Increasingly sophisticated Chinese-state sponsored cyber activity has been targeting U.S. political, economic, military, and educational organizations. The following trends have been observed:
- Acquisition of Infrastructure and Capabilities: Chinese state-sponsored cyber actors are highly aware of the information security community’s best practices. Actors mask their activities by leveraging a series of virtual private servers (VPSs) or common commercial penetration tools.
- Exploitation of Public Vulnerabilities: Chinese state-sponsored cyber actors scan target networks for critical and high vulnerabilities within days of a vulnerability’s public disclosure.
- Encrypted Multi-Hop Proxies: Chinese state-sponsored cyber actors have been observed to use a combination of a VPS and small/home office devices to evade detection.
To mitigate these attacks companies are urged to consider:
- Strong and Timely Patch Management: Organizations should patch critical and high vulnerabilities that allow for remote code execution or denial-of-service, especially on externally facing equipment.
- Enhanced Monitoring of Network Traffic, Email and Endpoint Systems: Organizations should review network signatures and indicators for focused activities, monitor for new phishing trends, and adjust email rules in a timely manner.
- Protection Capabilities to Stop Malicious Activity: Organizations should implement anti-virus software and other endpoint protection capabilities to detect and prevent malicious files from executing.
Detailed information about these threats and mitigation can be found here. Additionally, DoD’s Industrial Policy Office has developed Project Spectrum, a DoD-sponsored initiative that provides companies, institutions, and organizations with a comprehensive, cost-effective platform of cybersecurity information, resources, tools, and training.
BELOW IS THE MESSAGE FROM THE DEPARTMENT OF HOMELAND SECURITY
INTENDED FOR WIDEST DISTRIBUTION
Critical Infrastructure Partners,
As today’s announcement < Caution-https://www.whitehouse.gov/briefing-room/statements-releases/2021/07/19/the-united-states-joined-by-allies-and-partners-attributes-malicious-cyber-activity-and-irresponsible-state-behavior-to-the-peoples-republic-of-china/ > from the White House indicates, the cyber threat from the People’s Republic of China (PRC) continues to evolve and poses a real risk to the nation’s critical infrastructure, as well as businesses and organizations of all sizes at home and around the world. The Cybersecurity and Infrastructure Security Agency (CISA), in partnership with National Security Agency (NSA) and Federal Bureau of Investigation (FBI), published new advisories to help organizations assess and harden their networks against malicious Chinese state-sponsored cyber actors.
First, CISA, NSA, and FBI published a Joint Cybersecurity Advisory < Caution-https://us-cert.cisa.gov/ncas/alerts/aa21-200b > (CSA) to detail various Chinese state- sponsored cyber techniques used to target U.S. and Allied networks. This advisory, “Chinese State-Sponsored Cyber Operations: Observed TTPs”, is a deep dive into the techniques used when targeting U.S. and Allied networks.
Second, CISA and FBI published a Joint Cybersecurity Advisory < Caution-https://us-cert.cisa.gov/ncas/alerts/aa21-200a > on a Chinese Advanced Persistent Threat (APT) group known in open-source reporting as APT40. This advisory provides APT40’s tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help cybersecurity practitioners identify and remediate APT40 intrusions and established footholds. This accompanies action by the U.S. Department of Justice (DOJ) today with unsealing indictment < Caution-https://www.justice.gov/opa/pr/four-chinese-nationals-working-ministry-state-security-charged-global-computer-intrusion > s against four APT40 cyber actors for their illicit computer network exploitation (CNE) activities via front company Hainan Xiandun Technology Development Company (Hainan Xiandun).
Third, “CISA Insights: Chinese Cyber Threat Overview for Leaders < Caution-https://www.cisa.gov/publication/chinese-cyber-threat-overview-leaders > ” is a joint analysis from CISA, FBI, and NSA that provides recommendations to organizational public and private sector leadership to reduce the risk of cyber espionage and data theft from Chinese state-sponsored cyber actors. Chinese state-sponsored cyber actors aggressively target U.S. and Allied political, economic, military, educational, and critical infrastructure (CI) personnel and organizations to steal sensitive data, emerging and key technology, intellectual property, and personally identifiable information (PII).
CISA also encourages users and administrators to review the blog post, Safeguarding Critical Infrastructure against Threats from the People’s Republic of China, < Caution-https://www.cisa.gov/blog/2021/07/19/safeguarding-critical-infrastructure-against-threats-peoples-republic-china > by CISA Executive Assistant Director Eric Goldstein and the China Cyber Threat Overview and Advisories < Caution-http://www.us-cert.cisa.gov/china > webpage.
CISA continues to work with our partners – both at home and abroad – to assess and identify malicious cyber activity by state-sponsored or criminals and provide the actionable information to our partners so they can protect their organization.
We encourage you to share this information widely.
Cybersecurity and Infrastructure Security Agency
Department of Homeland Security
Sector.Partnership@CISA.DHS.GOV < Caution-mailto:Sector.Partnership@CISA.DHS.GOV >