Chinese hackers targeting critical US infrastructure and businesses
Posted by: GuidePoint Security
Published: July 27, 2021, 11:30am
Russian state-sponsored attacks aren’t the only nation-state threat targeting U.S. businesses. News reports surfaced last week of Chinese state-sponsored attacks on multiple industries, including critical U.S. infrastructure.
U.S. pipelines under attack
In a joint advisory issued last week by the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI), U.S. businesses and critical infrastructure operators were warned of at least 23 attacks on U.S. oil and natural gas pipelines by state-sponsored Chinese threat actors. Thirteen of these attacks resulted in the successful compromise of systems, three were near misses, and seven resulted in an ‘unknown depth of intrusion.’ CISA and the FBI assess that the motives were to put U.S. pipeline infrastructure at risk, damage pipelines, disrupt pipeline operations, and help China develop additional cyberattack capabilities against U.S. pipeline facilities.
Some of the attacks began as early as December 2011, with spearphishing activity targeting pipeline employees. Tactics, techniques, and procedures (TTPs) also included social engineering to obtain sensitive information and phone calls requesting information on network security practices. The Chinese hackers also collected and exfiltrated industrial control information and searched document repositories for terms such as “SCAD,” personnel lists, usernames/passwords, and system manuals.
U.S. and allies make it official: Yes, China was behind the Microsoft Exchange attacks
Last week, the United States, the European Union, the United Kingdom and NATO issued a statement officially blaming China for the extensive attacks on Microsoft Exchange infrastructure.
The White House issued a statement last week attributing the attack activity to the People’s Republic of China (PRC) with a high degree of certainty, suggesting the Chinese government conducted cyber-espionage operations using multiple zero-day vulnerabilities disclosed by Microsoft in March 2021. The activity also included PRC government-affiliated threat actors engaging in ransomware attacks against private organizations, with ransom demands in the millions.
In conjunction with the White House announcement, the National Security Agency (NSA), along with CISA and the FBI, issued a joint Cybersecurity Advisory describing more than 50 TTPs commonly used by Chinese state-sponsored attackers.
Next Steps
The U.S. government and cybersecurity professionals are urging the energy sector and other businesses to apply these and other mitigations to help prevent further attacks:
- Implement a layered, defense-in-depth cybersecurity posture.
- Harden the IT/corporate network to reduce the risk of initial compromise.
- Patch bugs/vulnerabilities and update software, operating systems and firmware immediately upon release of fixes or software updates.
- Replace all end-of-life software and hardware devices.
- Restrict and manage remote access software.
- Use multi-factor authentication (MFA).
- Manage and limit or restrict access to networks and remote capabilities.
- Enable strong spam filters to prevent phishing emails.
- Implement an anti-phishing training program.
(Additional details on these recommendations can be found in the CISA advisory referenced above.)