Updated July 9, 2021
This is a follow-up to the recent Deepwatch announcement “U.S. Federal Cybersecurity Advisory: TTPs of Chinese State-Sponsored Cyber Operations” released on July 19, 2021, summarizing the latest news on this advisory with additional insights from Deepwatch.
What Happened?
On July 19, 2021, the NSA, FBI, and CISA issued a joint Cybersecurity Advisory on Chinese state-sponsored cyber operations. The joint agencies “assess that the People’s Republic of China state-sponsored malicious cyber activity is a major threat to the U.S and Allied cyberspace assets.” The report also states that “Chinese state-sponsored cyber actors aggressively target U.S. and allied political, economic, military, educational, and critical infrastructure (CI) personnel and organizations to steal sensitive data, critical and emerging key technologies, intellectual property, and personally identifiable information (PII).”
Known targeted sectors have included:
- managed service providers,
- semiconductor companies,
- the Defense Industrial Base (DIB),
- universities, and
- medical institutions.
What’s New?
On July 19, the U.S. Justice Department also unsealed an indictment, returned in May, of four APT40 threat actors associated with the Hainan State Security Department of China’s Ministry of State Security (MSS). Coinciding with this announcement, CISA and the FBI “released a Joint Cybersecurity Advisory containing these and further technical details, indicators of compromise (IOCs), and mitigation measures” regarding APT40’s operations.
The APT40 joint advisory and the TTPs of Chinese State-Sponsored Cyber Operations joint advisory were both released on July 19 and overlap significantly in observed TTPs and mitigation measures. The APT40 advisory lists IOCs, but note that these IOCs date from 2011 to 2018 and include MD5 hashes of legitimate tools; as such, Deepwatch does not view them as actionable intelligence.
Though the provided IOCs are stale and unactionable, the tactics and techniques presented in both advisories are those used by Chinese state-sponsored threat actors, and most of them are not unique to Chinese actors: any adversary that scans for unpatched public-facing services, phishes, or dumps credentials uses the same techniques.
What is Deepwatch doing with these advisories?
Deepwatch MDR
Even though Chinese state-sponsored threat actors do not traditionally target every industry vertical our customers operate in, Deepwatch recognizes that the tactics and techniques in the joint advisories are not unique to Chinese state-sponsored actors.
Because of this, Deepwatch has compared the tactics and techniques presented in these advisories against our current global detections, identified gaps, and prioritized global detection rule development that will be deployed in future security content releases.
In addition to global, out-of-the-box detections, Deepwatch provides local (custom) alerts that are specific to your environment and your organization’s particular concerns, so your Detection Engineer has a comprehensive view of your organization’s detection coverage.
Deepwatch VM and MEDR
Chinese state-sponsored threat actors scan target networks for critical and high vulnerabilities within days of a vulnerability’s public disclosure, so the window between disclosure and patch is the window of exposure. Deepwatch’s Vulnerability Management (VM) service provides patch management advice and prioritization to shrink that window and reduce the chance of known vulnerabilities being exploited. Deepwatch also identifies, and assists in remediating, the weaknesses that enable the MITRE ATT&CK techniques described in the advisories.
Deepwatch’s Managed Endpoint Detection and Response (MEDR) service manages your endpoint solution, builds policies that make sense for your business, and develops automated responses to security threats like those listed in the joint Cybersecurity Advisories, so that attacks are contained quickly and root causes are investigated thoroughly.
What Can You Do?
Deepwatch recommends implementing the four recommendations the joint Cybersecurity Advisories provide to protect your organization. See the table below for those recommendations and for Deepwatch’s insight.
Joint Cybersecurity Advisory Recommendations | Deepwatch’s Insight |
Patch systems and equipment promptly and diligently. | We know this is easier said than done, which is exactly why Deepwatch offers a Vulnerability Management (VM) service. Deepwatch’s VM service works with your organization to build consensus on how vulnerabilities will be identified, prioritized, and remediated. |
Enhance monitoring of network traffic, email, and endpoint systems. | Detection capabilities are only as good as the defender’s visibility into the environment, which is why Deepwatch’s MDR offering uses a patent-pending Maturity Model score to help drive greater visibility and detection capability within your environment. Deepwatch’s MDR offering also provides named resources, such as a Detection Engineer to aid in detection strategy and a Threat Hunter to complement current detections. If you have specific concerns you haven’t brought up yet, please reach out to your Customer Success Manager; we’re here to help. |
Use protection capabilities to stop malicious activity. The advisory recommends anti-virus software, endpoint protection platforms, network intrusion detection and prevention systems, a domain reputation service, multi-factor authentication for remote access, and a strong password policy for service accounts. | Deepwatch’s Endpoint Detection and Response (EDR) service works to ensure your EDR platform’s detection capabilities are kept up to date. |
Protect your organization’s credentials via policy-based actions: enforce the principle of least privilege, implement MFA, and ingest authentication and access logs into your SIEM. | As a Deepwatch MDR customer, we deploy alerts custom to your environment, and our MDR service offers many out-of-the-box detections for abnormal or suspicious authentication attempts. |
As a final recommendation, your Deepwatch experts are your organization’s partner. If your organization has any specific concerns that you have not already raised, please speak with your CSM.
