CISA Alert AA22-158A – People’s Republic of China state-sponsored cyber actors exploit network providers and devices.

This is a CISA Cybersecurity Alert. ID number Alpha Alpha Two Two tack One Five Eight Alpha.

​​Original release date: June Seventh, twenty twenty two.

This alert describes the ways in which Chinese state-sponsored cyber actors exploit known vulnerabilities to establish a network of compromised global infrastructure. These actors use the network to exploit targets worldwide, including public and private sector organizations. The alert documentation details the targeting of major telecommunications companies and network service providers and the top vulnerabilities associated with network devices routinely exploited by the cyber actors.

PRC state-sponsored cyber actors have conducted widespread campaigns to rapidly exploit common vulnerabilities and exposures. This technique allows the actors to gain access to victim accounts using public exploit code against virtual private networks or public facing applications without using their own identifying malware.

Equipment such as Small Office Home Office routers and Network Attached Storage devices serve as access points for command and control and as midpoints to conduct network intrusions against other entities. Recent high-severity vulnerabilities for network devices provided these actors with the ability to exploit and gain access to popular devices often overlooked by cyber defenders who struggle to maintain routine software patching of Internet-facing services and endpoint devices.

PRC state-sponsored cyber actors typically conduct their intrusions by accessing compromised servers called hop points from China-based IP addresses resolving to different Chinese internet service providers. They use these servers to register and access operational email accounts, host command and control domains, and interact with victim networks. Cyber actors use these hop points as an obfuscation technique when interacting with victim networks.

These cyber actors have also adapted tactics to bypass defenses. NSA, CISA, and the FBI have observed state-sponsored cyber actors monitoring network defenders’ accounts and actions, and modifying their ongoing campaign to remain undetected. Cyber actors routinely modify their infrastructure and toolsets following the release of information related to their campaigns. PRC state-sponsored cyber actors often mix their customized toolset with tools native to the network environment to obscure their activity and blend into normal network activity.

NSA, CISA, and the FBI urge US and allied governments, critical infrastructure, and private industry organizations to apply the recommendations listed in the Mitigations section and Appendix A of the full report linked in the shownotes to increase their defensive posture and reduce the risk to critical networks. The full report linked in the show notes includes the device vulnerabilities most frequently exploited by PRC state-sponsored cyber actors and additional resources and mitigation strategies.

All organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at central@cisa.dhs.gov or (888) 282-0870 and to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.

This report was written by CISA, the United States Cybersecurity and Infrastructure Security Agency, and edited and adapted for audio by the CyberWire as a public service. Please visit www dot cisa dot gov to read the full report which may include additional details, links, and illustrations. A link to this report can be found in the show notes.

This has been a CISA Cybersecurity Alert.