The UK National Cyber Security Centre (NCSC) and several other international security agencies have issued a new advisory warning the public against Chinese cyber activity targeting critical national infrastructure networks in the US.
According to the document, threat actors associated with the People’s Republic of China (PRC) employed sophisticated tactics to evade detection while conducting malicious activities. These tactics could also be used against critical infrastructure outside the US.
The threat actors gained initial access by exploiting public-facing applications, specifically Earthworm and PortProxy.
They then employed various methods to ensure persistence and maintain control over the compromised systems, such as using backdoor web servers with web shells, including the Awen web shell variant, to establish a long-term presence.
To evade detection, the threat actors adopted several defense evasion techniques, including deleting Windows Event Logs, system logs and other technical artifacts.
The NCSC and other agencies in the US, Australia, Canada and New Zealand added that the threat actors mainly focused on credential access via brute force and password spraying techniques.
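The two behaviours just described, clearing of Windows Event Logs and password spraying, both leave traces that a defender can hunt for centrally. The script below is an added example written for this article; it is not code from the advisory or from any of the agencies. It assumes a simplified, constructed record layout (time, event ID, account, source IP) of the kind a SIEM exports, and it relies on two real Windows event IDs: 1102 (the Security log was cleared) and 104 (a System or Application log was cleared), plus 4625 (an account failed to log on). The time window and account threshold are arbitrary tuning values, not figures from the advisory.

```python
"""Detection heuristics for Windows Event Log clearing and password spraying.

Added example, not part of the advisory. Event IDs 1102, 104 and 4625 are
real Windows IDs; the record layout and the sample data are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Event IDs written when an event log is cleared. Clearing the log does not
# remove the "log cleared" record that a forwarded collector already holds.
LOG_CLEARED_EVENT_IDS = {1102, 104}
FAILED_LOGON_EVENT_ID = 4625  # "An account failed to log on"


def detect_log_clearing(events):
    """Return every record indicating that an event log was cleared."""
    return [e for e in events if e["event_id"] in LOG_CLEARED_EVENT_IDS]


def detect_password_spraying(events, window=timedelta(minutes=10), min_accounts=5):
    """Flag source IPs whose failed logons hit >= min_accounts distinct
    accounts inside a sliding time window.

    Spraying tries one password across many users, so the tell is breadth of
    accounts from one source, not depth of attempts on one account (classic
    brute force). Returns {source_ip: max_distinct_accounts_in_window}.
    """
    failures = sorted(
        (e for e in events if e["event_id"] == FAILED_LOGON_EVENT_ID),
        key=lambda e: e["time"],
    )
    by_source = defaultdict(list)
    for e in failures:
        by_source[e["source_ip"]].append(e)

    hits = {}
    for src, evs in by_source.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits within `window`.
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            accounts = {x["account"] for x in evs[start:end + 1]}
            if len(accounts) >= min_accounts:
                hits[src] = max(len(accounts), hits.get(src, 0))
    return hits


def _t(minutes):
    """Constructed timestamp helper: minutes after a fixed base time."""
    return datetime(2023, 5, 24, 10, 0) + timedelta(minutes=minutes)


# Constructed sample records (assumed layout, not real telemetry):
#  - 10.0.0.5 fails once against five different accounts in five minutes,
#    then one more account half an hour later (outside the window).
#  - 10.0.0.9 fails three times against the same account (brute force, not
#    spraying by this heuristic).
#  - One Security log clear (1102) in the middle of the spray.
SAMPLE_EVENTS = [
    {"time": _t(0), "event_id": 4625, "account": "alice", "source_ip": "10.0.0.5"},
    {"time": _t(1), "event_id": 4625, "account": "bob", "source_ip": "10.0.0.5"},
    {"time": _t(2), "event_id": 4625, "account": "carol", "source_ip": "10.0.0.5"},
    {"time": _t(3), "event_id": 4625, "account": "dave", "source_ip": "10.0.0.5"},
    {"time": _t(4), "event_id": 4625, "account": "eve", "source_ip": "10.0.0.5"},
    {"time": _t(7), "event_id": 1102, "account": "SYSTEM", "source_ip": "-"},
    {"time": _t(8), "event_id": 4625, "account": "alice", "source_ip": "10.0.0.9"},
    {"time": _t(9), "event_id": 4625, "account": "alice", "source_ip": "10.0.0.9"},
    {"time": _t(10), "event_id": 4625, "account": "alice", "source_ip": "10.0.0.9"},
    {"time": _t(30), "event_id": 4625, "account": "frank", "source_ip": "10.0.0.5"},
]

if __name__ == "__main__":
    for e in detect_log_clearing(SAMPLE_EVENTS):
        print(f"log cleared: event {e['event_id']} at {e['time']}")
    for src, n in detect_password_spraying(SAMPLE_EVENTS).items():
        print(f"possible spraying from {src}: {n} distinct accounts in window")
```

Both checks only work if the records have already left the host: the point of forwarding event logs to a collector is that a later clear on the endpoint cannot erase what the collector has, and the 1102/104 record itself then becomes the alert.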
The group believed to be behind these attacks was identified by Secureworks as Bronze Silhouette and is described in a separate advisory.
The NCSC advisory provides network defenders with technical indicators and examples of techniques used by the attacker to help identify any malicious activity.
“It is vital that operators of critical national infrastructure take action to prevent attackers hiding on their systems, as described in this joint advisory with our international partners,” commented Paul Chichester, NCSC Director of Operations.
“We strongly encourage providers of UK essential services to follow our guidance to help detect this malicious activity and prevent persistent compromise.”
The NCSC compiled the advisory alongside the US National Security Agency (NSA), the US Cybersecurity and Infrastructure Security Agency (CISA) and the US Federal Bureau of Investigation (FBI).
The Australian Signals Directorate’s Australian Cyber Security Centre (ACSC), the Communications Security Establishment’s Canadian Centre for Cyber Security (CCCS) and the New Zealand National Cyber Security Centre (NCSC-NZ) also contributed to the report.
Its publication comes days after a Trellix advisory warned of escalating cyber warfare activity between Taiwan and China.