U.S. Federal Cybersecurity Advisory: TTPs of Chinese State-Sponsored Cyber Operations

By

Updated July 9, 2021

This is a follow-up to the recent deepwatch announcement “U.S. Federal Cybersecurity Advisory: TTPs of Chinese State-Sponsored Cyber Operations” released on July 19, 2021, summarizing the latest news on this advisory with additional insights from deepwatch.

What Happened?

On Jul 19, 2021, the NSA, FBI, and CISA issued a joint Cybersecurity Advisory on Chinese state-sponsored cybersecurity operations. The joint agencies “assess that the People’s Republic of China state-sponsored malicious cyber activity is a major threat to the U.S and Allied cyberspace assets.” The report also states that “Chinese state-sponsored cyber actors aggressively target U.S. and allied political, economic, military, educational, and critical infrastructure (CI) personnel and organizations to steal sensitive data, critical and emerging key technologies, intellectual property, and personally identifiable information (PII).”

Known targeted sectors have included: 

  • managed service providers, 
  • semiconductor companies, 
  • the Defense Industrial Base (DIB), 
  • universities, and 
  • medical institutions.

What’s New?

On July 19th, the US Justice Department also announced an indictment in May of four APT40 threat actors associated with China’s MSS Hainan State Security Department. Coinciding with this announcement, CISA and the FBI “released a Joint Cybersecurity Advisory containing these and further technical details, indicators of compromise (IOCs), and mitigation measures” regarding APT40’s cybersecurity threat operations.

The APT40-related joint advisory and the TTPs of Chinese State-Sponsored Cyber Operations joint advisory were both reported on July 19th and have significant overlap in observed TTPs and mitigation measures. The APT40 advisory lists IOCs, but please note that these IOCs are from 2011 to 2018 and contain MD5 hashes of legitimate tools; as such, deepwatch does not view these IOCs as actionable intelligence.

Though the provided IOCs are considered stale and unactionable, the tactics and techniques presented in both of the advisories highlight TTPs utilized by Chinese state-sponsored threat actors but are not necessarily unique to Chinese threat actors. 

What is deepwatch doing with these advisories?

deepwatch MDR

Even though the Chinese state-sponsored threat actors do not traditionally target all of our customers’ industry verticals, deepwatch recognizes that the tactics and techniques mentioned in the joint advisories are not unique to just Chinese state-sponsored threat actors.

Because of this recognition, deepwatch has compared the tactics and techniques presented in these advisories to our current, global detections. deepwatch has assessed and prioritized global detection rule development that will be deployed in future security content releases.

In addition to global, out-of-the-box detections, deepwatch provides local – or custom – alerts that are specific to your unique environment and your organization’s unique concerns. As such, your Squad’s Detection Engineer has a comprehensive view of your organization’s detection coverage.

Your deepwatch Squad is your organization’s partner; if your organization has any specific concerns that you have not already brought up to your Squad, then please speak with your Squad Manager or Squad Detection Engineer.

deepwatch VM and MEDR

Chinese state-sponsored threat actors scan target networks for critical and high vulnerabilities within days of the vulnerability’s public disclosure. deepwatch’s Vulnerability Management (VM) service provides patch management advice and prioritization to mitigate threat actors from exploiting known vulnerabilities. deepwatch also identifies and assists in remediating tactics within the MITRE ATT&CK framework.

deepwatch’s Managed Endpoint Detection and Response (MEDR) service offering manages your endpoint solution, builds policies that make the most sense for your business, and develop automated responses to security threats like those listed in the joint Cybersecurity Advisories to ensure quick containment of attacks and deep investigations of the root cause.

What Can You Do?

deepwatch recommends implementing the four recommendations the joint Cybersecurity Advisories provide to protect your organization. See the table below for those recommendations and for deepwatch’s insight.

