Chinese Hackers Using Publicly Available Resources in Attacks on U.S. Government

Threat actors affiliated with the Chinese Ministry of State Security (MSS) continue to target U.S. government agencies, the Cybersecurity and Infrastructure Security Agency (CISA) says in a new alert.

Published with contribution from the FBI, the alert presents some of the tactics, techniques, and procedures (TTPs) that the Chinese state-sponsored hackers are employing in attacks on the U.S., such as the heavy use of publicly available tools to hinder attribution.

CISA’s alert arrives a couple of months after the U.S. indicted two Chinese hackers for the targeting of organizations in the defense, high-tech manufacturing, engineering, software (business, educational, and gaming), solar energy, and pharmaceuticals sectors for more than ten years.

According to CISA, threat actors affiliated with the Chinese MSS use open-source information in the planning stage of their operations, and engage target networks leveraging readily available exploits and toolkits.

Over the past 12 months, CISA says, the hackers were observed leveraging the Common Vulnerabilities and Exposures (CVE) database, the National Vulnerability Database (NVD), Shodan, and other information sources to identify vulnerable targets, understand specific security issues, and discover exploitable systems.

“While using these data sources, CISA analysts have observed a correlation between the public release of a vulnerability and targeted scanning of systems identified as being vulnerable. This correlation suggests that cyber threat actors also rely on Shodan, the CVE database, the NVD, and other open-source information to identify targets of opportunity and plan cyber operations,” CISA reveals.

The adversaries are continuously targeting, scanning, and probing for significant vulnerabilities and they often use the same security flaws to compromise multiple organizations in different industries, mainly due to the lack of quick mitigation of known issues.

Some of the most recent security bugs targeted by Chinese hackers are CVE-2020-5902 (vulnerability in F5 Big-IP), CVE-2019-19781 (bug in Citrix VPN appliances), CVE-2019-11510 (arbitrary file read issue in Pulse Secure VPN servers), and CVE-2020-0688 (remote code execution on Microsoft Exchange Server).

The threat actors, CISA also says, have the ability to “build and maintain relatively low-complexity capabilities” in support of attacks on federal government networks. They also employ commercial and open-source tools for these operations, including the Cobalt Strike implant, the China Chopper web shell, and the open-source credential harvesting tool Mimikatz.

CISA also notes that the adversaries continue to use low-complexity attack vectors, such as spear-phishing emails, misconfigurations, and the lack of a patch management program, to abuse common vulnerabilities.

The agency also reveals that it has observed beaconing activity on government networks compromised by Chinese actors, brute-force attacks leveraging credentials available on the Internet, suspicious network scanning activity for ports on target networks, and the targeting of CVE-2020-0688 “to collect emails from the exchange servers found in Federal Government environments.”

External proxy tools or hop points, such as commercial infrastructure as a service (IaaS) or software as a service (SaaS) products – such as the Tor browser – are also employed by the Chinese hackers. In one instance, CISA observed a network proxy tool targeting 221 unique government agency IP addresses.

“CISA asserts with high confidence that sophisticated cyber threat actors will continue to use open-source resources and tools to target networks with a low security posture. When sophisticated cyber threat actors conduct operations against soft targets, it can negatively impact critical infrastructure, federal, and state, local, tribal, territorial government networks, possibly resulting in loss of critical data or personally identifiable information,” CISA notes.

Thus, entities at risk are advised to apply patches for known vulnerabilities as soon as possible, as well as to routinely conduct security audits of their configurations and patch management process, to make sure they are not exposed and that threats can be easily mitigated.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
