Hackers Connected to China Have Compromised U.S. Government Systems, CISA says

Instead of spending resources building new malware tools, sophisticated cyber actors, including those affiliated with China’s Ministry of State Security, are using known vulnerabilities and open-source exploits and have infiltrated federal government entities, according to the Cybersecurity and Infrastructure Security Agency.

“CISA analysts continue to observe beaconing activity indicative of compromise or ongoing access to Federal Government networks,” reads an advisory the agency released Monday along with the FBI. CISA, housed within the Homeland Security Department, is responsible for overseeing cybersecurity across the nation.

The advisory lists tactics, techniques and procedures employed by Chinese MSS-affiliated cyber actors that CISA has observed over the past year. They include how the Chinese government affiliates—and other cyber actors of varying levels of sophistication—are able to gain initial access, collect and store credentials, select targets and gather information, and build capabilities by establishing command and control within a compromised system.   

“This beaconing is a result of cyber threat actors successfully completing cyber operations that are often designed around emergent vulnerabilities and reliant on existing exploitation tools,” the advisory states. “CISA observed activity from a Federal Government IP address beaconing out to the threat actors’ [command and control] server.”

CISA warns sophisticated cyber threat actors are using public resources such as the national database of vulnerabilities maintained by the National Institute of Standards and Technology to hone their targets. Vulnerability databases, along with open source tools such as Shodan—an internet search engine penetration testers use to see vulnerable internet connected devices—are legitimate tools for defenders, CISA notes, but in the same vein, they can be exploited by attackers.

“While using these data sources, CISA analysts have observed a correlation between the public release of a vulnerability and targeted scanning of systems identified as being vulnerable. This correlation suggests that cyber threat actors also rely on Shodan, the [Common Vulnerabilities and Exposures] database, the [National Vulnerability Database], and other open-source information to identify targets of opportunity and plan cyber operations.” 

CISA said it identified traffic indicating Chinese MSS-affiliated threat actors attempting to exploit a certain vulnerability within weeks of it being publicly reported, and adversaries generally appear to be faster at taking advantage of weaknesses than defenders—government and commercial—are at fixing them.

“In some cases, cyber threat actors have used the same vulnerabilities to compromise multiple organizations across many sectors,” CISA said. “Organizations do not appear to be mitigating known vulnerabilities as quickly as cyber threat actors are exploiting them.”

CISA and the FBI recommended agencies check for mistakes in their system configurations and prioritize patching vulnerabilities typically exploited by the Chinese MSS-affiliated actors for layered security benefits.  

“Widespread implementation of robust configuration and patch management programs would greatly increase network security,” the advisory reads. “It would also reduce the speed and frequency of opportunistic attacks by forcing threat actors to dedicate time and funding to research unknown vulnerabilities and develop custom exploitation tools.”