Joint Cybersecurity Advisory Recommendations deepwatch’s Insight
  1. Patch systems and equipment promptly and diligently.
We know this is easier said than done, which is exactly why deepwatch offers a Vulnerability Management (VM) service offering. deepwatch’s VM service works with your organization to build consensus on how vulnerabilities will be identified, prioritized, and remediated.
  1. Enhance monitoring of network traffic, email, and endpoint systems.
Detection capabilities are only as good as the defender’s visibility into your environment, which is why deepwatch’s MDR offering uses a patent-pending Maturity Model score to help drive greater visibility and detection capabilities within your environment. 

deepwatch’s MDR offering also provides named resources, such as a Squad Detection Engineer to aid in detection strategy and a Threat Hunter to complement current detections. If you have specific concerns you haven’t brought up to your Squad yet, then please reach out to your Squad Manager or Customer Success Manager; we’re here to help. 

  1. Use protection capabilities to stop malicious activity.
The cybersecurity advisory recommends that organizations use anti-virus software, endpoint protection platforms, network intrusion detection and prevention systems, a domain reputation service, enable multi-factor authentication for remote access, and finally implement a strong password policy for service accounts.

deepwatch’s Endpoint Detection and Response (EDR) security service works to ensure your EDR platform’s detection capabilities are kept up-to-date. 

  1. Protect credentials
Protect your organization’s credentials via policy-based actions (e.g., enforcing the principle of least privilege, implementing MFA, ingest authentication, and access logs to your SIEM).

Additionally, as a deepwatch MDR customer, we deploy alerts custom to your environment; and, our MDR service offers many out-of-the-box detections around abnormal or suspicious authentication attempts. 

 

As a final recommendation, your deepwatch Squad is your organization’s partner. If your organization has any specific concerns that you have not already brought up, then please speak with your deepwatch Squad.

Resources


Original Briefing

Overview

deepwatch is monitoring the following U.S. Federal Cybersecurity Advisory jointly issued today by the NSA, CISA, and FBI. We’ve summarized the information you need to know now below. For more information on what you can do, read the summary below, consider the three recommendations from the Federal advisory, and reach out to your Squad with questions.

Meanwhile, deepwatch will continue to monitor this joint advisory and future related updates for customers and incorporate any threat intelligence into your existing services.

What Happened

On Jul 19, 2021, the NSA, FBI, and CISA issued a joint Cybersecurity Advisory on Chinese state-sponsored cybersecurity operations. The joint agencies “assess that the People’s Republic of China state-sponsored malicious cyber activity is a major threat to the U.S and Allied cyberspace assets.” The report also states that “Chinese state-sponsored cyber actors aggressively target U.S. and allied political, economic, military, educational, and critical infrastructure (CI) personnel and organizations to steal sensitive data, critical and emerging key technologies, intellectual property, and personally identifiable information (PII).”

Known targeted sectors have included: 

  • managed service providers, 
  • semiconductor companies, 
  • the Defense Industrial Base (DIB), 
  • universities, and 
  • medical institutions.

Chinese State-Sponsored TTPs

The joint Cybersecurity Advisory provides an overview of how Chinese state-sponsored threat actors are performing resource development, how they are initially infiltrating a victim’s network, and how command and control communications occur post-compromise.

Resource Development 

Chinese state-sponsored threat actors were reported to rotate between a series of virtual private servers (VPS) and leverage commercial penetration tools.

Initial Access 

These threat actors are constantly scanning the internet for publicly-known vulnerabilities and exploiting them to gain initial access into a victim’s network.

Command and Control

Post-compromise, Chinese state-sponsored threat actors commonly utilize VPS and small office home office (SOHO) devices to evade detection.

