July 21, 2021
The Cybersecurity and Infrastructure Security Agency (CISA) updated the Tactics, Techniques, and Procedures of Indicted APT40 Actors Associated with China’s MSS Hainan State Security Department advisory with a caveat providing clarification on the original indicators of compromise (page 7).
July 19, 2021
Today the U.S. government released several advisories describing malicious Chinese state-sponsored cyber activity that has been directed against U.S. and Allied entities, including critical infrastructure organizations. Relatedly, the White House issued a statement calling out China for a "pattern of irresponsible behavior in cyberspace" and the real risks it poses to critical infrastructure in the U.S. and around the world. It also formally attributed the campaign that exploited zero-day vulnerabilities in Microsoft Exchange Server disclosed in early March 2021 to Chinese state-sponsored cyber actors.
Advisories
The Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) published the advisories to help organizations assess and harden their networks against malicious Chinese state-sponsored cyber actors. The advisories include:
- Chinese State-Sponsored Cyber Operations: Observed TTPs (CISA, NSA, and FBI) - This advisory details various Chinese state-sponsored cyber techniques used to target U.S. and Allied networks. It offers a deep dive into the techniques used.
- Tactics, Techniques, and Procedures of Indicted APT40 Actors Associated with China’s MSS Hainan State Security Department (CISA and FBI) - This advisory provides the tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) of a Chinese Advanced Persistent Threat (APT) group known in open-source reporting as APT40. This accompanies the U.S. Department of Justice's action today of unsealing indictments against four APT40 cyber actors for their illicit computer network exploitation activities via front company Hainan Xiandun Technology Development Company.
- CISA Insights: Chinese Cyber Threat Overview for Leaders (CISA, FBI, and NSA) - This advisory provides recommendations to public and private sector leaders to reduce the risk of cyber espionage and data theft from Chinese state-sponsored cyber actors. CISA notes that Chinese state-sponsored cyber actors aggressively target U.S. and Allied political, economic, military, educational, and critical infrastructure personnel and organizations to steal sensitive data, emerging and key technology, intellectual property, and personally identifiable information.
Additionally, CISA encourages users and administrators to review the blog post, "Safeguarding Critical Infrastructure against Threats from the People’s Republic of China," by CISA Executive Assistant Director Eric Goldstein and its "China Cyber Threat Overview and Advisories" webpage.
Incident Reporting
WaterISAC encourages any members who have experienced malicious or suspicious activity related to the information contained in the advisories to email analyst@waterisac.org, call 866-H2O-ISAC, or use the online incident reporting form.
