Chinese government-backed hackers are targeting critical infrastructure and government computer systems as part of a yearslong campaign that includes the well-known Salt Typhoon activity, the U.S. and 12 other countries said on Wednesday.
“The data stolen through this activity against foreign telecommunications and Internet service providers (ISPs), as well as intrusions in the lodging and transportation sectors, ultimately can provide Chinese intelligence services with the capability to identify and track their targets’ communications and movements around the world,” the allied governments said in a joint advisory.
The China-linked campaign has penetrated organizations in more than 80 countries, including more than 200 targets in the U.S., an FBI spokesperson told Cybersecurity Dive.
The advisory describes the attackers’ techniques, from initial access to data exfiltration; details an incident in which the hackers tried to decrypt network traffic to collect administrator credentials; suggests strategies for threat hunting; and recommends mitigation activities.
In a sign of how widespread China’s cyberattacks have been, a large roster of U.S. allies joined the FBI, the Cybersecurity and Infrastructure Security Agency, the NSA and the Department of Defense Cyber Crime Center in issuing the advisory. In addition to the other members of the “Five Eyes” intelligence-sharing alliance — Australia, Canada, New Zealand and the U.K. — the governments of the Czech Republic, Finland, Germany, Italy, Japan, the Netherlands, Poland and Spain also co-issued the warning.
The allied governments “strongly urge network defenders to hunt for malicious activity and to apply the mitigations in this [advisory] to reduce the threat of Chinese state-sponsored and other malicious cyber activity,” they said in the advisory, which includes information from government and industry incident-response investigations of China-linked attacks on enterprise and operational-technology networks.
Multiple Chinese companies have been helping Beijing with its attacks, according to the new advisory, which named three of them: Sichuan Juxinhe Network Technology Co. (which the Treasury Department sanctioned in January for its participation), Beijing Huanyu Tianqiong Information Technology Co. and Sichuan Zhixin Ruijie Network Technology Co.
“We are deeply concerned by the irresponsible behaviour of the named commercial entities based in China that has enabled an unrestrained campaign of malicious cyber activities on a global scale,” Richard Horne, the chief executive of the U.K. National Cyber Security Centre, said in a statement.
By penetrating telecom companies, the Salt Typhoon hackers were able to steal phone-call records, information about court-ordered wiretaps and other sensitive data that could help Beijing pinpoint the locations of people of interest.
“In addition to targeting telecommunications, reported targeting of hospitality and transportation by this actor could be used to closely surveil individuals,” John Hultquist, chief analyst at Google’s Threat Intelligence Group, said in a statement. “Information from these sectors can be used to develop a full picture of who someone is talking to, where they are, and where they are going.”
The campaign exceeded the boundaries of traditional spying because Beijing allowed the companies working for it to pick targets at will, Brett Leatherman, the assistant director of the FBI’s Cyber Division, told The Washington Post.
“The expectation of privacy here was violated, not just in the U.S., but globally,” Leatherman said. “This shows much more broad, indiscriminate targeting of critical infrastructure across the globe in ways that go well outside the norms of cyberspace operations.”
The advisory provides the most detailed examination yet of the China-backed hackers’ activities, including a partial list of networking products that the intruders targeted.
China-backed hackers “focus on large backbone routers of major telecommunications providers, as well as provider edge (PE) and customer edge (CE) routers,” the advisory said, but the attackers also penetrate other devices closer to their targets in order to make the final leap into those networks. In addition, the document warned, the hackers “often modify routers to maintain persistent, long-term access to networks.”
The Salt Typhoon hackers have unique familiarity with telecommunications systems that helps them avoid detection, according to Hultquist.
“Many of the highly successful Chinese cyber espionage actors we encounter have deep expertise in the technologies used by their targets,” he said, “giving them an upper hand.”