The Cybersecurity and Infrastructure Security Agency (CISA) put out Alert AA20-275A on 10.1.2020 on the Potential for China Cyber Response to Heightened U.S. – China Tensions. The genesis of the alert is increasing tensions between the United States and China. The alert declares that “China has a history of using national military and economic resources to leverage offensive cyber tactics in pursuing its national interests.”
The “Made in China 2025” 10-year plan defines some of China’s policy priorities. Per the CISA alert, China may seek to target industries that are core to U.S. interests. These industries include new energy vehicles (electric, fuel cell, hydrogen, etc.), next-generation information technology (IT), biotechnology, new materials, aerospace, maritime engineering and high-tech ships, railway, robotics, power equipment, and agricultural machinery.
The U.S. intelligence community and various private industry organizations have repeatedly identified the Chinese People’s Liberation Army (PLA) and the Ministry of State Security (MSS) as behind a history of Chinese state-sponsored cyberattacks. There are examples of the PLA and the MSS managing these attacks directly and using designated proxy contractors in the Chinese business community.
Many Years of Documented Malicious Activity
These Chinese Government-sponsored malicious activities have gone on for years. In 2014, the Zombie Zero¹ supply-chain attack targeted shipping and logistics firms by implanting malware in brand new scanner hardware manufactured in China. Once a particular supply chain was compromised, the perpetrators could make orders in the database appear and disappear at will. In Zombie Zero, a Chinese government-sponsored private industry contractor embedded all newly manufactured scanner hardware with malicious firmware. The malware allowed the setup of command and control directly to the supply chain software. This allowed the threat actors to track virtually all shipments to and from each of the organizations compromised by these devices.
The CISA alert cites other examples of the very long history of Chinese threat actors involved with much offensive cyber activity. Those mentioned in the CISA alert include:
- February 2013 – Cyber Threat Intelligence Researchers Link Advanced Persistent Threat (APT) 1 to China. This comprehensive report publicly exposed APT1 as part of China’s military cyber operations and a multi-year effort that exfiltrated IP from roughly 141 companies spanning 20 major industries. A year later, the DOJ indicted Chinese cyber threat actors assigned to PLA Unit 61398 for the first time (also highlighted in the report).
- April 2017 – Chinese APTs Targeting IP in 12 Countries. CISA announced that Chinese state-backed APTs carried out a multi-year cyber-enabled IP theft campaign that targeted global technology service providers and their customers. The threat actors leveraged stolen administrative credentials (local and domain). They placed sophisticated malware on critical systems to steal companies’ IP and sensitive data in at least 12 countries.
- December 2018 – Chinese Cyber Threat Actors Indicted for Compromising Managed Service Providers (MSPs). DOJ indicted two Chinese cyber threat actors believed to be associated with APT10, who targeted MSPs and their large customer base through phishing and spear-phishing campaigns aimed at exfiltrating sensitive business data and, possibly, PII.
- February 2020 – China’s Military Indicted for 2017 Equifax Hack. DOJ indicted members of China’s PLA for stealing large amounts of PII and IP. The Chinese cyber threat actors exploited a vulnerability in the company’s dispute resolution website to enter the network, conduct reconnaissance, upload malware, and steal credentials to extract the targeted data. The breach impacted roughly half of all American citizens and stole Equifax’s trade secrets.
- May 2020 – China Targets COVID-19 Research Organizations. The Federal Bureau of Investigation (FBI) and CISA reported the targeting and compromise of U.S. organizations conducting COVID-19-related research by cyber actors affiliated with China. Large-scale password spraying campaigns were a commonly observed tactic in illicitly obtaining IP related to vaccines, treatments, and testing from networks and personnel affiliated with COVID-19-related research.
DNS Compromise is a Key Attacker Technique
The CISA Alert references key threat actor pre-attack techniques using the MITRE ATT&CK framework. Pre-attack techniques involve reconnaissance, staging, and testing before the execution of an attack. The identified Chinese threat actors have been found to use the MITRE ATT&CK Technique ID: T1326², Domain Registration Hijacking. Domain registration hijacking involves changing the registration of a domain name without the permission of the original registrant. This technique was used explicitly by the APT1 threat group, which is attributed to the 2nd Bureau of the People’s Liberation Army (PLA) General Staff Department’s (GSD) 3rd Department, known by the Military Unit Cover Designator (MUCD) as Unit 61398.
The CISA Alert also references enterprise-class MITRE ATT&CK techniques. CISA calls out the use of MITRE ATT&CK technique DNS T1071.004³. This is part of the command and control tactic set and specifically involves hidden communications by threat actors using the Domain Name System (DNS) application protocol. The goal is to avoid detection/network filtering by blending in with existing traffic. Command and control dialog with remote entities, and the results of those commands, are hidden and embedded in DNS protocol traffic between the client and server. DNS tunneling allows adversaries to use DNS to communicate with systems through the victim’s network, hidden within the normal and expected traffic.
Attackers use DNS Tunneling to encode the data of other programs or protocols in DNS communication activity. DNS tunneling may include data payloads added to an attacked DNS server and used to control a remote server and applications. DNS tunneling requires the compromised system to have external network connectivity, as DNS tunneling requires access to an internal DNS server with network access. Hackers must also control a domain and a server that can act as an authoritative server to execute the server-side tunneling and data payload executable programs.
Protecting DNS with Foundational Security
BloxOne Threat Defense uses behavior analytics combined with machine learning to perform real-time analysis of incoming DNS queries, including entropy, n-gram, lexical, size, and frequency analysis to detect DNS tunnels. Threat Insight, the component in BloxOne Threat Defense that does this, also reduces false positives by detecting benign usage of DNS tunnels. DNS tunneling can be detected with two important methods—using threat intelligence to find known tunnels (for example, known malicious IPs and known bad domains) or using behavior-based analytics to detect known or previously unknown methods of DNS tunneling. The Infoblox solution uses both methods to uncover previously unknown attacks. Other solutions mostly use only threat intelligence methods, limiting their ability to identify and catch new attacks.
DNS based-controls also gives you scalable web and content filtering and can reduce your overall threat defense costs. BloxOne detects and blocks phishing, exploits, ransomware, and other malware, and it can also protect the modern workforce, including remote workers, from accessing objectionable or dangerous content.
BloxOne also provides deep visibility into compromised devices or potential insider threats by giving detailed information such as device type, IP address, MAC address, and, most importantly, the user associated with the device trying to exfiltrate data. This greatly reduces the time to identify and remediate threats. Security teams can be more productive, identify threats faster, and reduce the risk of a potential breach.
Learn more about DNS security here:
https://www.infoblox.com/products/bloxone-threat-defense/
Learn more about preventing DNS-based data exfiltration – check out this solution note:
If you want to know more, please reach out to us directly via https://info.infoblox.com/contact-form.
¹https://www.forbes.com/sites/kurtmarko/2014/07/10/trojan-hardware-spreads-apts/#4082b0942536
²https://attack.mitre.org/techniques/T1326/
³https://attack.mitre.org/techniques/T1071/004/
