
Persistent Chinese Advanced Persistent Threats focus attacks on vital infrastructures and telecommunication networks.

International agencies have issued warnings about Chinese Advanced Persistent Threats (APTs) pursuing prolonged operations to breach critical infrastructure and telecommunications networks.


In a joint cybersecurity advisory, a coalition of international agencies, including the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Department of Defense Cyber Crime Center (DC3), the Australian Signals Directorate's Australian Cyber Security Centre (ASD's ACSC), and others, has detailed ongoing malicious activity by People's Republic of China (PRC) state-sponsored Advanced Persistent Threat (APT) actors.

These APT actors have been conducting malicious operations worldwide since at least 2021, in a deliberate and sustained campaign to gain long-term access to critical infrastructure networks. They target sectors including telecommunications, government, transport, and military infrastructure.

The APT actors employ various tactics to achieve their goals. They collect device configuration files, either from existing network sources or by actively surveying devices, and retrieve them using Trivial File Transfer Protocol (TFTP). They frequently use tunneling protocols such as IPsec and GRE for both command-and-control and exfiltration.

To maintain persistent access, the APT actors disguise their activity and bypass defenses. They abuse peering connections (direct interconnections between networks) to exfiltrate data covertly. They also capture in-transit network traffic by leveraging native router capabilities such as SPAN, RSPAN, or ERSPAN.

APT actors often rely on separate, and sometimes multiple, command-and-control channels to disguise data theft. They target authentication protocols and supporting infrastructure, such as TACACS+ and RADIUS, to enable lateral movement across network devices.
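The tactics described above (configuration collection over TFTP, GRE/IPsec tunnels for C2 and exfiltration, SPAN-style traffic mirroring, and abuse of TACACS+/RADIUS for movement between devices) each leave artifacts a network defender can look for in device configurations and AAA accounting logs. The following Python script is an added example, not code from the advisory or from any of the agencies that issued it. It works on a constructed, simplified IOS-style configuration excerpt and on constructed TACACS+ accounting lines whose format is assumed for this example; the allowlist of approved tunnel peers is also made up.

```python
import re
from collections import defaultdict

# Constructed running-config excerpt in simplified IOS-like syntax (made up for
# this example; not from a real device and not from the advisory).
SAMPLE_CONFIG = """\
interface Tunnel0
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.5
 tunnel mode gre ip
!
interface Tunnel7
 tunnel destination 198.51.100.77
 tunnel mode gre ip
!
monitor session 1 source interface GigabitEthernet0/1 both
monitor session 1 destination interface GigabitEthernet0/3
!
ip tftp source-interface Loopback0
!
"""

# Assumed allowlist of tunnel endpoints the network team actually provisioned.
KNOWN_TUNNEL_PEERS = {"203.0.113.5"}

# Constructed TACACS+ accounting records in an assumed syslog-like format.
SAMPLE_AAA_LOG = """\
2024-05-01T02:14:07Z rtr-core-02 tacacs: user=svc-backup src=10.0.9.15 cmd="show running-config" result=PASS
2024-05-01T02:15:40Z rtr-core-02 tacacs: user=svc-backup src=10.0.9.15 cmd="copy running-config tftp:" result=PASS
2024-05-01T02:16:02Z rtr-edge-01 tacacs: user=svc-backup src=10.0.9.15 cmd="show running-config" result=PASS
2024-05-01T02:16:55Z rtr-edge-05 tacacs: user=svc-backup src=10.0.9.15 cmd="monitor session 2 destination interface Gi0/9" result=PASS
2024-05-01T09:00:12Z rtr-core-02 tacacs: user=alice src=10.0.1.20 cmd="show ip route" result=PASS
"""

LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<device>\S+) tacacs: user=(?P<user>\S+) src=(?P<src>\S+) '
    r'cmd="(?P<cmd>[^"]*)" result=(?P<result>\S+)$'
)
# Commands associated with configuration collection and traffic mirroring.
COLLECT_RE = re.compile(r"(copy running-config|show running-config|tftp|monitor session)")


def parse_tunnels(config):
    """Return one dict per 'interface Tunnel<N>' block with its mode and destination."""
    tunnels, current = [], None
    for line in config.splitlines():
        m = re.match(r"^interface (Tunnel\d+)\s*$", line)
        if m:
            current = {"name": m.group(1), "mode": None, "destination": None}
            tunnels.append(current)
            continue
        if not line.startswith(" "):  # a non-indented line ends the interface block
            current = None
            continue
        if current is not None:
            m = re.match(r"^\s+tunnel mode (.+)$", line)
            if m:
                current["mode"] = m.group(1).strip()
            m = re.match(r"^\s+tunnel destination (\S+)$", line)
            if m:
                current["destination"] = m.group(1)
    return tunnels


def review_config(config, known_peers):
    """Flag tunnels to unapproved peers, SPAN-style mirroring sessions and TFTP
    settings. Returns a list of (severity, description) tuples."""
    findings = []
    for t in parse_tunnels(config):
        if t["destination"] and t["destination"] not in known_peers:
            findings.append(("high", f"{t['name']}: {t['mode']} tunnel to unapproved peer {t['destination']}"))
    for line in config.splitlines():
        if re.match(r"^monitor session \d+ (source|destination)", line):
            findings.append(("medium", f"traffic mirroring configured: {line.strip()}"))
        elif line.startswith(("ip tftp ", "tftp-server ")):
            findings.append(("low", f"TFTP in use: {line.strip()}"))
    return findings


def parse_aaa_log(text):
    """Parse the assumed accounting format; lines that do not match are skipped."""
    return [m.groupdict() for m in map(LOG_RE.match, text.splitlines()) if m]


def detect_lateral_movement(records, min_devices=3):
    """Return {user: sorted devices} for accounts that issued commands on at least
    min_devices distinct network devices."""
    seen = defaultdict(set)
    for r in records:
        seen[r["user"]].add(r["device"])
    return {u: sorted(d) for u, d in seen.items() if len(d) >= min_devices}


def config_collection_events(records):
    """Return (device, user, cmd) for commands that pull configs or set up mirroring."""
    return [(r["device"], r["user"], r["cmd"]) for r in records if COLLECT_RE.search(r["cmd"])]


if __name__ == "__main__":
    for sev, text in review_config(SAMPLE_CONFIG, KNOWN_TUNNEL_PEERS):
        print(f"[{sev}] {text}")
    recs = parse_aaa_log(SAMPLE_AAA_LOG)
    print("lateral movement:", detect_lateral_movement(recs))
```

The config review is only as good as the allowlist: a tunnel or mirroring session that the network team provisioned legitimately will still be flagged unless it is recorded in `KNOWN_TUNNEL_PEERS` or an equivalent inventory, so the output is a review queue rather than an alert feed. The AAA heuristic is deliberately simple (distinct devices per account) and should be tuned per environment; automation accounts that legitimately touch every device need their own baseline.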

Several China-based entities, including Sichuan Juxinhe Network Technology, Beijing Huanyu Tianqiong Information Technology, and Sichuan Zhixin Ruijie Network Technology, are linked to these activities. These companies provide tools used by groups such as Salt Typhoon, which is state-sponsored and targets telecommunications, government, transport, and military infrastructures worldwide.

The stolen data enables Chinese intelligence agencies to monitor and track communications and movements worldwide. APT actors successfully exploit widely known vulnerabilities and other preventable weaknesses in compromised infrastructure.

Organizations should carefully plan the sequencing of response actions to maximize the likelihood of complete eviction while ensuring compliance with laws, regulations, and data breach notification requirements. If malicious activity is suspected or confirmed, organizations should comply with mandatory reporting requirements to regulators and relevant authorities.

To prevent unauthorized access and data exfiltration, firmware and software integrity checks are critical. The advisory urges network defenders in critical infrastructure to conduct proactive threat hunting and incident response. It is essential to stay vigilant and informed about the latest threats and best practices for cybersecurity.
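As an added example of the integrity check the paragraph above calls for (not code from the advisory or from any vendor), the following Python script verifies a directory of firmware or software images against a `sha256sum`-style manifest and reports the four outcomes a practitioner needs to distinguish: a matching image, a tampered image, an image the manifest lists but that is absent, and a file present on disk that the manifest does not cover. The images and the manifest are constructed in a temporary directory purely for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large images do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text):
    """Parse 'sha256sum'-style lines ('<hex>  <filename>') into {filename: hex}."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        name = name.lstrip("*")  # sha256sum marks binary mode with a leading '*'
        if len(digest) != 64 or not name:
            raise ValueError(f"malformed manifest line: {line!r}")
        expected[name] = digest.lower()
    return expected


def verify_images(image_dir, manifest_text):
    """Compare every file in image_dir against the manifest. Returns a dict with
    'ok', 'mismatch', 'missing' (listed but absent) and 'unlisted' (present but
    not covered by the manifest)."""
    expected = parse_manifest(manifest_text)
    present = {p.name: p for p in Path(image_dir).iterdir() if p.is_file()}
    result = {"ok": [], "mismatch": [], "missing": [], "unlisted": []}
    for name, digest in expected.items():
        if name not in present:
            result["missing"].append(name)
        elif sha256_file(present[name]) == digest:
            result["ok"].append(name)
        else:
            result["mismatch"].append(name)
    result["unlisted"] = sorted(set(present) - set(expected))
    return result


def build_demo():
    """Create constructed image files and a manifest covering a clean image, a
    tampered image and a missing one. Returns (directory, manifest_text)."""
    d = tempfile.mkdtemp()
    good = b"constructed firmware image bytes v1.2.3"
    (Path(d) / "router-os-1.2.3.bin").write_bytes(good)
    (Path(d) / "boot-helper.bin").write_bytes(b"constructed helper, changed after manifest creation")
    (Path(d) / "extra-tool.bin").write_bytes(b"constructed file not covered by the manifest")
    manifest = "\n".join([
        "# constructed manifest in sha256sum format",
        f"{hashlib.sha256(good).hexdigest()}  router-os-1.2.3.bin",
        f"{hashlib.sha256(b'constructed helper, original').hexdigest()}  boot-helper.bin",
        f"{'0' * 64}  diag-module.bin",
    ])
    return d, manifest


if __name__ == "__main__":
    image_dir, manifest = build_demo()
    for outcome, names in verify_images(image_dir, manifest).items():
        print(f"{outcome}: {names}")
```

The hash comparison only proves that the files match the manifest; the manifest itself must be obtained over a trusted channel and, where the vendor provides one, checked against the vendor's signature before it is used, otherwise an attacker who can replace an image can replace the manifest as well. Running the check on images already loaded on a device (rather than only on downloaded files) is what catches the firmware modifications the advisory warns about.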
