remaining undetected for long periods, during which vast amounts of sensitive information are exfiltrated.

A particularly concerning method they employ is supply chain attacks. By targeting third-party vendors and suppliers, China’s cyber actors embed malicious code into legitimate software or hardware products, which then becomes widely distributed. This approach allows them to compromise entire ecosystems, infiltrating multiple organizations that rely on the compromised products, all while evading direct detection.

Moreover, these actors make use of social engineering techniques to manipulate individuals into unwittingly aiding their attacks. By exploiting human psychology, they trick employees or executives into revealing confidential information or clicking on malicious links, thereby opening the door to deeper network penetration. Social engineering has become a critical tool for bypassing even well-established cybersecurity defenses, as it targets the human element rather than technological vulnerabilities.

The range of their targets is broad, though their primary focus often falls on organizations holding valuable intellectual property, sensitive government information, or critical infrastructure. Defense contractors are among the most frequent targets, as gaining access to military secrets or cutting-edge technological innovations is a high priority for these actors. Stealing proprietary information related to defense technologies offers them a significant advantage in both military and industrial arenas.

Similarly, government agencies across the globe are key targets, as breaching government networks allows these actors to collect crucial intelligence on political, economic, and military matters. This information can be used to influence international negotiations, gain strategic advantages, or undermine the efforts of foreign governments.

Critical infrastructure providers, such as power grids, transportation networks, and telecommunications systems, are also of great interest. Attacks on these sectors can lead to widespread disruption, economic losses, and social unrest, all of which serve China’s broader geopolitical objectives. By undermining the stability of critical infrastructure, these cyber actors can create vulnerabilities that weaken nations’ overall resilience and security.

In summary, China’s state-sponsored cyber actors use a wide variety of tactics to breach networks, compromise systems, and gain access to sensitive information, with defense contractors, government agencies, and critical infrastructure providers being among their primary targets. These ongoing activities pose a significant threat to global security, making it imperative for organizations to adopt stringent cybersecurity measures to counter these persistent and evolving threats.

The joint Cybersecurity Advisory, co-authored by the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI), highlights the relentless exploitation of known vulnerabilities by People’s Republic of China (PRC) state-sponsored cyber actors. This advisory underscores the critical importance of addressing these threats promptly and effectively.

PRC state-sponsored cyber actors have consistently exploited vulnerabilities in network devices, such as Small Office/Home Office (SOHO) routers and Network Attached Storage (NAS) devices. These devices serve as gateways for cyber actors to infiltrate networks, routing command and control traffic and facilitating network intrusions. Often overlooked by cybersecurity defenders, these devices have become a preferred target due to their susceptibility and the challenges in maintaining routine software patching.

Since 2020, PRC state-sponsored cyber actors have launched extensive campaigns targeting publicly identified security vulnerabilities, referred to as Common Vulnerabilities and Exposures (CVEs). This approach allows them to breach victim accounts using publicly available exploit code against virtual private network (VPN) services and public-facing applications. Notably, this occurs without the use of distinct or identifiable malware, as long as the actors act before organizations update their systems.

Dynamic Tactics and Evolving Techniques

PRC state-sponsored cyber actors are continuously evolving and adapting their tactics to evade detection. These actors have been observed monitoring network defenders’ accounts and actions, adjusting their campaigns as necessary to remain undetected. They modify their infrastructure and toolsets following the release of information about their ongoing activities, blending their customized tools with publicly available ones to obscure their presence in the network’s noise.

Once PRC state-sponsored cyber actors gain access to a telecommunications organization or network service provider, they identify critical users and infrastructure. By obtaining credentials from critical servers, such as Remote Authentication Dial-In User Service (RADIUS) servers, they gain access to Structured Query Language (SQL) databases. These databases contain both cleartext and hashed passwords for user and administrative accounts.

Of particular concern is the targeting of major telecommunications companies and network service providers, where PRC state-sponsored cyber actors utilize open-source tools for reconnaissance and vulnerability scanning. Tools like RouterSploit and RouterScan enable them to identify vulnerabilities and conduct further exploitation of SOHO and other routers manufactured by industry giants such as Cisco, Fortinet, and MikroTik.

Armed with these credentials, the actors employ automated scripts to authenticate to routers via Secure Shell (SSH), execute router commands, and capture router configurations. These configurations are then exfiltrated to the actors’ infrastructure. Following this, they configure port mirroring to copy all network traffic to an interface, forwarding it through a tunnel to their controlled infrastructure.

Mitigation Strategies

To effectively mitigate the risks posed by China’s state-sponsored cyber actors, organizations must adopt a comprehensive cybersecurity strategy that addresses both technical vulnerabilities and human factors. A robust vulnerability management system should be a foundational element of this strategy. Regularly scanning for vulnerabilities, particularly in critical systems, is essential to identifying weak points that could be exploited by cyber actors. Once vulnerabilities are detected, applying patches or implementing workarounds should be a top priority to prevent unauthorized access to networks and data.

In addition to managing technical vulnerabilities, educating employees through security awareness training is equally important. Cyber actors often use social engineering techniques, such as phishing, to trick individuals into revealing sensitive information or clicking on malicious links. By teaching employees to recognize these threats, organizations can significantly reduce the risk of breaches caused by human error. Regular training sessions and simulated phishing attacks can help to reinforce good cybersecurity practices among staff members.

Incident response planning is another critical component of an effective cybersecurity strategy. Developing and testing comprehensive incident response plans ensures that organizations can react swiftly and effectively in the event of a cyberattack. These plans should include protocols for detecting and containing attacks, minimizing damage, and restoring systems to normal operation. By preparing for the worst-case scenario, organizations can limit the potential fallout from a breach and reduce downtime.

Adopting a zero-trust security model is a forward-thinking approach to cybersecurity that assumes no user or device can be trusted by default, whether inside or outside the organization’s network. In a zero-trust model, every user, device, or application must be authenticated and continuously verified before access to sensitive resources is granted. This approach reduces the chances of lateral movement by an attacker within the network, limiting their ability to cause widespread harm.

Seeking expert guidance from cybersecurity professionals can provide organizations with a clearer understanding of their risk profile and help them implement best practices tailored to their specific needs. Cybersecurity experts can offer insights into the latest threat intelligence, assist with the configuration of security technologies, and help monitor evolving threats.

The joint cybersecurity advisory issued by agencies such as the NSA, CISA, and FBI highlights several additional best practices for protecting against China’s state-sponsored cyber threats. Among these is the prompt application of patches to fix known vulnerabilities, especially in network devices like routers and firewalls that are often targeted. Compromised devices should be isolated to prevent attackers from gaining further access. Segmenting networks to create isolated zones for sensitive systems and enforcing multifactor authentication (MFA) can also significantly strengthen security.

Disabling unused network services, ports, and protocols can reduce the attack surface, making it more difficult for cyber actors to find entry points. Implementing strict password policies, including complex requirements and frequent account reviews, further bolsters security. Regular backups of critical data, coupled with well-rehearsed recovery procedures, ensure that organizations can quickly recover from ransomware or other destructive attacks.

Isolating Internet-facing services in a Demilitarized Zone (DMZ) is another critical step in limiting exposure to outside threats. Additionally, robust logging of activities related to Internet-facing services, combined with vigilant monitoring, can help detect early signs of compromise. By maintaining dedicated management systems and accounts for system administrators and enforcing strict access controls, organizations can safeguard key areas of their network infrastructure.

Finally, enabling comprehensive logging and reviewing network infrastructure changes and access logs provides organizations with the necessary insights to detect malicious activity early and respond before attackers can cause significant damage. Together, these mitigation strategies form a layered defense that significantly reduces the risk of successful cyberattacks by China’s state-sponsored actors.
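As an added illustration of the logging and review practice described above (example code written for this article, not part of the original text or of the joint advisory it summarizes), the script below scans constructed router syslog lines for the sequence the advisory describes: an SSH login from outside the dedicated management network, followed by configuration capture and port-mirroring or tunnel commands. The log format is loosely modelled on Cisco IOS syslog; the host name, addresses, user names and the management subnet are all assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Subnet from which administrator logins are expected. Constructed value;
# replace with the organisation's real dedicated management network.
MANAGEMENT_NETS = [ipaddress.ip_network("10.0.100.0/24")]

# Commands that dump the configuration, and commands that set up port
# mirroring (SPAN) or a tunnel. Illustrative IOS-style patterns only.
CONFIG_CAPTURE = re.compile(r"\b(show|copy)\s+(running-config|startup-config)\b")
MIRROR_OR_TUNNEL = re.compile(r"\b(monitor session|interface Tunnel|tunnel destination)\b")

LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) %SEC_LOGIN-5-LOGIN_SUCCESS: "
    r"Login Success \[user: (?P<user>\S+)\] \[Source: (?P<src>[\d.]+)\]"
)
CMD_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) %PARSER-5-CFGLOG_LOGGEDCMD: "
    r"User:(?P<user>\S+) +logged command:(?P<cmd>.+)$"
)

# Constructed sample log lines (not real captures). A normal operator login
# from the management network, then a login from an outside address that
# captures the running config and configures mirroring plus a tunnel.
SAMPLE_LOGS = """\
Jan 14 02:11:03 edge-rtr-01 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 10.0.100.7] [localport: 22]
Jan 14 02:12:40 edge-rtr-01 %PARSER-5-CFGLOG_LOGGEDCMD: User:netops  logged command:show ip interface brief
Jan 14 03:40:15 edge-rtr-01 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 203.0.113.45] [localport: 22]
Jan 14 03:40:19 edge-rtr-01 %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:show running-config
Jan 14 03:40:31 edge-rtr-01 %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:monitor session 1 source interface GigabitEthernet0/1 both
Jan 14 03:40:33 edge-rtr-01 %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:monitor session 1 destination interface GigabitEthernet0/3
Jan 14 03:41:02 edge-rtr-01 %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:tunnel destination 198.51.100.9
"""


@dataclass
class Finding:
    ts: str
    host: str
    user: str
    src: Optional[str]   # source IP of the user's most recent login, if seen
    kind: str            # "login_outside_mgmt", "config_capture", "mirror_or_tunnel"
    detail: str


def analyze(lines: List[str], mgmt_nets=MANAGEMENT_NETS) -> List[Finding]:
    """Walk router syslog in order, remembering the source address of each
    (host, user) login so later command-log entries can be attributed to it."""
    last_src: Dict[Tuple[str, str], str] = {}
    findings: List[Finding] = []
    for line in lines:
        m = LOGIN_RE.match(line)
        if m:
            src = m["src"]
            last_src[(m["host"], m["user"])] = src
            if not any(ipaddress.ip_address(src) in net for net in mgmt_nets):
                findings.append(Finding(m["ts"], m["host"], m["user"], src,
                                        "login_outside_mgmt", f"SSH login from {src}"))
            continue
        m = CMD_RE.match(line)
        if not m:
            continue
        cmd = m["cmd"].strip()
        src = last_src.get((m["host"], m["user"]))
        if CONFIG_CAPTURE.search(cmd):
            findings.append(Finding(m["ts"], m["host"], m["user"], src, "config_capture", cmd))
        elif MIRROR_OR_TUNNEL.search(cmd):
            findings.append(Finding(m["ts"], m["host"], m["user"], src, "mirror_or_tunnel", cmd))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOGS.splitlines()):
        print(f"{f.ts} {f.host} {f.kind:<20} user={f.user} src={f.src} {f.detail}")
```

On a real network the same logic would run against the syslog collector feed, and any mirror or tunnel change that was not raised through change management is the review item.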

Global Impact

China’s state-sponsored cyber operations have a profound and far-reaching impact on the global economy and society, affecting a wide array of sectors. One of the most immediate consequences is the significant financial losses incurred by targeted organizations. These losses arise from data breaches, ransomware attacks, and operational disruptions that often result in costly downtime and reputational damage. As businesses are forced to divert resources to mitigate the effects of these attacks, they may also face long-term consequences such as loss of revenue, diminished consumer confidence, and the expense of implementing new cybersecurity measures. In some cases, intellectual property theft can cause even greater harm, as stolen innovations or trade secrets can lead to competitive disadvantages, particularly in industries where research and development are critical.

The erosion of public trust is another major repercussion of these cyber activities. When organizations, whether in the private or public sector, suffer security breaches that compromise sensitive data, consumers, stakeholders, and citizens may lose confidence in their ability to safeguard critical information. This loss of trust can extend beyond the affected organization and spread to broader sectors such as finance, healthcare, or government services, undermining confidence in the integrity of digital transactions and communications. In the wake of high-profile breaches, public fear of cybersecurity vulnerabilities often grows, leading to a general distrust of online platforms and services.

At a higher level, the national security risks posed by China’s state-sponsored cyber actors cannot be overstated. By targeting government agencies and military contractors, these actors gain access to highly sensitive political, economic, and military information that can be used to undermine national interests. The theft of classified documents, defense technology, and intelligence data can have serious implications for a country’s ability to protect itself and maintain strategic advantages in global conflicts. Additionally, the disruption of critical infrastructure such as power grids, telecommunications networks, and transportation systems can lead to economic paralysis, social unrest, and even endanger civilian lives.

In this way, China’s cyber operations not only threaten individual organizations but also have the potential to destabilize entire economies, erode public trust in key institutions, and endanger national security. Their persistent and increasingly sophisticated cyber campaigns make it clear that global cybersecurity is at risk, and collective action is required to defend against these threats. Governments and corporations alike must work together to address the impact of these cyber operations and bolster their defenses in the face of an evolving and persistent threat.

Global Response to the Threat

In response to the global impact of China’s state-sponsored cyber activities, countries and organizations around the world are taking significant steps to bolster their cybersecurity defenses and mount a coordinated defense against these threats. One of the most critical components of the global response has been the collaboration between governments, private sector entities, and international bodies to share information, develop comprehensive cyber policies, and enhance defensive capabilities. Many nations, particularly in the West, have established partnerships to share intelligence on cyber threats, issue joint advisories, and provide guidance on best practices to prevent cyberattacks. This collective approach allows countries to more effectively identify and counteract the tactics employed by state-sponsored actors like those from China.

The imposition of sanctions and diplomatic measures has also become a key part of the global response to China’s cyber activities. The United States, the European Union, and several other countries have publicly condemned China for its involvement in malicious cyber operations and, in some cases, have imposed sanctions on individuals and entities linked to these activities. These actions are intended not only to punish those directly involved but also to send a strong message that state-sponsored cyberattacks will not be tolerated. Diplomatic efforts have also been aimed at pressuring China to curb its cyber activities, though the effectiveness of these measures remains limited given the covert nature of cyber warfare.

In addition to sanctions and diplomatic measures, there has been a growing focus on developing and enforcing international norms and agreements around cyber behavior. Efforts by the United Nations and other international organizations have led to discussions about establishing global norms of responsible state behavior in cyberspace. These discussions aim to create an international framework that holds countries accountable for cyberattacks and encourages greater transparency and cooperation in addressing cyber threats. While progress in this area has been slow, the increasing frequency and severity of cyber incidents have underscored the need for a global consensus on acceptable behavior in cyberspace.

From a technological standpoint, nations are investing heavily in cybersecurity infrastructure and research to stay ahead of emerging threats. Governments are working closely with cybersecurity firms and research institutions to develop advanced technologies, such as artificial intelligence (AI) and machine learning (ML), to detect and counter cyberattacks in real time. Additionally, critical infrastructure sectors, such as energy, finance, and telecommunications, are being prioritized for enhanced cybersecurity measures to mitigate the risks posed by state-sponsored actors. The development of quantum-proof encryption methods, in response to the potential future threat of quantum computing in cracking traditional encryption, is also part of this broader effort to strengthen defenses.

The private sector has played an essential role in responding to the global cybersecurity threat as well. Companies across industries have recognized the importance of protecting their networks and data from state-sponsored cyberattacks. Many have implemented more rigorous security protocols, adopted zero-trust security models, and increased investments in cybersecurity solutions. Collaboration between governments and the private sector has also deepened, with public-private partnerships being formed to exchange threat intelligence and coordinate responses to cyber incidents. Major technology firms are contributing to this effort by sharing insights and tools to help smaller organizations defend against sophisticated cyberattacks.

Overall, the global response to China’s state-sponsored cyber actors has evolved into a multifaceted approach that combines diplomatic pressure, international cooperation, technological innovation, and collaboration between public and private sectors. While challenges remain, particularly in the enforcement of international norms and the complexity of attribution in cyberattacks, the global community has made significant strides in strengthening defenses and addressing the growing cyber threat landscape. Continued vigilance and cooperation will be essential to counter the evolving tactics of state-sponsored actors and safeguard global cybersecurity.

The Path Forward

The path forward in combating the threat posed by Chinese state-sponsored cyber actors requires a comprehensive, multi-faceted approach that addresses vulnerabilities at various levels. One of the foundational steps is strengthening cyber hygiene across organizations. With cyberattacks increasingly leveraging human error, organizations must prioritize cybersecurity training and awareness programs. By educating employees on how to recognize and respond to social engineering and phishing attempts, organizations can reduce the risk of these attacks succeeding. This proactive approach ensures that even the most sophisticated cyberattacks face an additional barrier of human awareness.

In tandem with improving awareness, organizations must implement advanced security measures to safeguard their networks and data. Technologies such as multi-factor authentication (MFA), encryption, and intrusion detection systems (IDS) should be standard across critical infrastructure and high-value assets. MFA adds a crucial layer of protection by requiring multiple credentials for access, while encryption secures sensitive data both at rest and in transit. Additionally, an IDS helps detect potential breaches in real time, enabling swift response and mitigation. By adopting these advanced security measures, organizations can fortify their defenses against sophisticated cyber threats.

Investment in cybersecurity research is also vital for staying ahead of rapidly evolving cyber tactics. As cyber actors continue to develop more advanced methods of attack, the need for innovative defensive strategies becomes paramount. Governments, academic institutions, and private sector companies must work together to fund and conduct research that pushes the boundaries of cybersecurity. Artificial intelligence, machine learning, and quantum-resistant encryption are just some of the research areas that hold promise for developing next-generation solutions capable of countering emerging cyber threats.

Fostering international collaboration is another essential element in addressing state-sponsored cyber threats. Cyberattacks are borderless by nature, making it imperative for nations to work together to establish a framework for global cooperation. This collaboration can involve sharing threat intelligence, best practices, and strategies for responding to cyber incidents. International bodies, such as NATO, the United Nations, and regional cybersecurity coalitions, have already begun laying the groundwork for such cooperation, but more needs to be done to create a truly unified global defense against cyber threats.

Finally, advocating for the establishment of cyber norms on the international stage is crucial for creating accountability and reducing the likelihood of cyber conflicts. By promoting the adoption of clear and enforceable standards of state behavior in cyberspace, the international community can pressure rogue actors into compliance and set the stage for diplomatic resolutions to cyber disputes. Establishing these norms would help define what constitutes acceptable cyber behavior and provide a foundation for punitive measures against those who violate them.

In conclusion, the path forward against the threat posed by Chinese state-sponsored cyber actors requires a concerted effort from governments, organizations, and international institutions. Through stronger cyber hygiene, advanced security measures, ongoing research, international collaboration, and the promotion of cyber norms, the global community can better defend against the persistent and growing cyber threat landscape.

Conclusion

China’s state-sponsored cyber actors represent a persistent and highly sophisticated threat to global cybersecurity. Organizations, governments, and private sector entities must remain vigilant, applying best practices and promptly addressing vulnerabilities to mitigate the risk of compromise.

By comprehending their tactics, targets, and potential impact, organizations can implement effective mitigation strategies to safeguard their assets and data. Collaboration among governments, organizations, and cybersecurity professionals is pivotal in combating these threats and enhancing global cybersecurity resilience. It is a shared responsibility to safeguard our digital landscape from these evolving and persistent threats.

About Rajesh Uppal
