
Chinese cyber espionage growing across all industry sectors

New cyber operations in key sectors: Historically, Chinese cyberespionage groups have predominantly targeted organizations from the government, technology, and telecommunications sectors, and that continued in 2024. Government organizations were a target for China-linked threat actors in virtually all regions of the world, and Salt Typhoon, a cyber unit tied to China’s MSS, made headlines in recent months after compromising major telecom and ISP networks in the US, with this type of targeting also common in Asia and Africa.

But it was financial services, media, manufacturing, industrials, and engineering that saw the biggest surges in China-linked intrusions last year, with 200-300% growth rates compared to 2023. Overall, the number of intrusions and new Chinese cyberespionage groups grew across the board.

Three Chinese groups that CrowdStrike tracks as Liminal Panda, Locksmith Panda, and Operator Panda seem specialized in targeting and compromising telecommunications entities. Liminal Panda in particular has demonstrated extensive knowledge of telecom networks and how to exploit interconnections between providers to move and initiate intrusions across various regions. Locksmith Panda seems more focused on Indonesia, Taiwan, and Hong Kong, with broader targeting that extends to technology, gaming, and energy companies, as well as democracy activists. Operator Panda, which seems to be CrowdStrike’s name for the group known as Salt Typhoon, specializes in exploiting internet-facing appliances such as Cisco switches. In addition to telecom operators, the group has also targeted professional services firms.

Vault Panda and Envoy Panda are two groups that target government entities, but whereas Vault Panda is broad in its targeting, also going after financial services, gambling, technology, academic, and defense organizations, Envoy Panda seems focused on diplomatic entities, especially from Africa and the Middle East. Vault Panda has used many malware families shared by Chinese threat actors, including KEYPLUG, Winnti, Melofee, HelloBot, and ShadowPad. The group regularly exploits vulnerabilities in public-facing web applications to gain initial access. Meanwhile, Envoy Panda is known for its use of Turian, PlugX, and Smanager. PlugX, aka Korplug, is one of the oldest remote access trojans used by China-linked cyberespionage groups, with original versions dating back to 2008.

Another commonly shared resource between Chinese threat groups is so-called ORB (Operational Relay Box) networks, which consist of thousands of compromised IoT devices and virtual private servers that are used to route traffic and conceal espionage operations. These networks are similar to botnets, but are primarily used as proxies, and are often administered by independent contractors based in China. They complicate attribution because the IP addresses of the nodes in use are often short-lived. “Despite law enforcement attempts to disrupt the ORB networks, China-nexus adversaries continue to use these resources as a key part of their operations,” the CrowdStrike researchers wrote.

Better identity management and adversary-centric patching: Some of the most common intrusion methods last year were compromised credentials, misconfigurations, and unpatched vulnerabilities in public-facing assets, whether web applications or network appliances.

Simply relying on multi-factor authentication is not enough to prevent complex breaches that rely on social engineering and impersonation to exploit existing relationships. Organizations need to use conditional access policies, regularly review account activity, and monitor for signs of unusual user behavior that could indicate a compromised account.

Furthermore, attackers are quick to adopt new techniques and proof-of-concept exploits from technical blogs and combine them in multi-stage attack chains. Vulnerabilities in internet-facing systems should be prioritized, as well as flaws that have publicly known exploits or are known to be actively exploited by threat groups targeting your industry, even if they don’t have the highest severity scores. “Monitoring for subtle signs of exploit chaining, such as unexpected crashes or privilege escalation attempts, can help detect attacks before they progress,” the researchers wrote.
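The adversary-centric patching advice above can be turned into a concrete ranking rule. The following is an added example, not code from the CSO Online article or from CrowdStrike: it scores each vulnerability by CVSS as a baseline and then adds weights for exposure on the internet, confirmed active exploitation, a public proof-of-concept, and use by groups targeting your industry, so that a moderate-severity flaw on an internet-facing appliance can outrank a critical-severity flaw on an internal host. The weights, the `Vuln` fields, and the sample vulnerability records (with placeholder ids, not real CVE numbers) are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Assumed weights for the adversary-centric factors. CVSS (0-10) is the
# baseline; each factor that the article says should raise priority adds a
# fixed bonus. Active exploitation is weighted highest on purpose.
WEIGHT_INTERNET_FACING = 3.0
WEIGHT_KNOWN_EXPLOITED = 4.0
WEIGHT_PUBLIC_POC = 2.0
WEIGHT_TARGETS_MY_INDUSTRY = 2.0


@dataclass(frozen=True)
class Vuln:
    """One finding from a vulnerability scanner or asset inventory (assumed schema)."""
    vuln_id: str
    cvss: float
    internet_facing: bool
    known_exploited: bool          # e.g. listed in a known-exploited catalogue
    public_poc: bool               # a working proof-of-concept is public
    targets_my_industry: bool      # threat intel ties it to groups hitting your sector


def adversary_score(v: Vuln) -> Tuple[float, List[str]]:
    """Return (score, reasons). Higher score means patch sooner."""
    score = v.cvss
    reasons = [f"CVSS base {v.cvss}"]
    if v.internet_facing:
        score += WEIGHT_INTERNET_FACING
        reasons.append("internet-facing asset")
    if v.known_exploited:
        score += WEIGHT_KNOWN_EXPLOITED
        reasons.append("known to be actively exploited")
    if v.public_poc:
        score += WEIGHT_PUBLIC_POC
        reasons.append("public proof-of-concept available")
    if v.targets_my_industry:
        score += WEIGHT_TARGETS_MY_INDUSTRY
        reasons.append("used against your industry")
    return round(score, 1), reasons


def prioritize(vulns: List[Vuln]) -> List[Vuln]:
    """Sort by adversary score, descending; ties broken by id for stable output."""
    return sorted(vulns, key=lambda v: (-adversary_score(v)[0], v.vuln_id))


def top_vuln_id(vulns: List[Vuln]) -> str:
    """Id of the single highest-priority finding."""
    return prioritize(vulns)[0].vuln_id


# Constructed sample findings (placeholder ids, not real CVEs).
SAMPLE_VULNS = [
    Vuln("EXAMPLE-1", cvss=9.8, internet_facing=False, known_exploited=False,
         public_poc=False, targets_my_industry=False),   # critical but internal-only
    Vuln("EXAMPLE-2", cvss=7.2, internet_facing=True, known_exploited=True,
         public_poc=True, targets_my_industry=True),     # edge appliance, actively exploited
    Vuln("EXAMPLE-3", cvss=8.1, internet_facing=True, known_exploited=False,
         public_poc=True, targets_my_industry=False),    # web app with public PoC
    Vuln("EXAMPLE-4", cvss=5.3, internet_facing=True, known_exploited=True,
         public_poc=False, targets_my_industry=False),   # medium CVSS, but exploited in the wild
]

if __name__ == "__main__":
    for v in prioritize(SAMPLE_VULNS):
        score, reasons = adversary_score(v)
        print(f"{v.vuln_id:10} score={score:5.1f}  " + "; ".join(reasons))
```

With the sample data, EXAMPLE-2 (CVSS 7.2, internet-facing, actively exploited) ranks first and the CVSS 9.8 internal-only EXAMPLE-1 ranks last, which is the point the article makes: severity score alone is the wrong sort key. In practice the boolean inputs would be populated from your asset inventory, a known-exploited-vulnerability feed, and threat intelligence rather than hard-coded.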

First seen on csoonline.com

Jump to article: www.csoonline.com/article/3838331/chinese-cyber-espionage-growing-across-all-industry-sectors-2.html
