Several China-linked state-sponsored threat groups that focus on end-of-life and unpatched IoT and edge devices have been identified and profiled
Drawing on five years of incident response and related research into China-based state-sponsored adversaries that target perimeter devices, including unpatched and end-of-life (EOL) devices, a cybersecurity firm has published its findings for defenders' reference.
China-linked advanced persistent threat (APT) groups Volt Typhoon, APT31 and APT41 have been observed running a series of campaigns that use novel exploits and customized malware to embed tooling for surveillance, sabotage and cyberespionage, with overlapping tactics, techniques and procedures (TTPs) across the groups.
The adversaries have targeted critical infrastructure and government organizations both small and large, primarily located in South and South-east Asia, including nuclear energy suppliers, a national capital's airport, a military hospital, state security apparatus and central government ministries.
Key findings
The first incident occurred in December 2018, when a low-privileged computer connected to an overhead display in India autonomously began suspicious scanning of the internal network. It was subsequently found to be hosting a novel backdoor and a complex rootkit, Cloud Snooper, that could quietly listen for specially crafted inbound internet traffic. Thereafter:
- In April 2020, malicious payloads attributed to China-based APT groups and tracked as Asnarök were found being used to compromise physical and virtual firewalls.
- Enhanced telemetry and monitoring led to the identification of an adversary with demonstrated links to China and to Sichuan Silence Information Technology's Double Helix Research Institute in the Chengdu region.
- In March 2022, an anonymous security researcher reported a zero-day remote code execution vulnerability, designated CVE-2022-1040. Further investigation revealed that the CVE was already being exploited in the wild in multiple operations. Deeper analysis later suggested that the person who reported the exploit may have had a connection to the adversaries.
- Perimeter and other internet-facing devices that are unpatched or past end of life no longer receive fixes for newly discovered flaws, so known exploits keep working against them. Edge devices have therefore become highly attractive targets for Chinese APTs looking to build operational relay boxes (ORBs) that obfuscate and support their activity, whether by directly targeting an organization for espionage or by indirectly leveraging any weak point for onward attacks.
- Even organizations that are not the ultimate target are getting hit. Network devices built for businesses are natural targets for this purpose: they are powerful, always on and permanently connected. The China-based APTs tend to assemble a global network of ORBs from such devices, moving in whenever a zero-day exploit or a poorly secured IoT/edge network presents an opening.
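The December 2018 symptom described above, a host that has no business scanning suddenly fanning out across the internal network, is one a defender can catch from flow or firewall logs without knowing anything about the implant. The detector below is an added example written for this article, not code from Sophos or from the report: the log format, the 5-minute window, the fan-out thresholds, the allowlisted scanner address 10.20.1.250 and every flow record are constructed assumptions.

```python
"""Fan-out scan detector over connection/flow logs (added example).

Flags a source host that contacts an unusual number of distinct internal
destinations, or an unusual number of ports on one destination, inside a
short window. Format, thresholds and sample data are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timezone
import ipaddress

WINDOW_SECONDS = 300        # fixed 5-minute buckets (assumption)
HOST_FANOUT_THRESHOLD = 20  # distinct internal destinations per window (assumption)
PORT_FANOUT_THRESHOLD = 10  # distinct ports on one destination per window (assumption)
EXPECTED_SCANNERS = {"10.20.1.250"}  # hypothetical authorised vulnerability scanner


def parse_flows(text):
    """Parse lines of 'ISO-timestamp src dst dport' into (ts, src, dst, port)."""
    events = []
    for line in text.strip().splitlines():
        ts, src, dst, port = line.split()
        when = datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)
        events.append((when, src, dst, int(port)))
    return events


def is_internal(ip):
    """Only count destinations inside RFC 1918 space as 'internal scanning'."""
    return ipaddress.ip_address(ip).is_private


def detect_fanout(events):
    """Return sorted (src, window_start_iso, kind, count) alerts."""
    dst_by_window = defaultdict(set)   # (src, bucket) -> distinct internal dsts
    ports_by_dst = defaultdict(set)    # (src, bucket, dst) -> distinct ports
    for ts, src, dst, port in events:
        if src in EXPECTED_SCANNERS or not is_internal(dst):
            continue
        bucket = int(ts.timestamp()) // WINDOW_SECONDS * WINDOW_SECONDS
        dst_by_window[(src, bucket)].add(dst)
        ports_by_dst[(src, bucket, dst)].add(port)

    alerts = []
    for (src, bucket), dsts in dst_by_window.items():
        if len(dsts) >= HOST_FANOUT_THRESHOLD:
            start = datetime.fromtimestamp(bucket, timezone.utc).isoformat()
            alerts.append((src, start, "host-sweep", len(dsts)))
    for (src, bucket, dst), ports in ports_by_dst.items():
        if len(ports) >= PORT_FANOUT_THRESHOLD:
            start = datetime.fromtimestamp(bucket, timezone.utc).isoformat()
            alerts.append((src, start, "port-sweep", len(ports)))
    return sorted(alerts)


def build_sample_flows():
    """Constructed sample telemetry, not real logs from any incident."""
    lines = [
        "2018-12-04T09:00:01 10.20.5.17 10.20.5.1 53",       # benign DNS
        "2018-12-04T09:00:05 10.20.5.17 10.20.9.8 443",      # benign HTTPS
        "2018-12-04T09:00:07 10.20.5.17 203.0.113.9 443",    # external, ignored
    ]
    # The display host 10.20.5.44 sweeps 30 internal hosts on 445 in 30 seconds...
    for i in range(30):
        lines.append(f"2018-12-04T09:10:{i:02d} 10.20.5.44 10.20.0.{i + 1} 445")
    # ...then probes a dozen ports on one of them.
    for j, port in enumerate([21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 3389, 8080]):
        lines.append(f"2018-12-04T09:12:{j:02d} 10.20.5.44 10.20.0.10 {port}")
    # The authorised scanner does the same but is allowlisted.
    for i in range(30):
        lines.append(f"2018-12-04T09:20:{i:02d} 10.20.1.250 10.20.0.{i + 1} 22")
    return "\n".join(lines)


if __name__ == "__main__":
    for alert in detect_fanout(parse_flows(build_sample_flows())):
        print(alert)
```

The allowlist matters in practice: a genuine vulnerability scanner or monitoring box will trip both rules every cycle, and tuning it out by address (or better, by an asset-inventory role) keeps the rule useful. Against the Cloud Snooper pattern the important design choice is to key on role rather than privilege: a kiosk or display controller is low-privileged but should still have a near-empty set of internal destinations, so a small threshold is appropriate for that class of host.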
According to Ross McKerchar, CISO of Sophos, the firm sharing its research: "Recent advisories from CISA have made it clear that Chinese nation-state groups have become a perennial threat to nations' critical infrastructure. What we tend to forget is that small- and medium-sized businesses are targets since they are often the weak links in such supply chains. Unfortunately, these businesses often have fewer resources to defend against such sophisticated threats. Further complicating matters is the tendency for these adversaries to gain a foothold and dig in, making it hard to evict them. The modus operandi of China-based adversaries is creating long-term persistence and complex obfuscated attacks. They won't stop until (their entire operations are) disrupted."