At first glance, last week’s advisory on state-sponsored China cyberattacks by the FBI and the Cybersecurity and Infrastructure Security Agency is nothing new. It outlines the tactics, techniques, and procedures they use. Plus, not every data center contains information that’s of interest to the Chinese government.
But the report should be required reading for many, if not most, people that manage security on data center networks. That’s because A) Companies that could potentially be impacted here go far beyond just those of direct strategic interest to China; B) The report includes a list of specific indicators of intrusion by if this particular set of attackers — which would help inform a response plan; and C) It includes both a set of recommended mitigation measures and contact information for the FBI and CISA offices working to address this threat who could be of assistance.
The document focuses on a China cyberattack group called APT40 and names specific individuals: three Chinese intelligence officers and one employee of a front company. The group targeted companies in several industries, including academia, aerospace, biomedical, defense industrial base, education, government, healthcare, manufacturing, maritime, research institutes, and transportation.
Most of the indicators of compromise listed we’ve seen before. Nevertheless, there are reasons for enterprise data center and data center provider cybersecurity managers to pay attention.
"Today, data centers are under direct attack, even more than customers," said Sean Pearcy, senior director of cybersecurity services at Flexential, a major US data center provider. "Malicious actors realize that they often can more easily target customers through their data centers."
And customers are beginning to question data center providers more about security of their critical infrastructure, he told DCK.
"Malicious actors look to laterally move through a data center," he said. "A data center breach has the potential to take down entire customer networks.
Enterprise Data Centers as China Cyberattack Targets
Managers of internal enterprise data centers should pay attention to the CISA advisory even if they're not in one of the targeted industries listed in the China cyberattack report. It’s enough to be part of a business ecosystem that includes one of those valuable targets to be vulnerable.
A small marketing, legal, or software company might have customers who are of interest to the Chinese government, for example. As we've seen with last year’s SolarWinds breach, state actors will readily use a third-party service provider. In that case, Russian state actors infiltrated SolarWinds, a network monitoring software vendor, to attack the vendor's customers.
China has done the same. The US Justice Department disclosed in 2018 that Chinese hackers had been attacking managed service providers for over a decade to get at their customers.
In the new advisory, CISA warns that the attacks will also compromise email and social media accounts to conduct social engineering attacks. A person is much more likely to click on an email and download software if it comes from a trusted source. If the attacker has access to an employee's mailbox and can read previous messages, they can tailor their phishing email to be particularly appealing – and even make it look like a response to a previous message.
Unlike “private sector” criminals, state-sponsored actors are more willing to use convoluted paths to get to their final targets, said Patricia Muoio, former chief of the NSA’s Trusted System Research Group, who is now general partner at SineWave Ventures.
"They are very patient, very persistent, and are willing to spend time and energy to get to where they want to get to," she told DCK. "And many of these paths involve people who are not entities of interest themselves."
In a business ecosystem, the entire network is as vulnerable as its least secure member, she said. "So, everyone needs to raise the bar. Nobody should be saying, 'They're not going to care about me.'"
More than half of all cyber breaches nowadays are due to third-party attacks, said Vidisha Suman, a partner in the digital transformation practice of the global consultancy Kearney.
"Less than one-fourth of companies are even aware of the full scope of data access and sharing that occurs with third-party providers," she added. And that's not even considering all the connections to software, hardware, and service providers.
When most companies look at their vendor relationships, they focus on the importance of the services they provide, she said. "Now is the time to review cybersecurity measures with a ‘Value-at-Risk’ mindset."
State-Sponsored Cyberattacks Need Tailored Response
Private cybercriminals look for financial gain. They steal credit card information and health care data to sell on the black market, hijack machines to mine cryptocurrencies, and deploy ransomware.
State-sponsored attackers are after different things. If they plan to use your company as an attack vector to go after another target, they'll want to compromise user accounts to get at their communications. If you’re a software vendor, they'll aim to get into your software development or update process.
Companies of strategic interest may have valuable intellectual property or business or legal documents targeted by China cyberattacks.
So, while mitigations for both types of attack are mostly the same – patching and updating all systems, strengthening authentication and access controls, and deploying modern monitoring technologies – some additional measures may be required.
For example, companies might pay particular attention to any unusual access to systems containing sensitive documents, information about enterprise partners or customers, or employees' email or social media accounts.
Another difference between the two attack types is the level of stealth required. Private cybercriminals may hang around inside corporate systems for a while, exfiltrating data or running cryptominers, but in general, the longer they're in place, the higher the likelihood that they'll be discovered. Plus, the faster they launch their ransomware attack, the faster they get paid.
State-sponsored actors, however, are especially careful not to get caught. In the CISA advisory, this falls under the "defense evasion, command and control, collection, and exfiltration" stage of the attack.
"This stealth approach increases the value of the information collected and leaves the door open," said John Carey, managing director in the technology practice at AArete, a management consulting firm. The attackers can keep collecting information on the organization almost as if they had a mole working at the company, he told DCK.
Second, stolen information is more valuable if the victim doesn’t know they were hit. "They don't want to make the victim aware of the fact that they were there, meaning that theft of IP, or specific insider information, which would be to the bad actors’ advantage, such as pre-IPO data, or possible drug trial efficacy, is still apparently confidential."
APT40 Victims Should Work With Authorities
If companies find evidence of APT40 activity, they should contact the local FBI field office or the FBI's 24/7 Cyber Watch.
Reporting an intrusion can help the authorities better identify the scope of the threat and develop appropriate responses.
CISA setting up infrastructure to deal with the China cyberattack threat is long overdue, said Tanner Johnson, principal analyst for data security at Omdia. It's in companies' best interest to cooperate. "It will help provide a single repository where we can universally share information and coordinate a response," he told DCK.
Companies can contact CISA to request incident response resources or technical assistance related to these threats.
Unless you’re required to do so legally, it’s usually “not super important” to notify law enforcement that you’ve been hit by ransomware, said ilia Kolochenko, CEO at cybersecurity vendor ImmuniWeb. With APT40, however, it’s a good idea to contact the authorities, he said.
CISA might have more information about the attack, such as secret backdoors the attackers could have left in place or other sensitive intelligence. "I don't think CISA would share that intelligence publicly at this time so as not to hinder the investigation," he said. "But if you contact CISA they might share some additional insights."
APT40 Uses ‘Pedestrian’ Tactics
Whether the attackers are going after credit card numbers or state secrets, the defensive strategies are the same.
CISA provides a list of security controls that companies should have in place, which are best practices for any type of attack. It includes everything from patching promptly to using multi-factor authentication to monitoring systems for anomalous behaviors.
That's because most of APT40’s attack tactics aren’t that unusual.
"The number-one takeaway from this report should be how pedestrian the tactics actually are," said Ross Rustici, managing director at StoneTurn, a global advisory firm.
APT40 uses commodity tools, he told DCK. "Gh0st, Derusbi, and China Chopper are all a decade old or more at this point."
Once again, it comes down to security fundamentals. Companies need to build defenses against all the commonly used attack methods. "It will not only stymie this particular brand of advanced persistent threat but also drastically reduce the efficacy of cyber criminals," Derusbi said.