Resources
- Alert (AA21-200B) Chinese State-Sponsored Cyber Operations: Observed TTPs | CISA
- Alert (AA21-200A) Tactics, Techniques, and Procedures of Indicted APT40 Actors | CISA
Original Briefing
Overview
Deepwatch is monitoring the following U.S. Federal Cybersecurity Advisory jointly issued today by the NSA, CISA, and FBI. We’ve summarized the information you need to know now below. For more information on what you can do, read the summary below, consider the three recommendations from the Federal advisory, and reach out to your CSM with questions.
Meanwhile, Deepwatch will continue to monitor this joint advisory and future related updates for customers and incorporate any threat intelligence into your existing services.
TTPs of Chinese State-Sponsored Cyber Operations
The joint Cybersecurity Advisory provides an overview of how Chinese state-sponsored threat actors are performing resource development, how they are initially infiltrating a victim’s network, and how command and control communications occur post-compromise.
Resource Development
Chinese state-sponsored threat actors were reported to rotate through a series of virtual private servers (VPS) and to use commercial penetration-testing tools rather than bespoke tooling.
Initial Access
These threat actors continuously scan the internet for publicly known vulnerabilities in exposed services and exploit them to gain initial access into a victim’s network.
Command and Control
Post-compromise, Chinese state-sponsored threat actors commonly route command and control traffic through VPS and compromised small office/home office (SOHO) devices so that it blends in with ordinary traffic and evades detection.
Additionally, the advisory provides a breakdown of TTPs by MITRE ATT&CK tactics and techniques, along with associated detection and mitigation recommendations. The following are tactics and associated techniques known to be utilized by Chinese state-sponsored threat actors:
Tactic | Known Techniques |
Reconnaissance | Active Scanning; Gather Victim Network Information |
Resource Development | Acquire Infrastructure; Stage Capabilities; Obtain Capabilities |
Initial Access | Drive-by Compromise; Exploit Public-Facing Application; Phishing; External Remote Services; Valid Accounts |
Execution | Command and Scripting Interpreter; Scheduled Task/Job; User Execution |
Persistence | Hijack Execution Flow; Modify Authentication Process; Server Software Component; Create or Modify System Process |
Privilege Escalation | Domain Policy Modification; Process Injection |
Defense Evasion | Deobfuscate/Decode Files or Information; Indicator Removal on Host; Signed Binary Proxy Execution |
Credential Access | Exploitation for Credential Access; OS Credential Dumping |
Discovery | File and Directory Discovery; Permission Groups Discovery; Process Discovery; Network Service Scanning; Remote System Discovery |
Lateral Movement | Exploitation of Remote Services |
Collection | Archive Collected Data; Clipboard Data; Data Staged; Email Collection |
Command and Control | Application Layer Protocol; Ingress Tool Transfer; Non-Standard Port; Protocol Tunneling; Proxy |
More information can be found in the advisory’s Appendix A.
CISA Recommendations
The joint Cybersecurity Advisory provides the following recommendations for organizations to protect themselves:
Patch systems and equipment promptly and diligently.
Because Chinese state-sponsored threat actors gain initial access by exploiting publicly known vulnerabilities, patch your public-facing systems first and prioritize vulnerabilities that allow remote code execution (RCE) or denial of service (DoS) on externally reachable equipment.
Enhance monitoring of network traffic, email, and endpoint systems.
Phishing remains a prominent attack vector for script kiddies and state-sponsored threat actors alike; restrict email attachment types and enable URL blocking in your environment. Enhance your organization’s detection capabilities by ensuring your security team and your Managed Detection and Response team have adequate visibility into your network, email, and endpoints.
Use protection capabilities to stop malicious activity.
The cybersecurity advisory recommends that organizations use anti-virus software, endpoint protection platforms, network intrusion detection and prevention systems, a domain reputation service, enable multi-factor authentication for remote access, and finally implement a strong password policy for service accounts.
What Has Deepwatch Done?
Managed Detection & Response
Deepwatch’s Managed Detection & Response (MDR) service deploys numerous out-of-the-box detections covering a wide array of tactics and techniques. Deepwatch also leverages our threat intelligence platform to provide up-to-date indicators that feed a variety of threat-intelligence-based detections. Deepwatch develops detections in a way that allows our rules to catch a variety of threat actors, whether state-sponsored or not, and performs detection analysis within our own infrastructure.
For any other concerns around detections and detection strategy as they relate to Chinese state-sponsored threat actors or threat detection in general, please reach out to your CSM who can work with you on the strategy that fits your needs.
Vulnerability Management
Deepwatch’s Vulnerability Management service works with you to build consensus on how vulnerabilities will be identified, prioritized, remediated, and measured. Deepwatch provides patch management advice and prioritization to stop threat actors from exploiting known vulnerabilities to breach networks or to move laterally within them. Deepwatch also identifies, and assists in remediating, the weaknesses that enable the MITRE ATT&CK techniques listed above.
Managed Endpoint Detection and Response
Deepwatch’s Endpoint Detection and Response (EDR) service works to ensure your EDR platform’s detection capabilities are kept up to date.