China cyber attacks: the current threat landscape

Editor's note: This post, originally by Adam Hlavek on Jan. 10, 2021, includes updates from March 1 and April 6, 2021. 

The latest China cyber attacks:

Over the past two decades, the People’s Republic of China (PRC) has capitalized on the global connectivity of the internet age in ways no other nation has. Once regarded as a “second-tier” cyber power, China has aggressively and consistently built its national cyber program to the point where it is now considered one of the world’s preeminent cyber players. A recent study ranked China as a “Most Comprehensive Cyber Power,” second only to the United States. The ruling Chinese Communist Party (CCP) used a multi-pronged strategy to achieve this remarkable ascent, prioritizing computer science and technology education within China and creating a pipeline of talent for cyber military operations. 

HAFNIUM attacks on Microsoft Exchange servers

Dominating the headlines of Chinese cyber attacks is the on-premises Microsoft Exchange server attack, presumed to be carried out by the Chinese APT HAFNIUM. This group has been identified as exploiting Exchange servers through a collection of several zero-day vulnerabilities. The supposed motive behind this attack aligns with the typical strategy of Chinese cyber attacks: intellectual property theft. The four vulnerabilities affect unpatched on-premises Microsoft Exchange servers, versions 2013 to 2019, excluding only Exchange Online (Office 365). You can read IronNet's detailed analysis and response in our blog "HAFNIUM Targets Microsoft Exchange Zero-Day Vulnerabilities."

Linux attacks / RedXOR

In the most recent news, a new sophisticated backdoor targeting Linux endpoints and servers was discovered by security researchers at Intezer in early March, and its TTPs indicate it is the work of high-profile Chinese threat actors. Dubbed RedXOR, the backdoor masquerades as a polkit daemon (polkit is a toolkit that allows unprivileged processes to communicate with privileged processes), and it is very similar to malware associated with the Winnti Umbrella, a term used to describe a collective of state-backed hacking groups linked to Chinese government interests. The operation is believed to be ongoing, as researchers observed "on and off" availability of the C2 server. The malware samples were first uploaded from Indonesia and Taiwan, two countries known to be heavily targeted by Chinese APTs. The samples were compiled with a legacy GCC compiler on an old version of Red Hat Enterprise Linux, indicating that RedXOR is used in targeted attacks against legacy Linux systems. It is packaged with the usual suite of tools, including the ability to gather system information, perform file operations, run arbitrary shell commands, and even remotely update the malware.

Of note: Victim types and motivations have not been indicated in reports, but the groups that fall under the Winnti Umbrella share an arsenal of malicious tools used in cyber espionage and financially motivated attacks, and researchers have noted a large increase in unique Linux malware tools tailored for espionage operations.


Additional China cyber attack threat campaigns

To summarize the threat at a more tactical level, the following sections highlight several of the most recent and notable Chinese state-sponsored campaigns uncovered by cybersecurity researchers. Each section identifies a sample of the countries and sectors targeted by a given group, and the behaviors or tactics, techniques, and procedures (TTPs) utilized to succeed in their objectives. Footnotes provide links to further, more detailed, reading. 

APT31

Overview:

APT31 is a Chinese state-sponsored cyber espionage group focused primarily on acquiring information that can provide political, economic, and military advantages to the Chinese government and state-owned enterprises. Active since at least 2013, APT31 conducts mainly intellectual property theft and espionage operations using a range of tools and techniques to infect target systems, steal credentials, and move laterally within a compromised network. APT31 targets numerous organizations in various sectors, often seeking intellectual property, information that provides a commercial advantage, or sensitive details about government and defense targets of interest. 

Recent Activity:

In February 2021, it was reported that APT31 cloned and used a Windows-hacking tool, code-named EpMe, that was originally created by the Equation Group — an APT with links to various branches of the NSA. Essentially, APT31 extracted the core functionality of the tool and created its own replication, known as “Jian” or “double-edged sword,” around the exploits included in EpMe. What is concerning (and remarkable) about this reconstructed EpMe tool is that evidence points to the exploit first being used in 2014 — almost three years before it became publicly available with the Shadow Brokers dump and was patched by Microsoft. 

Jian was first discovered on a U.S.-based network by security researchers at Lockheed Martin, indicating that the tool has largely been used against U.S. targets. Evidence suggests that APT31 managed to access both the 32-bit and 64-bit samples of the EpMe Equation Group exploit and replicate them to construct Jian, then used the new version of the exploit alongside their unique multi-staged packer. However, Jian is much less sophisticated than EpMe and contains many quirks, such as support for Windows 2000 even though Windows 2000 was never vulnerable to the exploit, indicating that the operators did not fully understand the true nature of the exploited vulnerability and its associated limitations.

The Finnish government officially accused APT31 of hacking into the Finnish parliament in 2020, describing the attack as “aggravated espionage” and “message interception” in order to further Chinese interests. The attack, which led to the compromise of some parliament email accounts, is currently being investigated by the Finnish National Bureau of Investigation (NBI). The threat group has also been accused of targeting the Joe Biden presidential campaign with malicious spearphishing emails that impersonated anti-virus software company McAfee and used legitimate services, like DropBox, in an attempt to steal staffers’ credentials and infect them with malware.

Known Targets

Numerous sectors, including legal and consulting, telecommunications, software development, construction and engineering, and aerospace and defense as well as governmental entities in the U.S. and northern European countries, and government and defense supply chain networks

Sample TTPs

  • Sophisticated targeted spearphishing
  • Attacker-controlled URL web beacons sent via email text or attachment
  • Impersonation of legitimate software, such as McAfee anti-virus software and Oracle, to load malicious code 
  • Leveraging of popular code and file-sharing sites, specifically GitHub and Dropbox, for their C2 domains to complicate network-based detection
  • Use of the China Chopper webshell for initial compromise and persistence, uploaded to a target web server via a SQL injection or WebDAV vulnerability
  • DLL search-order hijacking to run a malicious downloader tool (e.g., HanaLoader) that retrieves and runs payloads over HTTPS

AKA

Zirconium, Judgment Panda, Hurricane Panda, BRONZE VINEWOOD, Red Bravo


BlackTech

Overview:

BlackTech is a threat group known primarily for conducting cyber espionage operations against targets in East Asia, with a focus on Taiwan and Japan. The group has likely been active for a number of years and is responsible for several separate campaigns leveraging overlapping infrastructure. BlackTech often abuses legitimate software tools and processes to achieve its goals, using stolen digital certificates and API hooking among other techniques.

Recent Activity: 

Recent reporting confirms that BlackTech remains active and has continued to develop new custom malware. Researchers at Symantec, who track this group as Palmerworm, noted BlackTech activity throughout 2019 and 2020 with the group leveraging new strains of malware to target multiple sectors in Taiwan, Japan, and China. 

To date, no private sector cybersecurity companies have publicly attributed activity to BlackTech. However, in August of 2020, the Taiwanese government asserted that the group was working on behalf of the Chinese Communist Party and had been involved in cyber operations targeting multiple Taiwanese government and commercial entities.

Known Targets

Technology, engineering, finance, and government sectors in Taiwan, Japan, Hong Kong, and the U.S., with a focus on East Asia.

Sample TTPs

  • Various custom backdoors, including the well-documented PLEAD (also tracked as TSCookie)
  • Deployment of PLEAD using compromised legitimate software, potentially via compromised routers and man-in-the-middle attacks
  • Use of legitimate system tools (PuTTY, PsExec, etc.) for malicious purposes (i.e., "living-off-the-land" tactics)
  • Use of the DLL-hijacking Waterbear modular malware

AKA

Palmerworm, CIRCUIT PANDA

 

APT41 / Winnti

Overview:

APT41 represents one of the most prolific Chinese state-sponsored threats. Incarnations of APT41 began to appear in the early 2010s, and the group is believed to have been behind intrusions into a wide variety of sectors, including the healthcare, pharmaceutical, telecommunications, and video game industries, with victims on nearly every continent. Over the years, the group has leveraged a variety of custom malware, including a Trojan that came to be known as Winnti.

The group is probably best known for a series of software supply chain attacks where the threat actors obtain access to software provider systems and inject malicious code into the victim’s legitimate software, often managing to distribute the poisoned software through the victim’s established channels. Such attacks are especially challenging to detect and mitigate from a consumer perspective, as end users and system administrators invariably trust software that has been downloaded directly from the publisher. Notably, some of the individuals comprising APT41 appear to have engaged in not just state-sponsored espionage, but have also dabbled in operations designed to reap personal financial gain.

There is notable overlap and a significant lack of clarity within the commercial cybersecurity community on precisely which groups are behind the many intrusions that have been lumped together under the Winnti umbrella. Some notable software supply chain attacks that have been potentially linked to the group by various cybersecurity researchers include the CCleaner, NetSarang, and Asus Live Update compromises. Given the history of software tool sharing amongst Chinese threat actors and the likelihood that multiple state-sponsored actors are targeting similar sets of victims, it becomes quite difficult to determine exactly which group may be behind a given intrusion, especially given the limited visibility that any one victim or vendor may have. In any case, the overarching tactics and targets described above can safely be ascribed to PRC cyber operators, regardless of how specifically each discrete intrusion can be attributed.

Recent Activity: 

Another large-scale APT41 campaign occurred in early 2020, once again affecting a wide variety of industries in multiple global regions. The operators appeared to be systematically leveraging a number of recently identified high-severity vulnerabilities, specifically in Cisco routers, Citrix infrastructure devices, and Zoho ManageEngine Desktop Central, an endpoint management software tool. Notably, the Citrix and Zoho vulnerabilities were also highlighted in a recent NSA advisory detailing publicly known vulnerabilities actively exploited by Chinese state-sponsored actors.

The U.S. Department of Justice (DOJ) also shone a light on APT41 in September of 2020, unsealing three indictments that brought charges against five Chinese nationals and two Malaysians for a sweeping series of network intrusions. The DOJ linked the activity to a Chinese company known as Chengdu 404 Network Technology, which likely operates at the behest of the Chinese Ministry of State Security. The indictments stated that the hackers were responsible for intrusions across over 100 victim organizations in numerous countries. One of the indictments charged the two Malaysian individuals with profiting from information stolen from video game companies that was provided to them by Chinese actors. Both men were apprehended by Malaysian authorities. The operators apparently also participated in ransomware and crypto-jacking attacks, which highlight the type of for-profit criminal endeavors the group has undertaken apart from their more traditional information gathering operations.

Known Targets

Numerous sectors, including healthcare, media, and video games with multiple countries targeted, including the U.S., Japan, South Korea, India, Australia, and the U.K.

Sample TTPs

  • Software supply chain attacks which modified legitimate software to facilitate intrusions against the software's customers
  • Use of stolen digital certificates to sign malware
  • Command and control (C2) dead drops leveraging seemingly legitimate web pages to surreptitiously pass encoded instructions to deployed malware
  • Exploitation of remote access or internet facing services to gain initial access to victim networks

AKA

Barium, Winnti, Wicked Panda, Wicked Spider

 

APT40

Overview:

Likely active since at least 2013, APT40 is a Chinese threat group with a predominant focus on nations and issues related to the South China Sea, a region the PRC has claimed territorial sovereignty over despite numerous disputes. The group has repeatedly targeted shipbuilding, maritime, and engineering entities, as well as government and academic institutions within multiple countries bordering the South China Sea. The group has leveraged a variety of malicious software, including publicly available tools such as Cobalt Strike and custom tools, some of which overlap with other known Chinese groups. Analysis of data obtained from APT40 infrastructure showed malware administrators accessing the group’s servers from Hainan, China, which strongly suggests Chinese state sponsorship when coupled with the group’s targeting patterns. 

Recent Activity: 

Recent analysis released by Microsoft indicates that APT40 threat actors have on multiple occasions attempted to use cloud-native services within Azure to conduct malicious C2. Although the activity was identified and disrupted, the threat actors appear to have specifically designed malware to abuse proprietary cloud services including the Outlook Task API, OneDrive API, and Microsoft Graph API.

APT40 was also among the Chinese groups Taiwan publicly accused of targeting multiple Taiwanese government agencies, alongside BlackTech, Mustang Panda, and other groups. This coincides with particularly aggressive Chinese cyber targeting of Taiwan's technology sector witnessed over the past couple of years. Early 2020 also saw the Malaysian Computer Emergency Response Team (CERT) issue an advisory linking APT40 to an espionage campaign targeting Malaysian government officials.

Known Targets

U.S., Western Europe, Cambodia, Malaysia, and Taiwan with a focus on engineering, healthcare, government, maritime, and academic sectors

Sample TTPs

  • Highly targeted spearphishing
  • Frequent use of web shells (such as China Chopper) and common web protocols for C2
  • Use of legitimate remote services such as SSH and RDP to conduct reconnaissance and move laterally within victim networks
  • Attempts to abuse proprietary Microsoft Azure cloud services

AKA

GADOLINIUM, Leviathan, TEMP.Periscope

 

Mustang Panda

Overview:

Mustang Panda is a Chinese state-sponsored threat group with a history of targeting various NGOs (non-governmental organizations), minority groups, and political entities within the Southeast Asian region. The group has also been noted targeting Western think tanks and NGOs with a nexus to Chinese minority groups. The group has likely been active since at least 2017. 

Mustang Panda frequently relies on phishing lures centered around themes directly relevant to their targeted victims. These lures use official-looking documents written in the target’s native language and containing information that would prompt the victim to open the attached document. These decoy documents frequently contain a .zip archive that executes a malicious loader when opened. This leads to the installation of the venerable PlugX malware or a Cobalt Strike Beacon.

Recent Activity: 

In the summer of 2020, Recorded Future reported newly identified activity related to Mustang Panda, which they track as RedDelta. Notably, the group targeted a number of organizations related to the Catholic Church. The researchers surmised that this activity was likely connected to the renewal of an agreement between the Vatican and the CCP and was likely designed to provide insights into the upcoming negotiations (a tactic often used by the Chinese government in political or business contexts). 

Despite the campaign being identified in this way, it appears the threat actors resumed activity within days of the RedDelta report’s publication. Additional research shows the group has remained active into Fall 2020 and has updated the malware loader they use to install their favored PlugX Remote Access Trojan (RAT).

Known Targets

Government entities, NGOs, and religious organizations in Mongolia, Hong Kong, Vietnam, Burma, India, and Pakistan; NGOs and think tanks abroad with a nexus to Southeast Asia and Chinese minority groups

Sample TTPs

  • Use of multiple versions of the PlugX and Poison Ivy malware shared amongst Chinese threat actors
  • Infection chains delivering .zip files containing Windows Shortcut (.lnk) files, which in turn execute malicious code leading to the installation of PlugX or Cobalt Strike
  • The use of DLL side-loading tactics to install malicious software

AKA

RedDelta, TA416, BRONZE PRESIDENT

 

TA410

Overview:

In July 2019, several U.S. utility companies were targeted with a well-designed spearphishing campaign that impersonated a legitimate engineering licensing board to deliver the LookBack malware. This campaign was attributed to a group tracked as TA410, who proceeded to conduct a follow-on campaign once again targeting U.S. electric utilities in August of that year. Later media reports indicated that several smaller, regional public power utilities were among those targeted and that some were apparently unaware they had been targeted at all until they were informed by the FBI. 

Recent Activity: 

Additional analysis later linked the LookBack phishing campaigns to another malware family dubbed FlowCloud. These two campaigns share a number of tactics, including the timeframes they were active, the use of malicious attachments contained in phishing emails, the installation techniques used, and overlapping infrastructure. Like LookBack, the FlowCloud campaign appears to have targeted victims in the utilities sector using well-crafted phishing emails impersonating professional organizations within the industry such as the American Society of Civil Engineers. 

Notably, the researchers investigating TA410 identified similarities to the tactics used by TA429 (also known as APT10: see below). However, it is not fully clear whether the two groups’ activity is truly related or whether this may have been a deliberate attempt by those responsible to plant "false flags" to help hide those behind the campaigns. The attempt to hide the campaign actors makes sense especially given the widespread media attention focused on APT10 due to the publication of multiple reports on the group and a related U.S. indictment of Chinese actors.

Known Targets

U.S. electric utilities

Sample TTPs

  • Sophisticated spearphishing
  • Use of Microsoft Office documents with embedded malicious VBA macros
  • Reconnaissance scanning against targets (specifically SMB)

AKA

None known

 

APT10

Overview:

APT10 is a prolific and long-standing Chinese state-sponsored threat actor that has been active since at least 2006. The group’s focus appears to be access enablement, providing inroads to support commercial and economic espionage against regional and international competitors including Japan, the United Kingdom, and the United States. Like so many threat groups, APT10 has historically used spearphishing tactics to gain initial footholds on victim networks. The operators then rely upon a combination of custom and publicly available hacking tools to move laterally throughout victim networks and establish persistence.

In 2017, details surrounding an APT10 campaign known as Operation Cloud Hopper came to light. The campaign focused on compromising IT managed service providers (MSPs), which are businesses that remotely manage IT infrastructure on behalf of their clients. Compromising these MSPs provided APT10 actors with access to the service providers as well as their customers. The MSPs’ connections to their customer environments were at times used by APT10 to exfiltrate data from within customer environments. 2018 indictments by the U.S. Department of Justice revealed that those behind these campaigns worked for a company operating at the behest of the Ministry of State Security’s Tianjin State Security Bureau. Later media reporting revealed just how widespread and successful this strategy had been, as several major MSPs appear to have been victimized by the group over the span of several years. 

Additional reporting in 2019 asserted that APT10 actors had penetrated at least ten telecommunications or cellular provider companies across the globe in a campaign dubbed Operation Soft Cell. During this campaign, APT10 operators appeared to have been targeting Call Detail Records, which contain metadata regarding individual mobile subscribers including information such as device identifiers, locations, and call history. Such information would be considered highly useful to a foreign intelligence service and fits with APT10’s history of facilitating access to sensitive datasets.

Recent Activity:

The A41APT campaign, attributed to APT10, is a sophisticated campaign that deploys malicious backdoors to exfiltrate information from a number of Japan-linked companies in different industry sectors across the world. The activity was first detected in March 2019 and continued through December 2020, with the latest attacks said to have occurred in January 2021 and JPCERT/CC stating that attacks are still ongoing. The campaign uses a multi-stage attack process, with initial intrusion happening via the exploitation of vulnerabilities in Pulse Connect Secure, a widely used SSL-VPN, in order to hijack VPN sessions. In this campaign, APT10 uses previously undocumented malware, the most notable of which is a loader called Ecipekac, a multi-layer loader module used to deliver as many as three payloads, such as SodaMaster, P8RAT, and FYAnti. IronNet has created TIRs related to this campaign and pushed them to customer environments.

In addition, published research details continued cyber espionage activity being conducted by APT10 operators. This latest research provides evidence of yet another large-scale intrusion campaign targeting multiple global regions and sectors between Fall 2019 and Fall 2020. Most of the victims appear to have a connection to Japanese companies, with the automotive, pharmaceutical, and engineering sectors among those targeted. The campaign once again went after MSPs, the group’s most favored target. During the campaign, APT10 was observed using a variety of dual-use and custom malware, extensively using DLL side-loading techniques to execute their malware and exploiting the recently publicized ZeroLogon vulnerability affecting Microsoft Windows systems.

Known Targets

Telecommunications, defense, construction, engineering, aerospace, and government sectors (among others) in the U.S., Europe, and Japan with a consistent focus on MSPs

Sample TTPs

  • Spearphishing using malicious attachments
  • DLL side-loading techniques
  • Use of publicly available, quasi-legitimate remote access tool Quasar
  • Use of various shared Chinese malware families, including Poison Ivy and PlugX
  • Persistent targeting of MSPs for use as conduits to their customer networks
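DLL side-loading and search-order hijacking recur in the TTP lists above (APT31's HanaLoader, BlackTech's Waterbear, Mustang Panda, and APT10). The following is an added detection example, not IronNet's code or any vendor's detection logic: it scans constructed module-load events (field names assumed to resemble Sysmon Event ID 7) for a signed or system-named DLL being loaded from a user-writable application directory beside its host process, which is the pattern all four groups' side-loading relies on. The System32 baseline and path hints are assumptions a defender would replace with data from a known-good host.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class ImageLoad:
    """One module-load event. Field names loosely follow Sysmon Event ID 7
    (Image / ImageLoaded / Signed); this is an assumed shape, not a real schema."""
    process: str
    dll: str
    process_signed: bool
    dll_signed: bool


# Path fragments indicating a directory an ordinary user can write to (assumption).
USER_WRITABLE_HINTS = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")

# Constructed baseline of module names that live in System32 on a clean host.
# A defender would generate this from a known-good reference image.
SYSTEM32_BASELINE = {"version.dll", "dbghelp.dll", "wtsapi32.dll", "userenv.dll"}


def is_user_writable(path: PureWindowsPath) -> bool:
    """True if the path sits under a location normal users can write to."""
    lowered = str(path).lower()
    return any(hint in lowered for hint in USER_WRITABLE_HINTS)


def side_load_reasons(event: ImageLoad) -> list[str]:
    """Return why an event looks like DLL side-loading; empty list if benign.

    Heuristic: the module is loaded from the same directory as its host
    process, that directory is user-writable, and the module either shadows
    a System32 module name or is unsigned while the host process is signed.
    """
    proc = PureWindowsPath(event.process)
    dll = PureWindowsPath(event.dll)

    # Search-order hijacking works because the application directory is
    # searched before System32, so a load from elsewhere is out of scope.
    # PureWindowsPath equality is case-insensitive, matching NTFS semantics.
    if proc.parent != dll.parent or not is_user_writable(dll.parent):
        return []

    reasons: list[str] = []
    if dll.name.lower() in SYSTEM32_BASELINE:
        reasons.append(f"{dll.name} shadows a System32 module name")
    if event.process_signed and not event.dll_signed:
        reasons.append("signed host process loaded an unsigned module")
    if reasons:
        reasons.insert(0, f"module loaded from user-writable directory {dll.parent}")
    return reasons


def scan(events: list[ImageLoad]) -> dict[str, list[str]]:
    """Map each suspicious module path to the reasons it was flagged."""
    findings: dict[str, list[str]] = {}
    for ev in events:
        reasons = side_load_reasons(ev)
        if reasons:
            findings[ev.dll] = reasons
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Benign: a system process loading a system DLL from System32.
    ImageLoad(r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\version.dll", True, True),
    # Side-loading: a signed vendor binary dropped in Temp picks up an
    # unsigned version.dll sitting beside it instead of the System32 copy.
    ImageLoad(r"C:\Users\alice\AppData\Local\Temp\update\vendor_tool.exe",
              r"C:\Users\alice\AppData\Local\Temp\update\version.dll", True, False),
    # Benign: a user-installed signed app loading its own signed helper DLL.
    ImageLoad(r"C:\Users\alice\AppData\Local\Programs\App\app.exe",
              r"C:\Users\alice\AppData\Local\Programs\App\libhelper.dll", True, True),
    # Unsigned loader in ProgramData loading a DLL that shadows wtsapi32.dll.
    ImageLoad(r"C:\ProgramData\sync\loader.exe",
              r"C:\ProgramData\sync\WTSAPI32.dll", False, False),
]


if __name__ == "__main__":
    for path, why in scan(SAMPLE_EVENTS).items():
        print(path)
        for reason in why:
            print("   -", reason)
```

Running the block flags the Temp and ProgramData loads and leaves the two benign events alone; tuning the path hints and baseline to a given estate is what keeps the false-positive rate acceptable.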

AKA

TA429, Menupass, Red Apollo, Stone Panda, Cicada

 

Collective Defense against China cyber attack threats

As evidenced by the numerous examples of Chinese cyber campaigns waged against commercial, government, and nongovernmental entities around the world, it is clear that China has made cyber espionage a hallmark of its global strategy. Chinese leadership has focused massive resources on building out their nation's cyber capabilities to both secure the Communist Party's preeminence within the country and project power beyond its borders. Organizations working in an immensely broad number of fields have been targeted, ranging from renewable energy to nanotechnology to human rights. These broad and persistent targeting patterns are likely to continue in the years to come.

Chinese tactics, techniques, and procedures have grown in sophistication as well. Once well known for executing “smash and grab” operations seeking to simply steal large amounts of data from their victims as quickly as possible, Chinese threat groups have since evolved. As the case studies above highlight, Chinese threat actors now seek new and novel ways to execute their attacks and hide them from network defenders. Innovation and collaboration have thus become paramount for defenders to identify and prevent such threats.

IronNet’s mission is to provide companies, sectors, and nations with the cutting-edge tools required to defend against sophisticated threats in cyberspace. The behavioral analytics and threat intelligence built into our IronDefense platform provide the unique insights required to detect advanced threat actors, while our IronDome Collective Defense solution allows organizations to collectively defend against such threats using machine-speed correlation of data. We believe that technological innovation and collaboration amongst those seeking to secure cyberspace can ultimately overcome those seeking to divide and exploit it.


About IronNet

Founded in 2014 by GEN (Ret.) Keith Alexander, IronNet Cybersecurity is a global cybersecurity leader that is revolutionizing how organizations secure their networks by delivering the first-ever Collective Defense platform operating at scale. Employing an extraordinarily high percentage of former NSA cybersecurity operators with offensive and defensive cyber experience, IronNet integrates deep tradecraft knowledge into its industry-leading products to solve the most challenging cyber problems facing the world today. Follow IronNet on Twitter and LinkedIn.