Mandiant details how Chinese cyber espionage hackers evolve stealth tactics to avoid detection

Mandiant Intelligence disclosed that it is tracking several ways in which Chinese cyber espionage activity has increasingly leveraged initial access and post-compromise strategies intended to minimize opportunities for detection. Specifically, the latest analysis focuses on Chinese threat groups’ exploitation of zero-days in security, networking, and virtualization software, and on the targeting of routers and other methods to relay and disguise attacker traffic both outside and inside victim organizations’ networks.

“We assess with high confidence that Chinese cyber espionage groups are using these techniques to avoid detection and complicate attribution,” Mandiant researchers wrote in a Tuesday blog post. “Mandiant Intelligence assesses with high confidence that Chinese cyber espionage zero-day exploitation in 2021 and 2022 has focused on security, networking, and virtualization technologies because targeting these devices affords several tactical advantages in obtaining and retaining surreptitious access to victim networks.” 

Mandiant also noted that in the last three years it has more frequently identified examples of Chinese cyber espionage operations using botnets of compromised internet of things (IoT) devices, smart devices, and routers to disguise external traffic between C2 infrastructure and victim environments, as well as numerous malware families that include functionality to covertly relay attacker traffic within compromised networks. “We judge that the operators are using these tactics to evade detection and to complicate attribution,” the post added.

The Mandiant post outlined two recent campaigns exemplifying notable strategies Chinese threat actors have used to maximize stealth, including, but not limited to, zero-day exploitation.

In 2022, Mandiant investigated incidents in which the suspected Chinese cyber espionage actor UNC3886 used multiple attack paths and two zero-day vulnerabilities to establish persistence at targeted organizations and ultimately gain access to virtualized environments. UNC3886 has primarily targeted defense industrial base (DIB), technology, and telecommunication organizations in the U.S. and Asia.

“UNC3886 took extraordinary measures to remain undetected in victim environments. The attackers limited their presence on networks to Fortinet security devices and VMware virtualization technologies, devices and platforms that traditionally lack EDR solutions,” the post disclosed. “The group’s custom malware and exploits prioritized circumventing logs and security controls, for example, using non-traditional protocols (VMCI sockets) that are not logged by default and have no security restrictions to interact between hypervisors and guest virtual machines (VMs). UNC3886 also cleared and modified logs and disabled file system verification on startup to avoid getting detected.” 

The researchers added that the group used malware families designed to interact with Fortinet devices, including THINCRUST, CASTLETAP, TABLEFLIP, and REPTILE. “UNC3886 took advantage of path traversal vulnerability CVE-2022-41328 to overwrite legitimate files in a normally restricted system directory,” they added.

“With access to targeted organizations’ Fortinet devices, the threat actor interacted with VMware vCenter servers and leveraged malicious vSphere Installation Bundles (VIBs) to install customized backdoors VIRTUALPITA and VIRTUALPIE on ESXi hypervisors,” the post said. “UNC3886 exploited an authentication bypass vulnerability CVE-2023-20867 on ESXi hosts to enable the execution of privileged commands on guest VMs with no additional logs generated on guest VMs.”

The Mandiant researchers said that beginning in at least October 2022, suspected Chinese cyber espionage actor UNC4841 exploited a zero-day vulnerability, CVE-2023-2868, in Barracuda Email Security Gateway (ESG) appliances in a campaign targeting public and private organizations worldwide. “In several cases we observed evidence of the actor searching for email data of interest before staging it for exfiltration. The actor showed specific interest in information of political or strategic interest to China. This included the global targeting of governments and organizations associated with verticals of high priority to China.” 

They added that in the set of entities selected for focused data exfiltration, shell scripts were uncovered that targeted email domains and users from the Ministries of Foreign Affairs (MFAs) of ASEAN member nations, as well as individuals within foreign trade offices and academic research organizations in Taiwan and Hong Kong.

“UNC4841 sought to disguise elements of its activity in a number of ways. In addition to continuing the pattern of targeting a security appliance, UNC4841 sent emails with specially crafted TAR file attachments that exploited CVE-2023-2868 and allowed the attackers to execute arbitrary system commands with the elevated privileges of the ESG product,” the post added. “We assess that the subject line and body of the emails UNC4841 sent as part of this campaign were likely crafted to be caught in spam filters and discourage further investigation.” 
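As an added illustration from the defender's side (example code, not part of this article or the Mandiant post): a pre-filter a mail gateway could apply to TAR attachments before handing them to an appliance's archive parser. Barracuda's public advisory for CVE-2023-2868 described the flaw as incomplete validation of the file names inside attached .tar archives, so the check rejects member names containing shell metacharacters, traversal sequences, or link entries; the metacharacter set and the rejection policy are this example's own assumptions.

```python
import io
import tarfile

# Characters with no place in a legitimate attachment file name but which a
# shell would interpret if the name were ever interpolated into a command.
# This policy set is an assumption of the example, not a vendor-published list.
SHELL_META = set("`$;|&<>(){}\n\r'\"\\")


def suspicious_members(tar_bytes: bytes) -> list[tuple[str, str]]:
    """Inspect a TAR attachment and return (member_name, reason) pairs for
    entries a gateway should reject before any downstream parser sees them.
    Only headers are read; member contents are never extracted."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        for member in tf.getmembers():
            name = member.name
            parts = name.split("/")
            if any(ch in SHELL_META for ch in name):
                findings.append((name, "shell metacharacter in member name"))
            elif name.startswith("/") or ".." in parts:
                findings.append((name, "absolute path or directory traversal"))
            elif member.issym() or member.islnk():
                findings.append((name, "symbolic or hard link entry"))
    return findings


def build_tar(names: list[str]) -> bytes:
    """Construct an in-memory TAR whose member names are chosen by the
    caller (constructed sample input for the demo and tests)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name in names:
            info = tarfile.TarInfo(name=name)
            payload = b"placeholder content"
            info.size = len(payload)
            tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed attachment mixing benign names with names that should be refused.
    sample = build_tar(["invoice.pdf", "report`id`.docx", "../../etc/passwd", "docs/notes.txt"])
    for name, reason in suspicious_members(sample):
        print(f"REJECT {name!r}: {reason}")
```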

Mandiant has observed advanced groups that exploit zero-days use this tactic in the past. UNC4841 also developed custom malware using naming conventions consistent with legitimate ESG files (including SALTWATER, SEASIDE, and SEASPY), and inserted custom backdoor code into legitimate Barracuda modules, including SEASPRAY and SKIPJACK. In some cases, UNC4841 used the legitimate self-signed temporary SSL certificates that ship on ESG appliances for setup purposes, as well as certificates stolen from victim environments, to disguise its command and control (C2) traffic.

More recently, Microsoft discovered stealthy and targeted malicious activity aimed at U.S. critical infrastructure organizations, largely focused on post-compromise credential access and network system discovery. Using ‘living-off-the-land’ techniques and hands-on-keyboard activity, the attacks are carried out by Volt Typhoon, a state-sponsored hacker group based in China that typically focuses on espionage and information gathering. These attacks have targeted critical infrastructure sectors including communications, manufacturing, utility, transportation, maritime, and government.

The Mandiant researchers concluded that use of botnets, proxying traffic in a compromised network, and targeting edge devices are not new tactics, nor are they unique to Chinese cyber espionage actors. “However, during the last decade, we have tracked Chinese cyber espionage actors’ use of these and other tactics as part of a broader evolution toward more purposeful, stealthy, and effective operations,” they added. 

They also suggest that the military and intelligence restructuring, evidence of shared development and logistics infrastructure, and legal and institutional structures directing vulnerability research through government authorities point to long-term investments in equipping Chinese cyber operators with more sophisticated tactics, tools, and exploits to achieve higher success rates in gaining and maintaining access to high-value networks.

In March, Mandiant provided a comprehensive analysis of recent activity by hacktivists targeting OT (operational technology) systems, leveraging information from previously undisclosed and known incidents to discuss the potential implications for OT defenders. Awareness about emerging hacktivism trends helps OT defenders to prioritize countermeasures and differentiate state-sponsored fronts leveraging the hacktivism cloak.