Additionally, the advisory provides a breakdown of TTPs by MITRE ATT&CK tactics and techniques, along with associated detection and mitigation recommendations. The following are tactics and associated techniques known to be utilized by Chinese state-sponsored threat actors:

Tactic Known Techniques
Reconnaissance Active Scanning

Gather Victim Network Information 

Resource Development Acquire Infrastructure

Stage Capabilities

Obtain Capabilities

Initial Access Drive By Compromise

Exploiting Public-Facing Application

Phishing

External Remote Services

Valid Accounts

Execution Command and Scripting Interpreter

Scheduled Task/Job

User Execution

Persistence Hijack Execution Flow

Modify Authentication Process

Server Software Component

Create or Modify System Process

Privilege Escalation Domain Policy Modification

Process Injection

Defense Evasion Deobfuscate/Decode Files or Information

Indicator Removal from Host

Signed Binary Proxy Execution

Credential Access Exploitation for Credential Access 

OS Credential Dumping

Discovery File and Directory Discovery

Permission Group Discovery

Process Discovery

Network Service Scanning

Remote System Discovery

Lateral Movement Exploitation of Remote Services
Collection Archive Collected Data

Clipboard Data

Data Staged

Email Collection

Command and Control Application Layer Protocol

Ingress Tool Transfer

Non-Standard Port

Protocol Tunneling

Proxy

 

More information can be found in the advisory’s Appendix A.

CISA Recommendations

The joint Cybersecurity Advisory provides the following recommendations for organizations to protect themselves:

Patch systems and equipment promptly and diligently.

Because Chinese state-sponsored threat actors are leveraging publicly-known vulnerabilities to gain initial access into a victim’s network, patch your public-facing systems and focus on vulnerabilities that allow for remote code execution (RCE) or for denial of service (DoS).

Enhance monitoring of network traffic, email, and endpoint systems.

Phishing remains a prominent attack vector for script kiddies and state-sponsored threat actors alike; restrict email attachments and enable URL blocking in your environment. Enhance your organization’s detection capabilities by ensuring your security team and your Managed Detection and Response team have adequate visibility into your organization’s network and endpoints.

Use protection capabilities to stop malicious activity.

The cybersecurity advisory recommends that organizations use anti-virus software, endpoint protection platforms, network intrusion detection and prevention systems, a domain reputation service, enable multi-factor authentication for remote access, and finally implement a strong password policy for service accounts.

What Has deepwatch Done?

Managed Detection & Response

deepwatch’s Managed Detection & Response (MDR) service offering deploys numerous detections out of the box, which covers a wide array of tactics and techniques. deepwatch also leverages our threat intelligence platform to provide up-to-date indicators that feed a variety of threat intelligence-based detections. deepwatch develops detections andin a way that allows for our rules to catch a variety of threat actors, whether they are state-sponsored or not. deepwatch also performs detection analysis within our own infrastructure.

It is recommended that you coordinate with your squad manager or squad detection engineer for proper observation of specific TTPs.  Should you need to review a comprehensive list of alerts and their coverage, your squad detection engineer can provide this list. 

For any other concerns around detections and detection strategy as they relate to Chinese state-sponsored threat actors or threat detection in general, please reach out to your squad who can work with you on the strategy that fits your needs.

Vulnerability Management

deepwatch’s Vulnerability Management service works with you to build consensus on how vulnerabilities will be identified, prioritized, remediated, and measured. deepwatch provides patch management advice and prioritization to stop threat actors from exploiting known vulnerabilities to breach networks or to laterally move within networks. deepwatch also identifies and assists in remediating tactics within the MITRE ATT&CK framework.

Managed Endpoint Detection and Response

deepwatch’s Endpoint Detection and Response (EDR) security service works to ensure your EDR platform’s detection capabilities are kept up-to-date. 

What Can Customers Do?

It is recommended that you coordinate with your squad manager or squad detection engineer for proper observation of specific TTPs. If you need to review a comprehensive list of alerts and their coverage, your squad detection engineer can provide this list. 

For any other concerns around detections and detection strategy as they relate to Chinese state-sponsored threat actors or threat detection in general, please reach out to your squad who can work with you on the strategy that fits your needs.

Resources

Subscribe to the deepwatch Insider Blog