Security Experts:

Connect with us

Hi, what are you looking for?



EU Organizations Warned of Chinese APT Attacks

ENISA and CERT-EU warn of Chinese threat actors targeting businesses and government organizations in the European Union.

The European Union Agency for Cybersecurity (ENISA) and CERT-EU are warning of multiple Chinese advanced persistent threat (APT) actors targeting businesses and government organizations in the EU.

The observed malicious activity, the agencies say in a joint advisory (PDF), can be attributed to several known Chinese hacking groups, including APT27, APT30, APT31, Ke3chang, Gallium, and Mustang Panda.

“These threat actors present important and ongoing threats to the European Union. Recent operations pursued by these actors focused mainly on information theft, primarily via establishing persistent footholds within the network infrastructure of organizations of strategic relevance,” the advisory reads.

The ongoing activity, the agencies say, should prompt organizations in the EU to improve their security posture and enhance their ability to detect cyberattacks, as well as their resilience to such attacks.

Cyberattack detection, the agencies say, involves log collection and review, monitoring of device activity and the use of curated threat intelligence and intrusion detection signatures, along with regular threat hunting.

Organizations should also implement strategies to detect and prevent PowerShell-based attacks and lateral movement that abuses NTLM and Kerberos protocols, and should educate users to immediately report any suspicious activity.

To reduce the risks of compromise, organizations are advised to follow security best practices to harden products and protect high-privileged accounts and key assets, and to follow best practices for identity and access management.

Organizations are advised to maintain updated inventories of all assets, both physical and virtual, to block or reduce egress internet access for systems that are rarely rebooted, to implement a backup strategy, and to implement access controls for all end users and external third-party contractors.

Implementing network segmentation, ensuring cloud environments are properly secured, implementing a resilient email policy to block malicious messages, implementing prevention for pass-the-ticket attacks, and educating users and employees on phishing and other threats should also help organizations improve their cyber resilience.

Additionally, organizations should implement an incident response plan that involves assessing the severity of an incident based on impact, and ensure clear communication with internal stakeholders.

When responding to an incident, organizations should assess what triggered an event and its potential impact, collect evidence from impacted systems, use all available telemetry sources, fix the root cause of an attack and ensure the incident is fully contained, and keep a detailed record of all actions taken.

Related: China’s Hacking of European Diplomats Aligns With Russia-Ukraine Conflict

Related: Cybersecurity Firm Group-IB Repeatedly Targeted by Chinese APT

Related: US Blacklists 6 Chinese Entities Over Balloon Program

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet


The North Korean APT tracked as TA444 is either moonlighting from its previous primary purpose, expanding its attack repertoire, or is being impersonated by...


Iranian APT Moses Staff is leaking data stolen from Saudi Arabia government ministries under the recently created Abraham's Ax persona


The war in Ukraine is the first major conflagration between two technologically advanced powers in the age of cyber. It prompts us to question...


Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...


A newly identified threat actor tracked as NewsPenguin has been targeting military organizations in Pakistan with sophisticated malware.