US agency red flags Chinese state-affiliated cyberattacks

The Cybersecurity and Infrastructure Security Agency (CISA), a national risk advisor that forms part of the US Department of Homeland Security, pulled no punches in an "alert" about China published on its website.

"[CISA]," it said, "has consistently observed Chinese Ministry of State Security (MSS)-affiliated cyber threat actors using publicly available information sources and common, well-known tactics, techniques and procedures to target US government agencies."

Gotcha: Spear fishing emails are targeted, using personal information to mimic authentic mail and fool people into trusting them.  (Source: Gerry Lauzon on Flickr CC 2.0)

The hackers have also targeted private sector companies and other entities, exploiting vulnerabilities in F5 BIG-IP devices, Citrix and Pulse Secure VPNs and Microsoft Exchange servers.

The report comes against a backdrop of US sanctions against Chinese supplier Huawei, which President Donald Trump has repeatedly claimed is at the beck and call of the Chinese state.

The latest CISA report on China looks bound to fuel those suspicions, even though it made no explicit mention of the Chinese supplier.

All too easy
Aside from the ongoing cyberattacks, CISA expressed anxiety that "continued use of open-source tools by Chinese MSS-affiliated cyber threat actors highlights that adversaries can use relatively low-complexity capabilities to identify and exploit target networks."

In most cases, bemoaned the national risk advisor, cyber operations are successful because misconfigurations and immature patch management programs allow actors to plan and execute attacks using existing vulnerabilities and known exploits.

One trick up the sleeves of malevolent actors is misappropriation of legitimate information sources such as Shodan, the Common Vulnerabilities and Exposures (CVE) database, and the National Vulnerability Database (NVD).

Shodan is an Internet search engine that can be used to identify vulnerable devices connected to the Internet.

The CVE database and the NVD contain detailed information about vulnerabilities in applications, appliances and operating systems that can be exploited by cyber threat actors if they remain unpatched.

"Widespread implementation of robust configuration and patch management programs would greatly increase network security," said CISA.

"It would also reduce the speed and frequency of opportunistic attacks by forcing threat actors to dedicate time and funding to research unknown vulnerabilities and develop custom exploitation tools."

Gone spear-phishing
CISA has also observed Chinese MSS-affiliated actors in the last 12 months use spear-phishing emails with embedded links to actor-owned infrastructure in order to gain initial access to the target network.

Spear-phishing emails have also been used, said CISA, "to compromise or poison legitimate sites to enable cyber operations."


According to a recent US Department of Justice indictment, two Chinese MSS-affiliated hackers – in a campaign that allegedly lasted more than ten years – targeted various industries across the US and other countries.

Sectors in the firing line included high-tech manufacturing; medical device, civil, and industrial engineering; business, educational, and gaming software; solar energy; pharmaceuticals; and defense.

The two hackers, claimed the US Department of Justice, acted for both their own personal gain and the benefit of the Chinese MSS.

— Ken Wieland, contributing editor, special to Light Reading
