DoD Advisory Detailing Chinese Cyber Threat Activity
Please see the attached advisory issued by NSA, CISA, and the FBI. The People's Republic of China has been assessed as deploying state-sponsored malicious cyber activity -- a major threat to U.S. and Allied cyberspace assets.
Increasingly sophisticated Chinese-state sponsored cyber activity has been targeting U.S. political, economic, military, and educational organizations. The following trends have been observed:
- Acquisition of Infrastructure and Capabilities: Chinese state-sponsored cyber actors are highly aware of the information security community's best practices. Actors mask their activities by leveraging a series of virtual private servers (VPSs) or common commercial penetration tools.
- Exploitation of Public Vulnerabilities: Chinese state-sponsored cyber actors scan target networks for critical and high vulnerabilities within days of a vulnerability's public disclosure.
- Encrypted Multi-Hop Proxies: Chinese state-sponsored cyber actors have been observed to use a combination of a VPS and small/home office devices to evade detection.
To mitigate these attacks, companies are urged to consider:
- Strong and Timely Patch Management: Organizations should patch critical and high vulnerabilities that allow for remote code execution or denial-of-service, especially on externally facing equipment.
- Enhanced Monitoring of Network Traffic, Email and Endpoint Systems: Organizations should review network signatures and indicators for focused activities, monitor for new phishing trends, and adjust email rules in a timely manner.
- Protection Capabilities to Stop Malicious Activity: Organizations should implement anti-virus software and other endpoint protection capabilities to detect and prevent malicious files from executing.
Detailed information about these threats and mitigation steps is outlined in the attached document. Additionally, DoD's Industrial Policy Office has developed Project Spectrum (https://projectspectrum.io/#!/), a DoD-sponsored initiative that provides companies, institutions, and organizations with a comprehensive, cost-effective platform of cybersecurity information, resources, tools, and training. Kindly assist us with referring this resource to defense industrial base companies looking to improve cybersecurity readiness and resiliency.
Deputy Assistant Secretary of Defense for Industrial Policy
MESSAGE FROM THE DEPARTMENT OF HOMELAND SECURITY
From: CommunicationsSector <CommunicationsSector@cisa.dhs.gov>
Sent: Monday, July 19, 2021 1:17 PM
Subject: [Non-DoD Source] U.S. Government Releases Indictment and Several Advisories Detailing Chinese Cyber Threat Activity
INTENDED FOR WIDEST DISTRIBUTION
Critical Infrastructure Partners,
As today's announcement from the White House (https://www.whitehouse.gov/briefing-room/statements-releases/2021/07/19/the-united-states-joined-by-allies-and-partners-attributes-malicious-cyber-activity-and-irresponsible-state-behavior-to-the-peoples-republic-of-china/) indicates, the cyber threat from the People's Republic of China (PRC) continues to evolve and poses a real risk to the nation's critical infrastructure, as well as businesses and organizations of all sizes at home and around the world. The Cybersecurity and Infrastructure Security Agency (CISA), in partnership with the National Security Agency (NSA) and the Federal Bureau of Investigation (FBI), published new advisories to help organizations assess and harden their networks against malicious Chinese state-sponsored cyber actors.
First, CISA, NSA, and FBI published a Joint Cybersecurity Advisory (CSA) (https://us-cert.cisa.gov/ncas/alerts/aa21-200b) to detail various Chinese state-sponsored cyber techniques used to target U.S. and Allied networks. This advisory, "Chinese State-Sponsored Cyber Operations: Observed TTPs", is a deep dive into the techniques used when targeting U.S. and Allied networks.
Second, CISA and FBI published a Joint Cybersecurity Advisory (https://us-cert.cisa.gov/ncas/alerts/aa21-200a) on a Chinese Advanced Persistent Threat (APT) group known in open-source reporting as APT40. This advisory provides APT40's tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help cybersecurity practitioners identify and remediate APT40 intrusions and established footholds. This accompanies action by the U.S. Department of Justice (DOJ) today in unsealing indictments (https://www.justice.gov/opa/pr/four-chinese-nationals-working-ministry-state-security-charged-global-computer-intrusion) against four APT40 cyber actors for their illicit computer network exploitation (CNE) activities via the front company Hainan Xiandun Technology Development Company (Hainan Xiandun).
Third, "CISA Insights: Chinese Cyber Threat Overview for Leaders" (https://www.cisa.gov/publication/chinese-cyber-threat-overview-leaders) is a joint analysis from CISA, FBI, and NSA that provides recommendations to organizational public and private sector leadership to reduce the risk of cyber espionage and data theft from Chinese state-sponsored cyber actors. Chinese state-sponsored cyber actors aggressively target U.S. and Allied political, economic, military, educational, and critical infrastructure (CI) personnel and organizations to steal sensitive data, emerging and key technology, intellectual property, and personally identifiable information (PII).
CISA also encourages users and administrators to review the blog post "Safeguarding Critical Infrastructure against Threats from the People's Republic of China" (https://www.cisa.gov/blog/2021/07/19/safeguarding-critical-infrastructure-against-threats-peoples-republic-china) by CISA Executive Assistant Director Eric Goldstein and the China Cyber Threat Overview and Advisories webpage (http://www.us-cert.cisa.gov/china).
CISA continues to work with our partners – both at home and abroad – to assess and identify malicious cyber activity by state-sponsored actors or criminals and provide actionable information to our partners so they can protect their organizations.
We encourage you to share this information widely.
Cybersecurity and Infrastructure Security Agency
Department of Homeland Security