
Chinese state-sponsored cyber threats are becoming a global menace

Chinese state-sponsored cyber threats continue to wreak havoc on governments around the world. While Russian, North Korean and Iranian state-sponsored cyber actors remain a major concern, the threat posed by Chinese state-sponsored actors appears to be of greater concern globally.

In fact, the United States and international cybersecurity authorities have issued a joint Cybersecurity Advisory (CSA) to highlight a recently discovered cluster of activity of interest associated with a People’s Republic of China state-sponsored cyber actor, also known as Volt Typhoon.

The CSA stated that private sector partners have identified how this activity affects networks across U.S. critical infrastructure sectors, and the authoring agencies believe the actor could apply the same techniques against these and other sectors worldwide.

This advisory from the United States National Security Agency (NSA), the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the U.S. Federal Bureau of Investigation (FBI), the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC), the Communications Security Establishment’s Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NCSC-NZ), and the United Kingdom National Cyber Security Centre (NCSC-UK) provides an overview of hunting guidance and associated best practices to detect this activity.

According to a report by Reuters, Microsoft stated that a state-sponsored Chinese hacking group has been spying on a wide range of U.S. critical infrastructure organizations, from telecommunications to transportation hubs. Microsoft’s report added that the espionage has also targeted the U.S. island territory of Guam, home to strategically important American military bases.

Meanwhile, SecureWorks Counter Threat Unit researchers have attributed this activity to BRONZE SILHOUETTE and have observed the threat group conducting network intrusion operations against US government and defence organizations since 2021.

“From our first-hand observations of BRONZE SILHOUETTE, we determine the group to have a consistent focus on operational security including a minimal intrusion footprint, defence evasion techniques, and use of compromised infrastructure. Think of a spy going undercover: their goal is to blend in and go unnoticed. This is exactly what BRONZE SILHOUETTE does by mimicking the usual network activity. This suggests a level of operational maturity and adherence to a modus operandi that is engineered to reduce the likelihood of the detection and attribution of the group’s intrusion activity,” said Marc Burnard, Senior Consultant, Information Security Research and China thematic lead at Secureworks.

Burnard also stated that the incorporation of operational security, particularly when targeting Western organizations, is consistent with the network compromises that CTU researchers have attributed to Chinese threat groups in recent years.

“These tradecraft developments have likely been driven by a series of high-profile U.S. Department of Justice indictments of Chinese nationals allegedly involved in cyber espionage activity, public exposures of this type of activity by security vendors, which has likely resulted in increased pressure from leadership within the People’s Republic of China to avoid public scrutiny of its cyber espionage activity. China is known to be highly skilled in cyber espionage and BRONZE SILHOUETTE spotlights its relentless focus on adaptation to pursue their end goal of acquiring sensitive information,” added Burnard.

At the same time, Sean Duca, Vice President and Regional Chief Security Officer, Asia Pacific & Japan, Palo Alto Networks, shared his views on what the alerts mean for organisations and how they can effectively face ever-evolving cyberattacks.

“Corporations, governments, and critical infrastructure providers must revise their cybersecurity strategies to address increasingly sophisticated threats, integrating host- and network-based defences. Ultimately security must work together to protect an organisation better. Relying on endpoint monitoring may allow attackers to evade detection. Network-based defences scrutinise traffic patterns and unexpected communications. The most effective strategies employ both in tandem, using insights from one system to enhance the other.”

State-sponsored cybercrime will only continue to be a menace and a global concern. While governments are taking the necessary steps to deal with this problem, enterprises also need to be well-prepared to deal with these cybercriminals.