Several state-sponsored threat groups linked to China, whose operations focus on end-of-life and unpatched IoT and edge devices, have been identified and profiled.

The first incident occurred in December 2018, when a low-privileged computer connected to an overhead display in India autonomously began suspicious network scanning activity. It was subsequently found to be hosting a novel type of backdoor and a complex rootkit — Cloud Snooper — that could quietly listen for specially crafted inbound internet traffic. Thereafter:

  • In April 2020, malicious payloads containing Asnarök, attributed to China-linked APT groups, were found being used to compromise physical and virtual firewalls.
  • Enhanced telemetry and monitoring led to the identification of an adversary with demonstrated links to China and to Sichuan Silence Information Technology’s Double Helix Research Institute in the Chengdu region.
  • In March 2022, an anonymous security researcher reported a zero-day remote code execution vulnerability, designated CVE-2022-1040. Further investigation revealed that this CVE was already being exploited in the wild in multiple operations. Deeper analysis later showed that the person who reported the vulnerability may have had a connection to the adversaries.
  • Perimeter devices that are unpatched or end-of-life while still internet-facing may harbor vulnerabilities if they are not patched against the latest hardware and related exploits. The reality is that edge devices have become highly attractive targets for Chinese APTs as they look to build operational relay boxes (ORBs) to obfuscate and support their activity. This includes directly targeting an organization for espionage, or indirectly leveraging any weak points for onward attacks.
  • Even organizations that are not targets are getting hit. Network devices designed for businesses are natural targets for these purposes: they are powerful, always on, and have constant connectivity. China-linked APTs tend to build a global network of ORBs from such devices, waiting for zero-day exploits or poorly secured IoT/edge networks.
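The first incident above, a display PC that abruptly started scanning the network, is the kind of behaviour a defender can surface from ordinary firewall connection logs by watching each internal host's target fan-out. The following is an added example written for this summary; it is not code from the report, from Sophos, or from any vendor product. The log line format, the field names, the 60-second window, the threshold of 25 distinct (destination, port) pairs and the sample traffic are all assumptions constructed for illustration.

```python
"""Flag internal hosts that abruptly start scanning, from firewall connection logs.

Added example, not code from the original article or from any vendor product.
The log format, field names, thresholds and sample data below are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # assumed sliding window
FANOUT_THRESHOLD = 25            # assumed: distinct (dst_ip, dst_port) pairs per window


def build_sample_logs():
    """Constructed data: one quiet host and one display PC that begins a sweep.

    Line format (assumed): "<ISO timestamp> <src_ip> <dst_ip> <dst_port> <allow|reject>"
    """
    base = datetime(2018, 12, 3, 9, 0, 0)
    lines = []
    # 10.1.5.20: normal behaviour, talks to a single server on 443.
    for i in range(20):
        t = base + timedelta(seconds=3 * i)
        lines.append(f"{t.isoformat()} 10.1.5.20 10.1.5.1 443 allow")
    # 10.1.7.42: normal at first ...
    for i in range(5):
        t = base + timedelta(seconds=5 * i)
        lines.append(f"{t.isoformat()} 10.1.7.42 10.1.7.1 443 allow")
    # ... then sweeps 40 neighbours on 22/445/3389, five connections a second.
    t = base + timedelta(seconds=30)
    for host in range(1, 41):
        for port in (22, 445, 3389):
            t += timedelta(milliseconds=200)
            lines.append(f"{t.isoformat()} 10.1.7.42 10.1.1.{host} {port} reject")
    return lines


def parse_line(line):
    """Split one log line into (timestamp, src_ip, (dst_ip, dst_port), outcome)."""
    ts, src, dst, dport, outcome = line.split()
    return datetime.fromisoformat(ts), src, (dst, int(dport)), outcome


def detect_scanners(lines, window=WINDOW, threshold=FANOUT_THRESHOLD):
    """Return {src_ip: summary} for sources whose target fan-out crosses the threshold.

    Fan-out is the number of distinct (dst_ip, dst_port) pairs a source contacts
    inside any sliding window. A host that normally touches one server and
    suddenly touches dozens, mostly rejected, is the pattern worth an alert.
    """
    by_src = defaultdict(list)
    for line in lines:
        if line.strip():
            ts, src, target, outcome = parse_line(line)
            by_src[src].append((ts, target, outcome))

    alerts = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e[0])
        recent = deque()
        for ts, target, outcome in events:
            recent.append((ts, target, outcome))
            while ts - recent[0][0] > window:      # drop events older than the window
                recent.popleft()
            distinct = {t for _, t, _ in recent}
            if len(distinct) < threshold:
                continue
            rejects = sum(1 for _, _, o in recent if o == "reject")
            summary = alerts.setdefault(
                src, {"first_alert": ts, "peak_distinct_targets": 0, "reject_fraction": 0.0}
            )
            if len(distinct) > summary["peak_distinct_targets"]:
                summary["peak_distinct_targets"] = len(distinct)
                summary["reject_fraction"] = rejects / len(recent)
    return alerts


if __name__ == "__main__":
    for src, info in detect_scanners(build_sample_logs()).items():
        print(f"{src}: fan-out {info['peak_distinct_targets']} targets from "
              f"{info['first_alert'].time()} ({info['reject_fraction']:.0%} rejected)")
```

The quiet host never exceeds one distinct target and produces no alert; the display PC crosses the threshold within seconds of starting its sweep and the high reject fraction distinguishes a scan from a legitimately chatty service. In practice the threshold should be set per device class from a baseline of observed fan-out, since a vulnerability scanner or a monitoring server will legitimately exceed what a kiosk should ever reach.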