Chinese state-backed threat actors are using publicly available information sources and common, well-known tactics, techniques, and procedures (TTPs) to target U.S. government agencies, the Department of Homeland Security’s cyber wing said in a recent bulletin.
The targets? Unsurprisingly, federal agency networks and critical industries in a worldwide, 10-year campaign across high-tech manufacturing; medical device, civil, and industrial engineering; business, educational, and gaming software; solar energy; pharmaceuticals and defense. The hackers are interested not only in stealing for the Chinese Ministry of State Security (MSS), officials at the Cybersecurity Infrastructure and Security Agency (CISA) and the Federal Bureau of Investigation (FBI) said in the jointly produced document, but also for personal gain.
CISA issued the warning a few days ahead of indictments served by the Justice Department on September 16 charging five Chinese nationals tied to the Chinese government with hacking into more than 100 companies in the U.S., spanning video game makers, telecommunications, social media, computer hardware manufacturers, foreign governments, academia, think tanks, and pro-democracy activists in Hong Kong. The hackers are said to be part of a crew known as APT41, officials said.
As for open source-filled exploitation toolkits, they're not confined solely to cyber crews sponsored by the MSS. Other foreign gangs with various levels of sophistication and know-how are also “routinely using open source information” to plan and execute cyber campaigns, the advisory said. Mounting a stout defense against cyber threat actors using readily available exploits to hit their targets amounts to following a “rigorous patching cycle,” officials said. Doing so continues to be the best defense against the most frequently used attacks. Failing to do so enables hackers to carry out attacks without the need to develop custom malware and exploits or use previously unknown vulnerabilities to target a network. There’s a substantial difference in consequences between the two approaches, the agencies said.
“The continued use of open-source tools by Chinese MSS-affiliated cyber threat actors highlights that adversaries can use relatively low-complexity capabilities to identify and exploit target networks,” the document reads. “In most cases, cyber operations are successful because misconfigurations and immature patch management programs allow actors to plan and execute attacks using existing vulnerabilities and known exploits,” the agencies said.
To dig deeper into the inner-workings of Chinese MSS-affiliated bad actors, CISA has leveraged the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) and Pre-ATT&CK frameworks to characterize the cyber gangs' TTPs, referencing a cyber defense strategy used by many organizations that banks on threat intelligence, engagement and collaboration to reduce the likelihood of successful future attacks.
In the last 12 months, CISA said it has identified some of the more common and effective TTPs employed by cyber threat actors, including:
- Selecting targets based on security posture, using information sources such as the IoT search engine Shodan, the Common Vulnerabilities and Exposure database and the National Vulnerabilities Database.
- Exploiting known vulnerabilities faster than organizations can fix them.
- Using command and control infrastructure as part of their cyber operations.
- Deploying the penetration testing tool Cobalt Strike to target commercial and federal government networks.
- Launching spearphishing emails with embedded links to actor-owned infrastructure and, in some cases, compromising legitimate sites to enable cyber operations.
- Using China Chopper to upload files and brute-force passwords in web application attacks.
- Leveraging the Mimikatz open-source tool to capture account credentials and perform privilege escalation.
As for prevention and mitigation strategies, CISA and the FBI recommend that organizations “routinely audit their configuration and patch management programs to ensure they can track and mitigate emerging threats. Implementing a rigorous configuration and patch management program will hamper sophisticated cyber threat actors’ operations and protect organizations’ resources and information systems.”
The CISA/FBI bulletin follows Microsoft’s outing last week of three prolific hacking crews from China, Iran and Russia for allegedly executing hundreds of cyber assaults on organizations and staffers associated with the election campaigns of President Trump and candidate Joe Biden. One of those crews, Zirconium, also known as APT31, operates from China. While Russia has been prominently identified as the guilty party in attempts to infiltrate U.S. elections, senior intelligence officials and security defenders have consistently warned that other countries are also meddling in the voting system.