China’s State-Sponsored Cyber Actors: A Persistent Threat to Global Cybersecurity

Related Articles

China’s Quantum Satellites: Paving the Way for a Global Unhackable Ground and Space Network Infrastructure

39 mins ago

Navigating the Global Nuclear Power Landscape: Trends, Challenges, and Opportunities

2 days ago

Navigating Turbulence: The European Economic Security Strategy Amid Geopolitical Tensions

2 days ago

Introduction

In the dynamic realm of cybersecurity, the threat posed by China’s state-sponsored cyber actors stands out as both enduring and highly sophisticated. Operating with the backing and resources of the Chinese government, these actors present a substantial risk to organizations worldwide.

 

Modus Operandi and Targets

China’s state-sponsored cyber actors employ a wide array of tactics, techniques, and procedures (TTPs) to achieve their objectives. These encompass:

Exploiting vulnerabilities: Actively seeking and exploiting software and system vulnerabilities to gain unauthorized access to networks and sensitive data.

Malware deployment: Deploying sophisticated malware to exfiltrate sensitive information, disrupt operations, or hold data hostage for ransom.

Supply chain attacks: Targeting third-party software and hardware suppliers to compromise the supply chain and embed malicious code into widely-used products.

Social engineering: Utilizing social engineering techniques to manipulate individuals into revealing sensitive information or clicking on malicious links.

The scope of their targets is extensive, but they frequently focus on organizations that possess valuable intellectual property, sensitive government information, or critical infrastructure. These targets encompass:

Defense contractors: Their pursuit of military secrets and advanced technology remains a primary objective for China’s state-sponsored cyber actors.

Government agencies: Gaining access to government networks and data provides China with crucial insights into political, economic, and military affairs.

Critical infrastructure providers: Disrupting vital infrastructure, such as power grids and transportation systems, can result in widespread economic damage and social unrest.

Global Impact and Mitigation Strategies

The activities of China’s state-sponsored cyber actors exert a considerable impact on the global economy and society. Their actions can lead to:

Financial losses: Data breaches, ransomware attacks, and business disruptions can result in substantial financial losses for affected organizations.

Erosion of trust: Public trust in institutions and organizations can be eroded when their data is compromised or their systems are disrupted.

National security threats: The theft of sensitive government information and the disruption of critical infrastructure can pose a significant threat to national security.

To mitigate the risks posed by China’s state-sponsored cyber actors, organizations should establish a comprehensive cybersecurity strategy that includes:

Vulnerability management: Regularly scanning systems for vulnerabilities and promptly applying patches or workarounds.

Security awareness training: Educating employees about cybersecurity risks and how to identify and avoid phishing attacks and other social engineering tactics.

Incident response planning: Developing and testing incident response plans to effectively respond to cyberattacks and minimize damage.

Adopting a zero-trust security model: Implementing a zero-trust security model that verifies the identity of users and devices before granting access to resources.

Seeking expert guidance: Consulting with cybersecurity experts to assess risks, implement appropriate security measures, and stay informed about evolving threats.

 

The joint Cybersecurity Advisory, coauthored by the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI), highlights the relentless exploitation of known vulnerabilities by People’s Republic of China (PRC) state-sponsored cyber actors. This advisory underscores the critical importance of addressing these threats promptly and effectively.

Exploiting Common Vulnerabilities

PRC state-sponsored cyber actors have consistently exploited vulnerabilities in network devices, such as Small Office/Home Office (SOHO) routers and Network Attached Storage (NAS) devices. These devices serve as gateways for cyber actors to infiltrate networks, routing command and control traffic and facilitating network intrusions. Often overlooked by cybersecurity defenders, these devices have become a preferred target due to their susceptibility and the challenges in maintaining routine software patching.

Since 2020, PRC state-sponsored cyber actors have launched extensive campaigns targeting publicly identified security vulnerabilities, referred to as Common Vulnerabilities and Exposures (CVEs). This approach allows them to breach victim accounts using publicly available exploit code against virtual private network (VPN) services and public-facing applications. Notably, this occurs without the use of distinct or identifiable malware, as long as the actors act before organizations update their systems.

Dynamic Tactics and Evolving Techniques

PRC state-sponsored cyber actors are continuously evolving and adapting their tactics to evade detection. These actors have been observed monitoring network defenders’ accounts and actions, adjusting their campaigns as necessary to remain undetected. They modify their infrastructure and toolsets following the release of information about their ongoing activities, blending their customized tools with publicly available ones to obscure their presence in the network’s noise.

Table 1 lists the most frequently exploited network device CVEs since 2020. Of particular concern is the targeting of major telecommunications companies and network service providers, where PRC state-sponsored cyber actors utilize open-source tools for reconnaissance and vulnerability scanning. Tools like RouterSploit and RouterScan enable them to identify vulnerabilities and conduct further exploitation of SOHO and other routers manufactured by industry giants such as Cisco, Fortinet, and MikroTik.

Telecommunications and Network Service Provider Targeting

Once PRC state-sponsored cyber actors gain access to a telecommunications organization or network service provider, they identify critical users and infrastructure. By obtaining credentials from critical servers, such as Remote Authentication Dial-In User Service (RADIUS) servers, they gain access to Structured Query Language (SQL) databases. These databases contain both cleartext and hashed passwords for user and administrative accounts.

Armed with these credentials, the actors employ automated scripts to authenticate to routers via Secure Shell (SSH), execute router commands, and capture router configurations. These configurations are then exfiltrated to the actors’ infrastructure. Following this, they configure port mirroring to copy all network traffic to an interface, forwarding it through a tunnel to their controlled infrastructure.

Mitigating the Threat

The joint advisory emphasizes the importance of promptly applying patches, isolating compromised devices, segmenting networks, and enforcing multifactor authentication (MFA). Additional best practices include:

1. Disabling unused or unnecessary network services, ports, protocols, and devices.
2. Implementing strict password requirements and regular account reviews.
3. Performing data backup procedures and maintaining incident response and recovery procedures.
4. Isolating Internet-facing services in a Demilitarized Zone (DMZ) to reduce internal network exposure.
5. Enabling robust logging of Internet-facing services and monitoring the logs for compromise signs.
6. Using dedicated management systems and accounts for system administrators, protected by strict network policies.
7. Enabling robust logging and reviewing of network infrastructure accesses, configuration changes, and critical infrastructure services.

Conclusion

China’s state-sponsored cyber actors represent a persistent and highly sophisticated threat to global cybersecurity. Organizations, governments, and private sector entities must remain vigilant, applying best practices and promptly addressing vulnerabilities to mitigate the risk of compromise.

By comprehending their tactics, targets, and potential impact, organizations can implement effective mitigation strategies to safeguard their assets and data. Collaboration among governments, organizations, and cybersecurity professionals is pivotal in combating these threats and enhancing global cybersecurity resilience. It is a shared responsibility to safeguard our digital landscape from these evolving and persistent threats.