Cyberattacks: Made in China

INTRUSION Team
8 min read
Nov 30, 2021

By the time you read this, you will also have seen headlines from every angle on the United States’ tumultuous relationship with China. Trade, Taiwan, cyber, espionage, and climate agreements are hot issues between the two powerhouses. In today’s world, more conflict transpires in cyberspace than in major land and sea battles between nations. The engagements are even rare and have been overshadowed by what many call “competition below the level of conflict.” Make no mistake, there is a conflict raging daily. Access, malware, extortion, cyber espionage, and data theft have replaced bombs and bullets. The fight is all about data, advantage, and money. Everyone wants to be a step ahead of another. And threat actors (nation-state, nation-state-sponsored, and private groups) are keen on stealing millions of dollars worth of data.Every Single Day.

China has become a severe threat to the world through the use of cyberattacks. Security researchers have reported that Chinese state-sponsored threat groups have constantly targeted victims in many Asian countries for the past few months. It is not just about cyberattacks as China is also accused of performing covert cyber operations (espionage) in various countries. However, officials in Beijing deny having sponsored any attacks and never take responsibility for the resulting substantial damage.

In a statement, U.S. Secretary of State Antony Blinken accused the Chinese Ministry of State Security (MSS) of cyberattacks exploiting Microsoft Exchange. Additionally, the U.S. government and its allies had officially verified that the threat groups were associated with the Chinese MSS and were responsible for exploiting MS Exchange Server vulnerabilities which led to an extensive espionage operation jeopardizing thousands of machines and networks belonging to the private sector. These threat actors tended to cover their malicious activities using a series of revolving virtual private servers (VPSs) and open-source pen-testing tools. They then further obfuscated their activity by setting up SOCKS5 proxies on these VPSs to escape exposure.

There are simply too many references with too many unproven allegations about who, if anyone, is controlling and synchronizing many Chinese cyberespionage efforts. You could point the finger at the Ministry of State Security, APT 1 or Unit 61938, or PLA 2d Bureau, 3d Bureau, or even the 4th Bureau, or even better blame the Network Systems Department. Experts in hundreds of investigations have found evidence of links across all of them. This is an advantage to the Chinese as they can simply obfuscate responsibility in an enormous ocean of organization. We also know the US has in the past accused the Chinese of hacking and spying through a large network of front companies and even using their universities in their efforts.

For reference, here are just a few Chinese associated hacking groups:

IRON HUSKY

In October 2021, a Zero-Day exploit was discovered in the Windows Win32k kernel, which Chinese threat actors used for privilege escalation and taking over Windows servers as part of their espionage operations. Apart from finding this Zero-Day in the wild, various other malware variants were observed to be used in extensive campaigns against major IT organizations, defense sectors, and diplomatic institutions.

This pattern of attacks came to an end when the researchers discovered a remote access trojan (RAT) called MysterySnail installed by the APT in compromised servers to exfiltrate data, and server owners began patching. Researchers were able to draw a connection between this malicious campaign and the actions of another Chinese APT named Iron Husky from a repeat in the usage of C2 IP addresses that were first seen in 2012. The Iron Husky APT was discovered in 2017 and is explicitly famous for using exploits to deliver RATs to targets.

They are highly motivated to obtain information on the geopolitical issues happening in the Central Asian region of targets, particularly in Mongolia. It concerns researchers that it appears the threat actor is planning something ominous against this unlikely choice of target. Alarmed researchers watched MysterySnail multitask on affected machines by generating new processes, killing existing processes, and launching interactive shells and proxies during nearly fifty connections.

APT 41 (Wicked Panda)

APT 41 is another Chinese state-sponsored espionage group prevalent because of its various phishing campaigns in Asia. It is believed they use fear to unleash attacks on their targets using campaigns that are related to some emotional/work-related sentiment or current covid scenario to trap them. They attacked four U.S. government institutes in their recent campaigns, where they used multiple SQL injections and old malware. APT 41 is concerning as they are known for constantly improvising their attacks. However, the direct targeting of U.S. state government entities is a newer and concerning development given the nature of APT41 campaigns. They are also highly suspect of intruding into India’s critical infrastructure network.

TAG-28

As the Indo-China relationship worsens over the Line of Actual Control (LAC) in the Galwan Valley, India has undoubtedly become a victim to Chinese state-sponsored cyberattacks. Recent research suggested that a threat group named TAG-28 is suspected of performing massive cyberattacks on Indian entities. The Time’s Group (TTG), a popular media Agency that continuously reports on the Indo-Chinese situation, was one of the critical organizations the attackers targeted. The Unique Identification Authority of India (UIDAI) was among other organizations that suffered a major cyberattack. It is a body that contains the biometric information of more than one billion Indian citizens. The attackers have been using the legendary Winnti Malware used by multiple Chinese hackers.

