NSA, NCSC, and Allies Detail TTPs Associated with Chinese APT Actors Targeting Critical Infrastructure Orgs
The U.S. National Security Agency (NSA), the UK's National Cyber Security Centre (NCSC), and their allies have released a joint Cybersecurity Advisory to expose advanced persistent threat (APT) actors sponsored by the Chinese government, targeting global telecom, government, transport, lodging, and military sectors.
"The National Security Agency (NSA) and other U.S. and foreign organizations are releasing a joint Cybersecurity Advisory to expose advanced persistent threat (APT) actors sponsored by the Chinese government targeting telecommunications, government, transportation, lodging, and military infrastructure networks globally and outline appropriate mitigation guidance," reads the report published by NSA.
The malicious activity outlined in the advisory partially overlaps with cybersecurity industry reporting on Chinese state-sponsored threat actors referred to by names such as Salt Typhoon. A joint Cybersecurity Advisory (CSA) titled "Countering Chinese State-Sponsored Actors Compromise of Networks Worldwide to Feed Global Espionage System" has linked these malicious activities to multiple China-based entities, including Sichuan Juxinhe Network Technology Co. Ltd., Beijing Huanyu Tianqiong Information Technology Co., Ltd., and Sichuan Zhixin Ruijie Network Technology Co., Ltd.
These Chinese tech firms provide cyber products and services to China's Ministry of State Security and People's Liberation Army. The CSA provides details on tactics, techniques, and procedures (TTPs) associated with these nation-state actors.
Tactics, Techniques, and Procedures (TTPs) Used by Chinese APT Actors
Chinese APT actors gain initial access by exploiting known CVEs and weak configurations rather than zero-day exploits. They adapt their tactics as new flaws emerge and mitigations are applied, and are likely to expand to products from vendors such as Fortinet, Juniper, Microsoft Exchange, Nokia, Sierra Wireless, and SonicWall.
Defenders are urged to prioritize patching historically exploited CVEs, especially on exposed network edge devices. The techniques described in the advisory include:
- Use of virtual private servers (VPSs) and compromised routers to target telecoms and ISPs, often by exploiting edge devices, including devices outside the primary targets, to pivot into networks.
- Abuse of trusted interconnections, alteration of routing, enabling of traffic mirroring, and setting up GRE/IPsec tunnels.
- Large-scale exploitation across many IP addresses, with repeated access attempts.
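The advisory notes that the actors alter routing, enable traffic mirroring, and set up GRE/IPsec tunnels on compromised network devices. A defender can catch such changes by auditing device configurations against an allowlist of approved tunnel peers and mirror destinations. The following is an added example, not code from the advisory or any vendor; the configuration text is constructed in a Cisco IOS-like syntax, and the allowlist values are assumptions.

```python
"""Audit a network-device configuration for tunnels and traffic-mirroring
sessions that are not on an approved allowlist (added example)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    kind: str    # "gre-tunnel", "ipsec-tunnel" or "mirror-session"
    name: str    # interface or session identifier
    detail: str  # tunnel destination or mirror target


# Constructed sample configuration: one approved GRE tunnel, one GRE and one
# IPsec tunnel to unknown peers, and a monitor (SPAN) session nobody approved.
SAMPLE_CONFIG = """
interface Tunnel0
 description approved site-to-site link
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.10
 tunnel mode gre ip
!
interface Tunnel7
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.77
 tunnel mode gre ip
!
interface Tunnel8
 tunnel source GigabitEthernet0/1
 tunnel destination 198.51.100.78
 tunnel mode ipsec ipv4
!
monitor session 1 source interface GigabitEthernet0/0 both
monitor session 1 destination interface GigabitEthernet0/3
!
"""

# Assumed allowlists: approved tunnel peers and approved mirror destinations.
APPROVED_TUNNEL_PEERS = {"203.0.113.10"}
APPROVED_MIRROR_DESTINATIONS = set()


def parse_tunnels(config):
    """Return {interface: {"destination": ip, "mode": mode}} for Tunnel interfaces."""
    tunnels = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"^interface (Tunnel\d+)", line)
        if m:
            current = m.group(1)
            tunnels[current] = {"destination": None, "mode": None}
            continue
        # A line that is not indented ends the current interface stanza.
        if line.startswith("!") or not line.startswith(" "):
            current = None
            continue
        if current is None:
            continue
        stripped = line.strip()
        m = re.match(r"tunnel destination (\S+)", stripped)
        if m:
            tunnels[current]["destination"] = m.group(1)
        m = re.match(r"tunnel mode (\S+)", stripped)
        if m:
            tunnels[current]["mode"] = m.group(1)
    return tunnels


def parse_mirror_sessions(config):
    """Return {session_id: destination_interface} for monitor sessions."""
    sessions = {}
    for line in config.splitlines():
        m = re.match(r"^monitor session (\d+) destination interface (\S+)", line.strip())
        if m:
            sessions[m.group(1)] = m.group(2)
    return sessions


def audit(config, approved_peers=APPROVED_TUNNEL_PEERS,
          approved_mirrors=APPROVED_MIRROR_DESTINATIONS):
    """Return a list of Findings for every tunnel peer or mirror destination
    that is not on the corresponding allowlist."""
    findings = []
    for name, t in sorted(parse_tunnels(config).items()):
        if t["destination"] and t["destination"] not in approved_peers:
            kind = "ipsec-tunnel" if t["mode"] == "ipsec" else "gre-tunnel"
            findings.append(Finding(kind, name, t["destination"]))
    for sid, dest in sorted(parse_mirror_sessions(config).items()):
        if dest not in approved_mirrors:
            findings.append(Finding("mirror-session", f"session {sid}", dest))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"{f.kind:15} {f.name:10} -> {f.detail}")
```

Running the audit over a configuration backup on a schedule, and diffing the findings against the previous run, turns an unexpected tunnel or mirror session into an alert rather than something discovered during incident response.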
Mitigation Strategies for Chinese APT Actors
The government experts state that initial access methods remain unclear; they urge organizations to report compromise details to improve defenses. The CSA provides guidance on appropriate mitigation strategies, including:
1. Prioritize patching historically exploited CVEs, especially on exposed network edge devices.
2. Monitor networks and systems for signs of malicious activity, and implement threat hunting activities.
3. Implement incident response plans to quickly respond to suspected or confirmed compromise incidents.
4. Perform regular security assessments and vulnerability scans to identify potential weaknesses.
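The monitoring and threat-hunting mitigation above pairs with the advisory's observation that the actors make repeated access attempts against many addresses. One concrete hunt is to flag source addresses that generate a burst of failed logins against a device's management interface. The following is an added example, not code from the advisory; the log lines are constructed in a syslog-like format, and the threshold and window are assumptions.

```python
"""Flag sources with repeated failed logins against a device management
interface inside a sliding time window (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one source hammering SSH with several usernames,
# one operator with a single typo, and a successful login that is not counted.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z edge-rtr1 sshd: Failed password for admin from 198.51.100.5 port 51000
2024-05-01T10:00:03Z edge-rtr1 sshd: Failed password for root from 198.51.100.5 port 51002
2024-05-01T10:00:04Z edge-rtr1 sshd: Failed password for admin from 198.51.100.5 port 51004
2024-05-01T10:00:09Z edge-rtr1 sshd: Failed password for cisco from 198.51.100.5 port 51009
2024-05-01T10:00:15Z edge-rtr1 sshd: Failed password for netops from 192.0.2.20 port 40200
2024-05-01T10:00:20Z edge-rtr1 sshd: Accepted password for netops from 192.0.2.20 port 40201
2024-05-01T10:30:00Z edge-rtr1 sshd: Failed password for admin from 198.51.100.5 port 51100
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: Failed password for (?P<user>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d+$"
)


def parse_failed_logins(log):
    """Yield (timestamp, source_ip, username) for each failed-login line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m["src"], m["user"]


def find_repeat_offenders(log, threshold=3, window=timedelta(minutes=5)):
    """Return {source_ip: (max_failures_in_window, usernames_tried)} for every
    source that reaches `threshold` failures inside any window of `window` length."""
    by_src = defaultdict(list)
    for ts, src, user in parse_failed_logins(log):
        by_src[src].append((ts, user))

    offenders = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it fits within `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            if len(span) >= threshold:
                prev = offenders.get(src)
                if prev is None or len(span) > prev[0]:
                    offenders[src] = (len(span), {u for _, u in span})
    return offenders


if __name__ == "__main__":
    for src, (count, users) in find_repeat_offenders(SAMPLE_LOG).items():
        print(f"{src}: {count} failures in window, usernames tried: {sorted(users)}")
```

The sliding window keeps a slow, spread-out trickle of failures from being counted as a burst, while the set of usernames tried distinguishes a guessing campaign from an operator repeatedly mistyping one password.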
Critical Infrastructure Organizations at Risk
The report highlights that critical infrastructure organizations, especially telecommunications organizations, are at high risk of targeted attacks from Chinese APT actors.
Reporting Requirements
"If malicious activity is suspected or confirmed, organizations should consider all mandatory reporting requirements to relevant agencies and regulators under applicable laws and regulations, and any additional voluntary reporting to appropriate agencies," concludes the advisory.
"Cybersecurity or law enforcement agencies can provide incident response guidance and assistance with mitigation."