NSA, CISA, FBI Issue Advisory Saying Chinese State-Sponsored Malicious Activity Major Threat To US Cyberspace Assets

July 20, 2021

By a Biometrica staffer

In a cybersecurity advisory released on Monday, July 19, the National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), and Federal Bureau of Investigation (FBI) said Chinese state-sponsored cyber activity poses a major threat to U.S. and allied systems. 

These cyber actors aggressively target U.S. and allied political, economic, military, educational, and critical infrastructure (CI) personnel and organizations to steal sensitive data, critical and emerging key technologies, intellectual property, and personally identifiable information (PII), the advisory adds. Target sectors include managed service providers, semiconductor companies, the Defense Industrial Base (DIB), universities, and medical institutions.

The Joint Cybersecurity Advisory (CSA) describes over 50 tactics, techniques, and procedures (TTPs) Chinese state-sponsored cyber actors used when targeting U.S. and allied networks, and also details mitigations. It provides specific mitigations for in-depth tactics and techniques aligned with the recently released NSA-funded MITRE D3FEND framework. The information in this advisory builds on the NSA’s previous release: Chinese State-Sponsored Actors Exploit Publicly Known Vulnerabilities.

“To increase the defensive posture of their critical networks and reduce the risk of Chinese malicious cyber activity, NSA, CISA, and FBI urge government, CI, DIB, and private industry organizations to apply the recommendations listed in the Mitigations section of this advisory and in Appendix A: Chinese State-sponsored Cyber Actors’ Observed Procedures,” the advisory from Monday says. It also encourages organization leaders to review CISA’s insights for leaders for more information on this threat.

The advisory identifies the following trends in Chinese state-sponsored malicious cyber operations, through proactive and retrospective analysis:

  • Acquisition of Infrastructure and Capabilities — These cyber actors make an effort to mask their activities by using a revolving series of virtual private servers (VPSs) and common open-source or commercial penetration tools.
  • Exploitation of Public Vulnerabilities — They consistently scan target networks for critical and high vulnerabilities within days of the vulnerability’s public disclosure. In many cases, these cyber actors seek to exploit vulnerabilities in major applications, such as Pulse Secure, Apache, F5 Big-IP, and Microsoft products.
  • Encrypted Multi-Hop Proxies — They have been routinely observed using a VPS as an encrypted proxy. The cyber actors use the VPS as well as small office and home office (SOHO) devices as operational nodes to evade detection.

It recommends federal and state government bodies, CI, DIB, and private industry organizations use these mitigation tactics:

  • Patch systems and equipment promptly and diligently — Focus on patching critical and high vulnerabilities, and consider implementing a patch management program that enables a timely and thorough patching cycle.
  • Enhance monitoring of network traffic, email, and endpoint systems — Review network signatures and indicators for focused activities, monitor for new phishing themes, and adjust email rules accordingly.
  • Use protection capabilities to stop malicious activity — Implement anti-virus software and other endpoint protection capabilities to automatically detect and prevent malicious files from executing.

FBI’s Cyber Division Assistant Director Bryan Vorndran released a statement after the CSA was issued saying the FBI and its partners were determined to disrupt the “increasingly sophisticated Chinese state-sponsored cyber activity that targets U.S. political, economic, military, education, and counterintelligence personnel and organizations.”

On Tuesday, July 20, China rejected accusations by Washington and its Western allies that Beijing is to blame for a hack of the Microsoft Exchange email system and complained, instead, that Chinese entities are victims of damaging U.S. cyberattacks. China is a leader in cyberwarfare research along with the United States and Russia, but Beijing denies accusations that Chinese hackers steal trade secrets and technology, the Associated Press reported on Tuesday.

On Monday, the FBI had published a statement saying four Chinese nationals working with the Ministry of State Security were charged with a global computer intrusion campaign targeting intellectual property and confidential business information, including infectious disease research. On Tuesday, while rejecting the theory that China had anything to do with the Microsoft Exchange hack, a foreign ministry spokesperson from China demanded Washington drop charges against the four Chinese nationals.