The European Union Agency for Cybersecurity (ENISA) and CERT-EU are warning of multiple Chinese advanced persistent threat (APT) actors targeting businesses and government organizations in the EU.
The observed malicious activity, the agencies say in a joint advisory (PDF), can be attributed to several known Chinese hacking groups, including APT27, APT30, APT31, Ke3chang, Gallium, and Mustang Panda.
“These threat actors present important and ongoing threats to the European Union. Recent operations pursued by these actors focused mainly on information theft, primarily via establishing persistent footholds within the network infrastructure of organizations of strategic relevance,” the advisory reads.
The ongoing activity, the agencies say, should prompt organizations in the EU to improve their security posture and enhance their ability to detect cyberattacks, as well as their resilience to such attacks.
Cyberattack detection, the agencies say, involves log collection and review, monitoring of device activity and the use of curated threat intelligence and intrusion detection signatures, along with regular threat hunting.
Organizations should also implement strategies to detect and prevent PowerShell-based attacks and lateral movement that abuses NTLM and Kerberos protocols, and should educate users to immediately report any suspicious activity.
To reduce the risks of compromise, organizations are advised to follow security best practices to harden products and protect high-privileged accounts and key assets, and to follow best practices for identity and access management.
Organizations are advised to maintain updated inventories of all assets, both physical and virtual, to block or reduce egress internet access for systems that are rarely rebooted, to implement a backup strategy, and to implement access controls for all end users and external third-party contractors.
Implementing network segmentation, ensuring cloud environments are properly secured, implementing a resilient email policy to block malicious messages, implementing prevention for pass-the-ticket attacks, and educating users and employees on phishing and other threats should also help organizations improve their cyber resilience.
Additionally, organizations should implement an incident response plan that involves assessing the severity of an incident based on impact, and ensure clear communication with internal stakeholders.
When responding to an incident, organizations should assess what triggered an event and its potential impact, collect evidence from impacted systems, use all available telemetry sources, fix the root cause of an attack and ensure the incident is fully contained, and keep a detailed record of all actions taken.
Related: China’s Hacking of European Diplomats Aligns With Russia-Ukraine Conflict
Related: Cybersecurity Firm Group-IB Repeatedly Targeted by Chinese APT
Related: US Blacklists 6 Chinese Entities Over Balloon Program