US agencies warn of China-sponsored cyberattacks

U.S. security and intelligence agencies have issued an alert with information about how state-sponsored cyber actors in the People’s Republic of China continue to exploit publicly known vulnerabilities to compromise the infrastructures of telecommunications companies and network service providers. The statement released by the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA) and the Federal Bureau of Investigation (FBI) National Security Agency lists vulnerabilities associated with network devices exploited since 2020.

According to the alert, Chinese government-sponsored agents exploit vulnerable network equipment such as routers and Network Attached Storage (NAS) devices to serve as access points to direct command and control (C2) traffic and act as intermediaries to conduct network intrusions. In general, these devices are often overlooked by cyberdefense schemes, which often struggle to keep up with routine patch installation for endpoint devices.

Since 2020, these actors have been running widespread campaigns to quickly exploit publicly identified security vulnerabilities, also known as Common Vulnerabilities and Exposures (CVEs). The technique used has allowed them to gain access to victims’ accounts using publicly available code employed against virtual private network (VPN) services or public-facing applications.

In addition, agencies warn that these actors are also evolving and adapting their tactics to circumvent current network defenses. It has been observed that malicious actors monitor the accounts and actions of network defense systems and modify ongoing campaigns as needed to remain undetectable. They often combine a customized set of publicly available tools to conceal their activities by blending in with normal network noise or tasks.

The vulnerabilities and exposures listed below are the CVEs used against network equipment most frequently exploited by China-sponsored cyber agents since 2020, according to US agencies.

These Chinese government-sponsored agents often use open source tools to recognize and scan for vulnerabilities. They use router-specific open source software, for example RouterSploit (for embedded devices) and RouterScan (for scanning IP addresses for vulnerabilities) to identify makes, models, and known vulnerabilities.

The US agencies urge government organizations and companies to follow the suggested recommendations to increase their postures and reduce the risk of intrusion into their critical networks.

Intellectual Property Theft

While campaigns that exploit vulnerabilities often gain media attention, there are attacks that go unnoticed that are usually more insidious and generate much greater financial damage. This alert came to light last May in the form of a Cybereason survey that revealed one such attack, said to be the work of the Chinese group APT Winnti.

Cybereason has informed the FBI and the US Department of Justice (DOJ) about the investigation dubbed Operation CuckooBees. For years, this campaign operated undetected, diverting

The Cybereason team has published two reports – one examining tactics and techniques employed in the campaign, and another with a more detailed analysis of the malware and exploit activities performed.

The discovery of this campaign was made during investigations of several intrusions targeting technology and manufacturing companies in North America, Europe, and Asia. The criminal actions have gone undetected since at least 2019. It is estimated that the group managed to steal hundreds of gigabytes in data, with the attackers targeting intellectual property that included confidential documents, blueprints, formulas, and proprietary data related to manufacturing. It also collected information that could be used in future cyberattacks, such as details about business units, network architecture, user accounts and credentials, employee emails, and customer data.

The Winnti APT group to which Cybereason researchers attribute Operation CuckooBees with a moderate to high degree of confidence, is also known as APT 41, BARIUM and Blackfly, and is sponsored by the Chinese government for its discretion, sophistication and focus on stealing technology secrets.

Cybereason comments that it is difficult to estimate the exact number of companies affected by Operation CuckooBees due to the complexity, discretion and sophistication of the attacks.