Amid brewing geopolitical tensions in the U.S., and with the Presidential election just around the corner, CISA has issued an alert advising all operators of critical infrastructure to watch for possible cyberattacks in the coming months. To help organizations and businesses defend against the state actors involved, CISA has published information on the specific tactics, techniques, and procedures (TTPs) those actors employ.
The Chinese Threat
On the world stage, China has been on the defensive ever since the U.S. claimed that China was running a cyber espionage campaign against it through Huawei’s 5G contracts. However, incidents such as the “Taidoor malware attack” and the “Zhenhua data leak” have brought China’s offensive tactics to global attention.
CISA notes that “Made in China 2025” is a 10-year plan outlining China’s top-level policy priorities. In pursuit of these national interests, China may target critical infrastructure in the national and economic sectors of the U.S. The sectors named include new energy vehicles, next-generation information technology (IT), biotechnology, new materials, aerospace, maritime engineering and high-tech ships, railway, robotics, power equipment, and agricultural machinery.
Additionally, several Department of Justice (DOJ) indictments over the past few years provide evidence that Chinese threat actors continuously target the U.S. to exfiltrate intellectual property (IP) from both public and private organizations. Their targets also include Western companies with operations inside China.
Commonly Known TTPs of Chinese Threat Actors
The following table lists the PRE-ATT&CK TTPs commonly used by Chinese threat actors before launching an attack:
| Technique (PRE-ATT&CK ID) | Description |
|---|---|
| Acquire and/or Use 3rd Party Software Services [T1330] | Staging and launching attacks from software-as-a-service (SaaS) solutions that cannot easily be tied back to the APT. |
| Compromise 3rd Party Infrastructure to Support Delivery [T1334] | Compromising infrastructure owned by other parties to facilitate attacks, instead of directly purchasing infrastructure. |
| Domain Registration Hijacking [T1326] | Changing the registration of a domain name without the permission of its original registrant, then using the legitimate domain as a launch point for malicious purposes. |
| Acquire Open-Source Intelligence (OSINT) Data Sets and Information [T1247] | Gathering data and information from publicly available sources, including the target organization’s public-facing websites. |
| Conduct Active Scanning [T1254] | Gathering information on target systems by scanning them for vulnerabilities. Adversaries are likely using tools such as Shodan to identify vulnerable devices connected to the internet. |
| Analyze Architecture and Configuration Posture [T1288] | Analyzing technical scan results to identify architectural flaws, misconfigurations, or improper security controls in victim networks. |
According to CISA, these TTPs and their associated IOCs are difficult to detect and therefore need careful monitoring. Many state-sponsored APT groups, including APT3, APT10, APT19, APT40, and APT41, are reported to actively employ these pre-attack techniques.
Within the Enterprise ATT&CK TTPs, Chinese threat actors have been observed using commonly available security testing tools and frameworks such as:
- Cobalt Strike and Beacon
- PowerShell Empire
- China Chopper web shell, among others.
Having studied the TTPs and IOCs at large, CISA suggests the following mitigation steps:
- Adopt heightened security awareness and vigilance.
- Establish incident response plans and keep them ready.
- Concentrate on patch and configuration management. Keep all systems and networks updated.
- Exercise access control: disable unneeded access, ports, protocols, and services to minimize the operational footprint.
- Deploy network and email traffic monitoring solutions to detect and block intrusion attempts through these channels.
Marty Edwards, VP of OT Security, Director of ICS-CERT and Co-Chair of the Control Systems Interagency Working Group, said, “Today’s CISA alert about possible state-sponsored attacks against the country’s most sensitive and valuable critical infrastructure is what the cybersecurity community has been warning about for some time. For years, we have seen steady momentum of new, targeted attacks against the US that seek to compromise the systems we rely on to function as a modern society. With Covid-19, our reliance on critical infrastructure – from railways to energy to agriculture to pharmaceuticals — has gone into hyperdrive. This dependence is extremely lucrative to cybercriminals looking to wreak havoc.”