Cybersecurity firm Sophos has detailed evolving tactics by Chinese advanced persistent threat (APT) groups following five years of collecting telemetry on campaigns targeting its customers.
Working with other cybersecurity vendors, governments and law enforcement agencies, the researchers were able to attribute specific clusters of observed activity from December 2018 to November 2023 to the groups Volt Typhoon, APT31 and APT41/Winnti.
A notable shift from widespread, indiscriminate attacks towards narrow targeting of high value organizations was observed over the period.
Sophos assessed with high confidence that exploits developed by the threat actors were shared with multiple Chinese state-sponsored frontline groups, which have differing objectives, capabilities, and post-exploitation tooling.
The analysis was conducted in response to calls from the UK’s National Cyber Security Centre (NCSC) and the US Cybersecurity and Infrastructure Security Agency (CISA) for technology developers to provide transparency around the scale of exploitation of edge network devices by state-sponsored adversaries.
“In the interests of our collective resilience, we encourage other vendors to follow our lead,” Sophos wrote in a blog dated October 31, 2024.
Chinese Cyber Campaigns Evolution
The researchers noted that over the five-year period, the threat actors shifted their focus from indiscriminate widespread attacks to stealthier operations against specific high-value and critical infrastructure targets.
Read now: Canadian Government Data Stolen By Chinese Hackers
“Noisy” Indiscriminate Attacks
The first activity highlighted took place in December 2018, and involved the targeting of the headquarters of Cyberoam, an India-based Sophos subsidiary.
The attackers successfully installed a remote access trojan (RAT) on a low-privilege computer used to drive a wall-mounted video display in the Cyberoam offices. This was done by utilizing a previous unseen and complex rootkit dubbed Cloud Snooper and a novel technique to pivot into cloud infrastructure by leveraging a misconfigured Amazon Web Services (AWS) Systems Manager Agent (SSM Agent).
Sophos assess with high confidence that this attack was an initial Chinese effort to collect intelligence to aid in the development of malware targeting network devices.
The next cluster of Chinese threat activity detailed in the study was comprised of multiple campaigns designed to discover and then target publicly reachable network appliances.
Starting in early 2020 and continuing through much of 2022, the attackers exploited a series of previously unknown vulnerabilities they had discovered, and then operationalized, targeting WAN-facing services.
These exploits enabled the adversary to retrieve data stored on the comprised devices and deliver payloads insider the device firmware.
These “noisy” attacks were linked to a research community centered around educational establishments in Chengdu, China, which is believed to be conducting vulnerability research and sharing their findings with vendors and other entities associated with the Chinese government.
Sophos added information to allow further location tracking of hackers within these educational establishments. These are named as Sichuan Silence Information Technology and the University of Electronic Science and Technology of China.
Shift to Targeting Specific Entities
The researchers observed that in mid-2022, the attackers shifted their focus to highly targeted attacks against high value entities. These included government agencies, critical infrastructure management groups research and development organizations and healthcare providers primarily located in the Indo-Pacific region.
These attacks utilized diverse tactics, techniques and procedures (TTPs), and tended to favor manually executed commands and the running of malware on compromised devices over automation.
Sophos said that a variety of stealthy persistence techniques were developed and utilized throughout these attacks, such as a custom, fully featured userland rootkit.
CVE exploitation was the most common initial access vector used in these attacks, although cases of initial access using valid administrative credentials from the LAN side of the device were also observed.
Malicious Activity Getting Harder to Detect
Another trend highlighted in the analysis was the increasing effectiveness of the Chinese attackers at hiding their activities from immediate discovery.
This involved various methods of blocking telemetry being sent from compromised devices to Sophos, designed to prevent the firm getting
For example, the threat actors discovered and blocked telemetry-gathering on their own test devices after Sophos X-Ops utilized that capability to collect data on exploits while they were being developed.
Sophos added that the trail of data it could follow with open-source intelligence practices shrank considerably in later attacks due to improvements in the operational security practices of exploit developers.
“The adversaries appear to be well-resourced, patient, creative, and unusually knowledgeable about the internal architecture of the device firmware. The attacks highlighted in this research demonstrate a level of commitment to malicious activity we have rarely seen in the nearly 40 years of Sophos’ existence as a company,” the researchers said.