In the Time’s Group case, researchers observed at least four TTG IPs communicating with two Winnti C2 Servers and a Cobalt Strike server, resulting in at least 500MB of exfiltrated data. Two other IPs were seen communicating to the same C2 servers in the case of UIDAI. This was observed from early June to late July 2021 secretly stealing a small amount of data from both organizations. Apart from stealing PII and breaching the UIDAI or the Aadhaar databases, individuals can face issues like the hack of their bank accounts with the available PII.

TAG-22

Another Chinese threat group identified as TAG-22 has been targeting South Asian Countries like Taiwan, Nepal, Hong Kong, and the Philippines. They are explicitly attacking Research centers, educational institutions, the telecommunication sector, and government offices. Their recent campaigns used compromised GlassFish servers, Acunetix for scanning the vulnerabilities, and the Cobalt Strike tool for the initial access. They then used Winnti, ShadowPad, and Spyder backdoors to pivot and maintain extended access to their C2 infrastructure.

The attackers registered the domain vt[.]livehost[.]com on Namecheap.com and utilized Choopa VPS to strengthen its C2 server. TAG-22 has used spear phishing by sending victims malicious macros- infected documents that drop the Fishmaster loader. They also employed two extensions for the Fishmaster Portable Executable (PE) files as deceptive PDFs or MS Office documents. The attacker’s C2 domain was connected to ShadowPad and the Spyder backdoor which allowed them not only to pivot but also pinpoint the IP address belonging to TAG-22.

APT-31

Recently the APT31 group, also known as Zirconium, is another Chinese APT that used a new (unnamed at this time) dropper to attack countries like the United States, Russia, Canada, Mongolia, and Belarus. This dropper leverages DLL sideloading to execute the malicious payload on the target machine. Many versions of this dropper have been discovered, including one that downloads all the necessary files to continue the attack from their C2 server.

Cyberespionage has been their key motivation as they have been targeting government bodies, the defense and aerospace sector, financial organizations, and high-tech companies. This threat group is popularly known to supply stolen data to the Chinese government and organizations for military and political advantage. They were also publicly accused of launching attacks on Microsoft Exchange servers in July 2021. Researchers were surprised to see for the very first time this threat group targeting Russian entities for its malicious campaigns and concluded simply they are expanding their area of operations.

Wrap-Up

We could have mentioned the group Nobelium (as dubbed by Microsoft’s MSTIC) that was responsible for the infamous Solar Winds hack in 2020. Our opinion is that even though MSTIC continues reporting on Nobelium, we’d still like to see the evidence that links them to Chinese state sponsorship. However, we’ll go with Microsoft’s analysis until something better emerges. The bottom line is that our shortlist is just the tip of the Chinese threat iceberg. They are numerous.

The turmoil caused by these Chinese threat actors has spread like wildfire. The National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) released a joint Cybersecurity Advisory describing 50 TTPs of Chinese state-sponsored cyberattacks. These activities have been causing a massive amount of damage to political, economic, military, educational institutes, critical infrastructure, and public organizations in the United States. These threat actors are accessing valuable and sensitive data for the military and economic growth of the Chinese government.

Lastly, we remind you that attribution should not be the first thought on a CISO, CIO, CTO’s mind when responding to a cyberattack. Stopping the pain, and restoring your network is job one. The difficulty in accurately attributing your case to the Chinese is daunting as it could be a random new start-up criminal gang, or a 3d party state-supported, state-sponsored, or state-owned affiliate, not to mention a PLA unit themselves. Also, the attack may originate from any of the state-sponsored educational institutions, research centers, and key laboratories with prominent examples including the Harbin Institute of Technology; Nanjing University of Science and Technology; Northwestern Polytechnical Institute; Beijing Institute of Technology; Harbin Engineering University; Bei hang University; and Nanjing University of Aeronautics and Astronautics (known as the “Seven Sons of National Defense”); as well as certain PLA-affiliated laboratories such as Tsinghua University, Beijing University, and Shanghai Jiao tong University, North University of China, and others.

The bottom line is regardless of news and press concerning the world’s relationship with China in an era of extremely high competition in politics, military, economics, and social issues, you can bet that as they continue to outpace the world with exports, they’ll continue to rely on cyberattacks, data theft, and espionage to maintain that lead.

Like many things you order from the internet or buy off the shelf these days, chances are the cyberattacks you are experiencing are: Made in China.

Resources that might interest you.