This advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework, Version 9, and the MITRE D3FEND™ framework, version 0.9.2-BETA-3. See ATT&CK for Enterprise for all referenced threat actor tactics and techniques and the D3FEND framework for referenced defensive tactics and techniques.

The National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), and Federal Bureau of Investigation (FBI) assess that People’s Republic of China state-sponsored malicious cyber activity is a major threat to U.S. and Allied cyberspace assets. Chinese state-sponsored cyber actors aggressively target U.S. and allied political, economic, military, educational, and critical infrastructure (CI) personnel and organizations to steal sensitive data, critical and emerging key technologies, intellectual property, and personally identifiable information (PII). Some targeted sectors include managed service providers, semiconductor companies, the Defense Industrial Base (DIB), universities, and medical institutions. These cyber operations support China’s long-term economic and military development objectives.

This Joint Cybersecurity Advisory (CSA) provides information on tactics, techniques, and procedures (TTPs) used by Chinese state-sponsored cyber actors. It builds on previous NSA, CISA, and FBI reporting to inform federal, state, local, tribal, and territorial (SLTT) government, CI, DIB, and private industry organizations about notable trends and persistent TTPs identified through collaborative, proactive, and retrospective analysis. To increase the defensive posture of their critical networks and reduce the risk of Chinese malicious cyber activity, NSA, CISA, and FBI urge government, CI, DIB, and private industry organizations to apply the recommendations listed in the Mitigations section of this advisory and in Appendix A: Chinese State-Sponsored Cyber Actors’ Observed Procedures.

Note: NSA, CISA, and FBI encourage organization leaders to review CISA Joint Insights: Chinese Malicious Cyber Activity: Threat Overview for Leaders for information on this threat to their organization.

NSA, CISA, and FBI have observed increasingly sophisticated Chinese state-sponsored cyber activity targeting U.S. political, economic, military, educational, and CI personnel and organizations. Through proactive and retrospective analysis, NSA, CISA, and FBI have identified the following trends in Chinese state-sponsored malicious cyber operations:

• Acquisition of Infrastructure and Capabilities. Chinese state-sponsored cyber actors remain agile and cognizant of the information security community’s practices. These actors work to mask their activities by using a revolving series of virtual private servers (VPSs) and common open-source or commercial penetration testing tools.

• Exploitation of Public Vulnerabilities. Chinese state-sponsored cyber actors consistently scan target networks for critical and high vulnerabilities within days of the vulnerability’s public disclosure. In many cases, these cyber actors seek to exploit vulnerabilities in major applications, such as Pulse Secure, Apache, F5 Big-IP, and Microsoft products. For information on Common Vulnerabilities and Exposures (CVEs) known to be exploited by malicious Chinese state-sponsored cyber actors, see CISA-FBI Joint CSA AA20-133A: Top 10 Routinely Exploited Vulnerabilities; CISA Activity Alert AA20-275A: Potential for China Cyber Response to Heightened U.S.-China Tensions; and NSA CSA U/OO/179811-20: Chinese State-Sponsored Actors Exploit Publicly Known Vulnerabilities.

• Encrypted Multi-Hop Proxies. Chinese state-sponsored cyber actors have been routinely observed using a VPS as an encrypted proxy. The cyber actors use the VPS as well as small office and home office (SOHO) devices as operational nodes to evade detection.

Chinese state-sponsored cyber actors use a full array of tactics and techniques to exploit computer networks of interest worldwide and to acquire sensitive intellectual property, economic, political, and military information. Appendix B: MITRE ATT&CK Framework lists the tactics and techniques used by Chinese state-sponsored cyber actors; a downloadable JSON file is also available on the NSA Cybersecurity GitHub page. Refer to Appendix A: Chinese State-Sponsored Cyber Actors’ Observed Procedures for information on procedures affiliated with these tactics and techniques as well as applicable mitigations.

Figure 1: Example of tactics and techniques used in various cyber operations.

Mitigations

NSA, CISA, and FBI urge federal and SLTT government, CI, DIB, and private industry organizations to apply the following recommendations as well as the detection and mitigation recommendations in Appendix A, which are tailored to observed tactics and techniques:
Resources

Refer to us-cert.cisa.gov/china, https://www.ic3.gov/Home/IndustryAlerts, and https://www.nsa.gov/What-We-Do/Cybersecurity/Advisories-Technical-Guidance/ for previous reporting on Chinese state-sponsored malicious cyber activity.

Disclaimer of Endorsement

The information and opinions contained in this document are provided "as is" and without any warranties or guarantees. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favoring by the United States Government, and this guidance shall not be used for advertising or product endorsement purposes.

Purpose

This document was developed by NSA, CISA, and FBI in furtherance of their respective cybersecurity missions, including their responsibilities to develop and issue cybersecurity specifications and mitigations. This information may be shared broadly to reach all appropriate stakeholders.

Trademark Recognition

• MITRE and ATT&CK are registered trademarks of The MITRE Corporation.
• D3FEND is a trademark of The MITRE Corporation.
• Microsoft, Microsoft Exchange, Office 365, Microsoft Office, OneDrive, Outlook, OWA, PowerShell, Windows Defender, and Windows are registered trademarks of Microsoft Corporation.
• Pulse Secure is a registered trademark of Pulse Secure, LLC.
• Apache is a registered trademark of Apache Software Foundation.
• F5 and BIG-IP are registered trademarks of F5 Networks.
• Cobalt Strike is a registered trademark of Strategic Cyber LLC.
• GitHub is a registered trademark of GitHub, Inc.
• JavaScript is a registered trademark of Oracle Corporation.
• Python is a registered trademark of Python Software Foundation.
• Unix is a registered trademark of The Open Group.
• Linux is a registered trademark of Linus Torvalds.
• Dropbox is a registered trademark of Dropbox, Inc.

APPENDIX A: Chinese State-Sponsored Cyber Actors’ Observed Procedures

Note: D3FEND techniques are based on the Threat Actor Procedure(s) and may not match automated mappings to ATT&CK techniques and sub-techniques.

Tactics: Reconnaissance [TA0043]

Table I: Chinese state-sponsored cyber actors’ Reconnaissance TTPs with detection and mitigation recommendations
Tactics: Resource Development [TA0042]

Table II: Chinese state-sponsored cyber actors’ Resource Development TTPs with detection and mitigation recommendations

Tactics: Initial Access [TA0001]

Table III: Chinese state-sponsored cyber actors’ Initial Access TTPs with detection and mitigation recommendations

Tactics: Execution [TA0002]

Table IV: Chinese state-sponsored cyber actors’ Execution TTPs with detection and mitigation recommendations

Tactics: Persistence [TA0003]

Table V: Chinese state-sponsored cyber actors’ Persistence TTPs with detection and mitigation recommendations

Tactics: Privilege Escalation [TA0004]

Table VI: Chinese state-sponsored cyber actors’ Privilege Escalation TTPs with detection and mitigation recommendations

Tactics: Defense Evasion [TA0005]

Table VII: Chinese state-sponsored cyber actors’ Defense Evasion TTPs with detection and mitigation recommendations

Tactics: Credential Access [TA0006]

Table VIII: Chinese state-sponsored cyber actors’ Credential Access TTPs with detection and mitigation recommendations

Tactics: Discovery [TA0007]

Table IX: Chinese state-sponsored cyber actors’ Discovery TTPs with detection and mitigation recommendations

Tactics: Lateral Movement [TA0008]

Table X: Chinese state-sponsored cyber actors’ Lateral Movement TTPs with detection and mitigation recommendations

Tactics: Collection [TA0009]

Table XI: Chinese state-sponsored cyber actors’ Collection TTPs with detection and mitigation recommendations

Tactics: Command and Control [TA0011]

Table XII: Chinese state-sponsored cyber actors’ Command and Control TTPs with detection and mitigation recommendations
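The tactic list above and the Appendix B technique mapping (distributed as a JSON file) lend themselves to a coverage check against an organization's own detections. The following Python is an added example, not the advisory's code or its real JSON: it assumes the file follows the ATT&CK Navigator layer format (a "techniques" array whose entries carry "techniqueID", "tactic", "score" and "enabled" fields) and uses a constructed sample layer whose technique IDs are real ATT&CK IDs chosen to match trends this advisory describes.

```python
import json
from collections import defaultdict

# Tactic IDs in the order Appendix A lists them, paired with the short names
# ATT&CK Navigator uses in a layer's "tactic" field (assumed format).
TACTIC_ORDER = [
    ("TA0043", "reconnaissance"), ("TA0042", "resource-development"),
    ("TA0001", "initial-access"), ("TA0002", "execution"),
    ("TA0003", "persistence"), ("TA0004", "privilege-escalation"),
    ("TA0005", "defense-evasion"), ("TA0006", "credential-access"),
    ("TA0007", "discovery"), ("TA0008", "lateral-movement"),
    ("TA0009", "collection"), ("TA0011", "command-and-control"),
]

# Constructed sample layer, NOT the advisory's real JSON. The technique IDs are
# real ATT&CK IDs matching trends the advisory describes (scanning, VPS
# acquisition, exploiting public-facing applications, multi-hop proxies).
SAMPLE_LAYER = json.dumps({
    "name": "constructed sample", "domain": "enterprise-attack",
    "techniques": [
        {"techniqueID": "T1595", "tactic": "reconnaissance", "score": 1},
        {"techniqueID": "T1583.003", "tactic": "resource-development", "score": 1},
        {"techniqueID": "T1190", "tactic": "initial-access", "score": 1},
        {"techniqueID": "T1090.003", "tactic": "command-and-control", "score": 1},
        # Navigator layers also carry unscored or disabled cells; those are noise.
        {"techniqueID": "T1090.003", "tactic": "command-and-control",
         "score": 0, "enabled": False},
    ],
})

def load_layer(text):
    """Parse a layer into {tactic short name: set of technique IDs}, keeping
    only cells that are enabled and carry a positive score."""
    by_tactic = defaultdict(set)
    for cell in json.loads(text).get("techniques", []):
        if cell.get("enabled", True) and cell.get("score", 0) > 0:
            by_tactic[cell["tactic"]].add(cell["techniqueID"])
    return dict(by_tactic)

def coverage_gaps(layer, covered):
    """Return (tactic ID, tactic name, technique ID) for each technique in the
    layer missing from the defender's `covered` set, in Appendix A tactic order.
    Matching is exact: covering parent T1090 does not cover T1090.003."""
    gaps = []
    for tactic_id, name in TACTIC_ORDER:
        for tid in sorted(layer.get(name, ())):
            if tid not in covered:
                gaps.append((tactic_id, name, tid))
    return gaps
```

Feed the real layer file's contents to load_layer and your detection inventory (as a set of technique IDs) to coverage_gaps; the result is the list of advisory techniques with no corresponding detection, ordered by tactic.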
Appendix B: MITRE ATT&CK Framework

Figure 2: MITRE ATT&CK Enterprise tactics and techniques used by Chinese state-sponsored cyber actors. A downloadable JSON file of this mapping is available on the NSA Cybersecurity GitHub page.

Contact Information

To report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at www.fbi.gov/contact-us/field, or the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by e-mail at . When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. To request incident response resources or technical assistance related to these threats, contact CISA at . For NSA client requirements or general cybersecurity inquiries, contact the NSA Cybersecurity Requirements Center at 410-854-4200 or .

Media Inquiries / Press Desk:

References

Revisions