
Chinese Advanced Persistent Threats Exploit Years of Edge Device Attacks for Financial Gain


Chinese threat actors have escalated their activity to unprecedented levels, building on years of trial-and-error attacks against a large number of edge devices. These actors focus squarely on networking devices, which serve as an entry point into enterprise networks and can be repurposed as nodes in botnets. The inherent weaknesses of these devices, coupled with their placement on the network perimeter, make them prime targets.

Over time, Chinese APTs have refined their tactics and capabilities when it comes to edge device attacks. Sophos, a leading cybersecurity firm, has observed a progression in the sophistication of these attacks. What started as simple, low-level campaigns evolved into more targeted assaults on specific organizations, showcasing the adaptability and growing expertise of these threat actors.

In December 2018, Sophos analysts uncovered a suspicious device conducting network scans against Cyberoam, a subsidiary of Sophos in India. While the initial attack utilized common malware and tactics, there were indications of a more advanced adversary at play. The attackers employed novel techniques to move from on-premises devices to the cloud, showcasing a higher level of sophistication in their approach. This marked the beginning of a new phase in Chinese cyber warfare strategies.

As Chinese cyber threats continued to evolve between 2020 and 2022, attackers homed in on exploiting vulnerabilities in edge devices at scale. The widespread shift to remote work during the COVID-19 pandemic created additional opportunities to target devices with Internet-facing portals. Concurrently, regulatory changes in China required researchers to report vulnerabilities to government authorities first, potentially facilitating coordinated cyber campaigns.

Chinese APTs sought not only to compromise devices for direct attacks but also to build operational relay box (ORB) networks for launching more complex and harder-to-trace operations. This organizational shift folded compromised devices into broader networks, providing a more capable infrastructure for advanced intrusions.

In recent years, Chinese threat actors have transitioned to more targeted and deliberate attacks against high-value targets such as government agencies, military contractors, and critical infrastructure providers. These attacks involve a combination of known and zero-day vulnerabilities, advanced malware like UEFI bootkits, and hands-on-keyboard tactics. The cumulative experience gained from years of cyber campaigns has enabled these threat actors to evade traditional cybersecurity defenses and maintain stealthy persistence in their operations.

As Sophos CISO Ross McKerchar notes, the evolution of Chinese cyber threats has been marked by a progression towards increasingly covert and sophisticated attack techniques. From the early days of conspicuous malware to the current use of rootkits, bootkits, and other advanced tactics, Chinese APTs have continually raised the bar in cyber warfare. The relentless pursuit of improvement suggests that these threat actors will continue to refine their capabilities, posing a persistent challenge to cybersecurity professionals worldwide.
