Chinese national flag on circuit board showing Chinese hackers cyber attacks

Chinese Hackers Targeting Outer Layers of Networks for Cyber Attacks, Using New Malware for “Multi-Year” Intrusions

A new report from Google’s Mandiant finds that Chinese hackers are now focusing on the outer layers of target networks, even antivirus software and firewalls, as an entry point for cyber attacks and a place to dwell for years while evading detection.

The Chinese hackers are directing these attacks at large data-holding targets that are of the greatest interest to government intelligence operations, in some cases deploying new malware or making use of zero-days to compromise software that might have otherwise been assumed to be secure.

Multi-year campaigns by Chinese hackers have compromised popular security tools

Mandiant is warning that the Chinese hackers have found ways to compromise a number of major security and network tools published by the likes of Citrex, Fortinet, SonicWall and VMWare. The researchers also believe that these cyber attacks are more expansive than anyone is aware of, and more software will likely turn out to be compromised in the future.

The Chinese hackers are preying on software and devices located beyond the firewall, largely shifting away from even attempting to break through. These are elements that generally have no endpoint security or antivirus software protecting them; sometimes it is the antivirus software or the firewall itself that is the target. But the cyber attacks also focus on an assortment of devices and apps that commonly need to operate with little to no protection on the network: VPNs, Internet of Things (IoT) devices and hypervisors as a few of the most common examples.

Mandiant has attributed the intrusions to state-backed Chinese hackers based on a number of pieces of evidence: the long dwell times, the types of information that they focus on stealing, the types of malware that are deployed, and the fact that these are long-term operations that require resources above and beyond that of typical cyber criminal groups. Mandiant additionally says that these threat actors are focused on government agencies, tech and telecommunications companies. As is always the case, China denies that the government sponsors cyber attacks of this nature.

In one case, taking place in mid-2022, the Chinese hackers broke into an organization by using a FortiGate firewall zero-day and then used tools designed to exploit the FortiManager device management platform. In this case, the victim’s security staff noticed the initial incursion and applied new restrictions to FortiManager access to thwart the attackers. The Chinese hackers got around this by deploying a network traffic redirection utility and reverse shell backdoor using their existing access.

Similar cyber attacks from China date back to 2006

Mandiant has not directly attributed the attacks to a known APT group (labeling the attackers as “UNC3886”), but there is some similarity to the APT1 group that has been active since 2006. The group has since compromised at least 141 victims using about 40 malware families, and possesses an extensive infrastructure of thousands of systems that supports its cyber attacks.

In late 2021 Mandiant published a report on APT1’s known activities, in the belief that the group was such a threat that intelligence about it must be openly shared. The Chinese hackers are directed by the People’s Liberation Army (PLA) and generally dwell on target systems for about one year, but have exfiltrated information for as long as four years. The vast majority of the group’s activity is targeted at English-speaking countries, particularly the United States (which has been home to 115 of the group’s 141 known victims), and most heavily targets information technology, aerospace, public administration, satellite and scientific research organizations.

Advanced hackers that are seeking to dwell on a target system long-term and quietly exfiltrate information often look first to administrative tools when they plan their cyber attacks. If everyday admin tools can be compromised, the chances of discovery go way down as these tools live in memory and create very few new files that can be flagged by defensive systems as potential sources of suspicious activity.

Mark Bowling, VP of Security Response Services at ExtraHop, shares his thoughts on what can be done to curtail these sorts of high-end cyber attacks that focus on stealth: “So, what should we do?  First, we must ensure that our networks have the kind of internal visibility that cannot be disabled.  Full network visibility is absolutely necessary now to observe, understand, and stop post-compromise cyber-attacks. This is especially necessary when we realized that firewalls are now being compromised by zero-day exploits. The perimeter is breached by sophisticated actors engaging in supply chain attacks. Even though the traditional network has been transformed to accelerate digital business, the entire network and endpoint security framework has not transformed accordingly.”

“The next generation of network detection and response must forge a new echelon of network monitoring capabilities that create complete network transparency across the entire hybrid attack surface, particularly within the entire enterprise network, including cloud hosted networks. In doing so, defenders can ensure that insidious adversaries have nowhere to hide in our own networks,” recommended Bowling.

Chinese hackers have been highly active for decades now, but have been both expanding their geographic focus and coming up with creative new techniques as of late. The state-backed teams have been linked to the theft of at least $20 million in Covid-19 relief funds from the US, and in 2022 were also caught using ransomware as a decoy to cover the tracks of spy operations. These threat groups are also thought to have turned against domestic targets on occasion; a Chinese APT group was linked to a September 2022 attack on MiMi, a chat app that is almost exclusively used in China. The hackers took control of MiMi download servers, inserted a malware backdoor into legitimate downloads of the app, and let unwitting users be infected for months.