U.S. security agencies have once again come together to release a joint cybersecurity advisory detailing various Chinese state-sponsored cyber techniques used to target U.S. and allied networks. The administration has detailed information on an alleged Chinese Advanced Persistent Threat (APT) group known in open-source reporting as APT40.
The joint analysis summarizes the Chinese state-sponsored cyber threat to the U.S. federal government; state, local, tribal, and territorial (SLTT) governments; critical infrastructure organizations; and private industry, and it provides recommendations for organization leadership to reduce the risk of cyber espionage and data theft. Critical infrastructure includes those crucial sectors whose assets, systems, and networks, whether physical or virtual, are considered so vital to the U.S. that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.
The advisory discloses APT40’s tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help cybersecurity practitioners identify and remediate APT40 intrusions and established footholds. The cyber threat from the People’s Republic of China (PRC) continues to evolve and poses a real risk to the nation’s critical infrastructure, as well as businesses and organizations of all sizes in the U.S. and around the world.
APT40, also known as BRONZE MOHAWK, FEVERDREAM, G0065, Gadolinium, GreenCrash, Hellsing, Kryptonite Panda, Leviathan, MUDCARP, Periscope, Temp.Periscope and Temp.Jumper, is located in Haikou, Hainan Province, PRC, and has been active since at least 2009. APT40 has targeted governmental organizations, companies, and universities across industries, including biomedical, robotics, and maritime research, across the U.S., Canada, Europe, the Middle East, and the South China Sea area, as well as industries included in China’s Belt and Road Initiative, the agencies said.
“Today, we joined our partners at the Federal Bureau of Investigation and National Security Agency to release a joint cybersecurity advisory detailing various Chinese state-sponsored cyber techniques used to target U.S. and allied networks,” Eric Goldstein, executive assistant director at the Cybersecurity and Infrastructure Security Agency (CISA), said in a post on Monday. “With the Department of Justice unsealing indictments related to Advanced Persistent Threat 40 (APT40) cyber hackers, CISA and FBI published a joint advisory providing technical details of their malicious activities and how to mitigate this threat.”
This year, the U.S. Intelligence Community assessed that the PRC presents a prolific and effective cyber-espionage threat and possesses substantial cyberattack capabilities, according to a CISA publication. The PRC’s cyber-espionage operations have included compromising telecommunications firms, providers of managed services and broadly used software, and other targets potentially rich in follow-on opportunities for intelligence collection, attack, or influence operations.
The PRC’s cyber-espionage operations and coordinated theft of information and technology put the U.S. government, critical infrastructure, and private industry organizations at risk of losing sensitive data and technology, trade secrets, intellectual property, and personally identifiable information (PII).
CISA, NSA and FBI have observed increasingly sophisticated Chinese state-sponsored cyber activity targeting political, economic, military, educational, and critical infrastructure personnel and organizations. Target sectors include managed service providers, semiconductor companies, the defense industrial base (DIB), universities, and medical institutions.
During the past several years, the Department of Justice (DoJ) has charged, indicted, or sentenced PRC-affiliated cyber hackers for computer intrusion campaigns targeting multiple critical infrastructure and private sector organizations. Some of these cyber attackers attempted to obtain and transfer sensitive U.S. software and technology to China, the U.S. agencies said.
The security agencies identified that the Chinese state-sponsored cyber hackers have made an effort to mask their activities by using a revolving series of virtual private servers (VPSs) and common open-source or commercial penetration-testing tools. The cyber hackers consistently scan target networks for critical- and high-severity vulnerabilities within days of a vulnerability’s public disclosure. In many cases, they seek to exploit vulnerabilities in widely deployed applications, such as Pulse Secure, Apache, F5 BIG-IP, and Microsoft products.
The Chinese state-sponsored cyber hackers have routinely been observed using a VPS as an encrypted proxy, and they use VPSs, along with small office and home office (SOHO) devices, as operational nodes to evade detection.
General mitigations outlined include prompt patching; enhanced monitoring of network traffic, email, and endpoint systems; and the use of protective capabilities, such as antivirus and strong authentication, to stop malicious activity.
In May, CISA updated its alert on the compromises identified in certain Ivanti Pulse Connect Secure products that directly affect U.S. government agencies, critical infrastructure entities, and other private sector organizations. The exploitation is said to have begun in June 2020 or earlier. Since March 31, 2021, CISA and Ivanti have assisted multiple entities whose vulnerable Pulse Connect Secure products have been exploited by a cyber threat actor.