Political affiliations aside, Trump’s hardened stance on China and the continuing trade conflicts have exacerbated longstanding mistrust. Chinese cyber-attacks on the U.S. appear to be a response to these tense conditions.
The PLA (People’s Liberation Army) and the Ministry of State Security (MSS) have time and again been identified, by the intelligence community as well as by private entities, as initiators of cyber-attacks against other states. Attacks originate both from state entities and from private China-based groups.
Policies such as the recurring “The Five-Year Plan” and “Made in China 2025” seem to be drivers behind attacks. China is targeting industries that will help them gain a competitive advantage in meeting their goals.
Faced with an onslaught of such magnitude, private organizations must take all necessary precautions to not fall victim. A recent alert issued by CISA (Cybersecurity and Infrastructure Security Agency) spells out the need to take action.
Who is Most at Risk?
CISA has also outlined a threat profile for China which may help concerned businesses and organizations determine their susceptibility.
Industries that are key in this global battle are:
- New energy vehicles
- Information technology, especially next-gen
- Maritime engineering and high-spec ships
- Aerospace technology
- Agricultural machinery
Organizations and industries in these sectors should exercise elevated caution. However, any business holding valuable intellectual property (IP) also faces the general threat that the IP may be illegitimately obtained by China-based agents. In 2019, CNBC reported that 1 in 5 U.S. companies had IP stolen by China within the span of a year.
A relevant, recent indication is how China targeted COVID-19 research facilities to obtain IP related to vaccines, treatments, etc.
Individuals within organizations are also under personal threat. These actors also steal personal identification information in order to gain access to sensitive material or to obtain a higher level of security clearance.
What Cyber Attacks are Used by China?
IoCs (Indicators of Compromise) are forensic artifacts or signs that indicate, with high confidence, that an attack has taken place. The most common TTPs (tactics, techniques, and procedures), mapped according to the MITRE ATT&CK framework and highlighted by CISA, include:
- Acquiring and using third-party software (T1330)
- Compromising third-party infrastructure to support delivery (T1334)
- Domain Registration Hijacking (T1326)
- Acquire Open-Source Intelligence (OSINT) Data Sets and Information (T1247)
- Conduct Active Scanning (T1254)
Publicly available testing tools and legitimate software are also frequently used, and may themselves be IoCs when they appear out of context:
- Cobalt Strike and Beacon
- PowerShell Empire
- China Chopper Web Shell
Of further concern is that most efforts are aimed at sustained APT (advanced persistent threat) attacks. An APT allows a stealthy threat actor to maintain unauthorized access to systems for a prolonged period. In this way, the actor can lie in wait for valuable information and opportunities to appear, leeching off a compromised host.
Best Steps to Prevent, Mitigate, or Recover From Attacks
In the announcement, CISA outlined various actions to help minimize the impact of these attacks. An overriding theme is to spread awareness within the organization to all internal stakeholders. Every employee must understand the risks and threats, and must know what actions to take to report and recover from incidents.
- Diligently and routinely patch systems, especially those identified as vulnerable and with known CVEs
- Implement rigorous configuration management programs to identify IoCs more effectively
- Disable unnecessary ports, protocols, and services to limit threat vectors
- Robustly monitor all network and email traffic
- Use the necessary protection, such as antivirus software, endpoint protection systems, and professional security services
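The configuration-management and "disable unnecessary ports, protocols, and services" recommendations above are easiest to act on when the approved state of each host is written down and checked mechanically. The following Python script is an added example written for this article; it is not code from the CISA alert or from any of the tools named above. It parses constructed `ss -tulpn`-style output for two sample hosts, compares every listening service against a constructed per-role baseline and an always-deny list, and reports each deviation as a finding for the configuration owner to close or justify. The hostnames, roles, baseline entries and sample output are all assumptions made for the example.

```python
"""Audit listening network services against an approved per-role baseline.

Added example (not from the article or CISA): every host role is assigned the
set of (protocol, port, process) triples it is allowed to expose; anything
else that is listening is a configuration drift finding. All hosts, roles,
baseline entries and sample `ss` output below are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

Service = Tuple[str, int, str]          # (proto, port, process)
Finding = Tuple[str, str, int, str, str]  # (host, proto, port, process, reason)

# Constructed baseline: the only services each role may expose.
BASELINE: Dict[str, Set[Service]] = {
    "web": {("tcp", 443, "nginx"), ("tcp", 22, "sshd")},
    "mail": {("tcp", 25, "postfix"), ("tcp", 993, "dovecot"), ("tcp", 22, "sshd")},
}

# Constructed inventory mapping hostname -> role.
INVENTORY: Dict[str, str] = {"web01": "web", "mail01": "mail"}

# Legacy or management protocols that must never be exposed, whatever the role.
ALWAYS_DENY: Set[Tuple[str, int]] = {("tcp", 23), ("tcp", 445), ("tcp", 3389), ("udp", 161)}

# Constructed sample output in the shape produced by `ss -tulpn`.
SAMPLE_SS_OUTPUT: Dict[str, str] = {
    "web01": """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      511    0.0.0.0:443         0.0.0.0:*         users:(("nginx",pid=1020,fd=6))
tcp   LISTEN 0      128    0.0.0.0:23          0.0.0.0:*         users:(("telnetd",pid=1337,fd=4))
tcp   LISTEN 0      128    [::]:8080           [::]:*            users:(("python3",pid=2044,fd=5))
""",
    "mail01": """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=640,fd=3))
tcp   LISTEN 0      100    0.0.0.0:25          0.0.0.0:*         users:(("postfix",pid=910,fd=7))
tcp   LISTEN 0      100    0.0.0.0:993         0.0.0.0:*         users:(("dovecot",pid=955,fd=9))
udp   UNCONN 0      0      0.0.0.0:161         0.0.0.0:*         users:(("snmpd",pid=1201,fd=8))
""",
}

# Extracts the process name from the `users:(("name",pid=...,fd=...))` column.
PROC_RE = re.compile(r'users:\(\("([^"]+)"')


@dataclass(frozen=True)
class ListeningService:
    host: str
    proto: str
    port: int
    process: str


def parse_ss_output(host: str, text: str) -> List[ListeningService]:
    """Parse `ss -tulpn`-style lines into ListeningService records.

    Header lines and anything that is not a tcp/udp socket are skipped; IPv6
    wildcard addresses such as `[::]:8080` are handled by splitting on the
    last colon only.
    """
    services: List[ListeningService] = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue
        port = int(fields[4].rsplit(":", 1)[1])
        match: Optional[re.Match] = PROC_RE.search(line)
        process = match.group(1) if match else "unknown"
        services.append(ListeningService(host, fields[0], port, process))
    return services


def audit(services: List[ListeningService]) -> List[Finding]:
    """Return one finding per listening service that deviates from policy."""
    findings: List[Finding] = []
    for svc in services:
        role = INVENTORY.get(svc.host)
        if role is None:
            findings.append((svc.host, svc.proto, svc.port, svc.process, "host not in inventory"))
        elif (svc.proto, svc.port) in ALWAYS_DENY:
            findings.append((svc.host, svc.proto, svc.port, svc.process, "denied protocol exposed"))
        elif (svc.proto, svc.port, svc.process) not in BASELINE[role]:
            findings.append((svc.host, svc.proto, svc.port, svc.process, f"not in {role} baseline"))
    return findings


def run_sample() -> List[Finding]:
    """Audit the constructed sample hosts and return all findings."""
    all_findings: List[Finding] = []
    for host, output in SAMPLE_SS_OUTPUT.items():
        all_findings.extend(audit(parse_ss_output(host, output)))
    return all_findings


if __name__ == "__main__":
    for host, proto, port, process, reason in run_sample():
        print(f"{host}: {proto}/{port} ({process}) - {reason}")
```

On the sample data the audit reports the telnet listener and the unexpected port 8080 service on web01 and the SNMP listener on mail01, while the approved sshd, nginx, postfix and dovecot services produce no findings. In practice the baseline would live in version control alongside the rest of the configuration-management data, and the script would run against real `ss -tulpn` output collected from each host.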
Although there are signs of hope with agreements against cyber-attacks between these two global superpowers, the reality today is still fraught with danger. Cyber-attacks from China against the U.S., U.S. businesses, and other global actors are still a real threat. Spreading awareness within organizations and ensuring structures are in place to handle incidents are the best ways to fortify your operations.