The heads of UK and US security services have made an unprecedented joint public appearance at MI5 headquarters in Thames House, London, to warn of the threat from China. Cyber espionage is used heavily by People’s Republic of China (PRC) state-sponsored actors.
Per the BBC, FBI director Christopher Wray warned the audience explicitly that the Chinese government was “set on stealing your technology” using a range of tools. MI5 head Ken McCallum said the challenge posed by the Chinese Communist Party was “game-changing”, while Wray called it “immense” and “breathtaking”.
The MI5 head also said that China deployed cyber espionage to “cheat and steal on a massive scale”, with a hacking program larger than that of every other major country combined. The MI5 head said intelligence about cyber threats had been shared with 37 countries and that in May a sophisticated threat against aerospace had been disrupted.
FBI director Christopher Wray said China was the “biggest long-term threat to our economic and national security” and had interfered in politics, including recent elections.
MI5 head Ken McCallum said his service had more than doubled its work against Chinese activity in the last three years and would be doubling it again. MI5 is now running seven times as many investigations related to activities of the Chinese Communist Party compared to 2018, he added.
He said it posed “an even more serious threat to western businesses than even many sophisticated business people realized”. He cited cases in which people linked to Chinese companies out in rural America had been digging up genetically modified seeds which would have cost them billions of dollars and nearly a decade to develop themselves.
And he pointed to the interference alert issued by Parliament in January about the activities of Christine Lee. He said these types of operations aimed to amplify pro-Chinese communist party voices and silence those that questioned its authority. “It needs to be challenged,” the MI5 head said.
In the US, the FBI director said the Chinese government had directly interfered in a congressional election in New York this spring because they did not want a candidate who was a critic and former protester at Tiananmen Square to be elected. “China has for far too long counted on being everybody’s second-highest priority,” Wray said, adding: “They are not flying under the radar anymore.”
Cybersecurity Advisory AA22-158A on PRC State Sponsored Cyber Actors
Preceding the press conference by just a few weeks, in June 2022, a joint Cybersecurity Advisory (CSA) AA22-158A was co-authored and issued by the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI).
This CSA describes the ways in which People’s Republic of China (PRC) state-sponsored cyber actors continue to exploit publicly known vulnerabilities in order to establish a broad network of compromised infrastructure. These actors use the network to exploit a wide variety of targets worldwide, including public and private sector organizations. The advisory details the targeting and compromise of major telecommunications companies and network service providers, and lists the top vulnerabilities, primarily Common Vulnerabilities and Exposures (CVEs) in network devices, that these actors have routinely exploited since 2020.
PRC state-sponsored cyber actors readily exploit vulnerabilities to compromise unpatched network devices. Network devices, such as Small Office/Home Office (SOHO) routers and Network Attached Storage (NAS) devices, serve as additional access points to route command and control (C2) traffic and act as midpoints to conduct network intrusions on other entities. Over the last few years, a series of high-severity vulnerabilities for network devices provided cyber actors with the ability to regularly exploit and gain access to vulnerable infrastructure devices. In addition, these devices are often overlooked by cyber defenders, who struggle to maintain and keep pace with routine software patching of Internet-facing services and endpoint devices.
Earlier NSA Advisories Covered the Use of DNS by PRC State Sponsored Cyber Actors
The timely implementation of patching and updates is part of the mitigation effort recommended by the NSA. The NSA advisory “provides Common Vulnerabilities and Exposures (CVEs) known to be recently leveraged, or scanned-for, by Chinese state-sponsored cyber actors to enable successful hacking operations against a multitude of victim networks. Most of the vulnerabilities listed below can be exploited to gain initial access to victim networks using products directly accessible from the Internet and act as gateways to internal networks. The majority of the products are either for remote access (T1133) or external web services (T1190) and should be prioritized for immediate patching.”
Domain Name System Vulnerability in NSA Advisory
One of the top 25 vulnerabilities identified by the NSA is CVE-2020-1350. A remote code execution vulnerability exists in Windows Domain Name System servers when they fail to properly handle requests, aka ‘Windows DNS Server Remote Code Execution Vulnerability.’ This vulnerability was first published in the NIST National Vulnerability Database on July 14, 2020. It impacts Microsoft Windows Server 2008 through 2019.
A Protective DNS Approach to Blocking Threats
90% of malware, including most ransomware, uses DNS at some point in its lifecycle. Users will often click on phishing links, malicious emails, or inadvertently go to a website that may be hosting ransomware – these actions require a DNS lookup before connection. Subsequently, several back and forth communications between the device (which may also now be infected) and the Command & Control destination also happen over DNS.
Threat intelligence, analytics, and machine learning examining DNS activities can block these actions, either by preventing the initial infection or preventing the Command & Control callbacks that could result in the downloads of additional malicious code or encryption software.
In 2021, NSA and CISA also put out a document on selecting a Protective DNS Service that talks about how DNS is central to modern networks and why it can be used as a key defense mechanism against cyberthreats.
Learn more about DNS security here: https://www.infoblox.com/products/bloxone-threat-defense/
To find out more about how Infoblox can help protect your DNS infrastructure, please reach out to us via https://info.infoblox.com/contact-form/.
A June 2021 Gartner report recommends organizations leverage DNS logs for threat detection and forensic purposes with their Security Information and Event Management platforms.
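The two ideas above, that malware depends on DNS lookups during infection and Command & Control, and that DNS logs fed to a SIEM can surface that activity, can be shown with a small log analyzer. The following is an added example written for this post; it is not Infoblox product code and not from any of the advisories discussed. The log layout, client addresses, domain names and blocklist are all constructed for the example, and the three checks (blocklist match including subdomains, a high-entropy label heuristic for algorithmically generated domains, and beaconing detection by near-constant query intervals) are representative of what a protective DNS service or SIEM rule would apply, not a description of any specific vendor’s logic.

```python
"""Detect suspicious DNS activity in query logs (added example, not Infoblox code).

Three checks that a protective DNS service or SIEM rule typically applies:
  1. blocklist match (domain or any subdomain of a known-bad domain),
  2. high-entropy labels that look algorithmically generated (DGA heuristic),
  3. beaconing: one client querying one domain at a near-constant interval.
The log format, domains and blocklist below are constructed for the example.
"""
import math
import re
from collections import defaultdict
from datetime import datetime

# Constructed blocklist; a real deployment feeds this from threat intelligence.
BLOCKLIST = {"bad-c2.example", "phish-login.example"}

# Constructed log lines in a simple "timestamp client qname qtype" layout.
SAMPLE_LOG = """\
2022-07-06T10:00:00 10.0.0.5 www.microsoft.com A
2022-07-06T10:00:01 10.0.0.5 update.bad-c2.example A
2022-07-06T10:00:02 10.0.0.7 x7k2q9v4m1z8p3w6.example A
2022-07-06T10:01:01 10.0.0.5 update.bad-c2.example A
2022-07-06T10:02:01 10.0.0.5 update.bad-c2.example A
2022-07-06T10:03:01 10.0.0.5 update.bad-c2.example A
2022-07-06T10:03:30 10.0.0.9 mail.google.com MX
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_log(text):
    """Return (timestamp, client, qname, qtype) tuples; lines that don't match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m.group(1))
        records.append((ts, m.group(2), m.group(3).lower().rstrip("."), m.group(4)))
    return records


def is_blocklisted(qname, blocklist=BLOCKLIST):
    """True if qname equals, or is a subdomain of, any blocklisted domain."""
    labels = qname.split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def shannon_entropy(s):
    """Bits of entropy per character; random-looking DGA labels score high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_generated(qname, min_len=12, threshold=3.5):
    """Flag a leftmost label that is long and high-entropy (a heuristic, not proof)."""
    label = qname.split(".")[0]
    return len(label) >= min_len and shannon_entropy(label) >= threshold


def find_beacons(records, min_hits=3, tolerance=2.0):
    """Return (client, qname) pairs queried at a near-constant interval (seconds)."""
    times = defaultdict(list)
    for ts, client, qname, _ in records:
        times[(client, qname)].append(ts)
    beacons = []
    for key, stamps in times.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if max(gaps) - min(gaps) <= tolerance:
            beacons.append(key)
    return beacons


def analyze(text):
    """Run all three checks and return a sorted list of (reason, client, qname)."""
    records = parse_log(text)
    alerts = set()
    for _, client, qname, _ in records:
        if is_blocklisted(qname):
            alerts.add(("blocklist", client, qname))
        if looks_generated(qname):
            alerts.add(("dga-like", client, qname))
    for client, qname in find_beacons(records):
        alerts.add(("beacon", client, qname))
    return sorted(alerts)


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

Run against the constructed log, the blocklist check catches the subdomain of `bad-c2.example` on the first query (the “prevent the initial infection” case), the entropy check flags the random-looking label, and the beacon check flags the client that keeps returning to the same domain every 60 seconds (the Command & Control callback case). The entropy threshold and beacon tolerance are tuning knobs; in production they are set from a baseline of the organization’s own DNS traffic, and a blocklist hit would normally be enforced by the resolver itself rather than only alerted on after the fact.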
Russia’s invasion of Ukraine could impact organizations both within and beyond the region, to include malicious cyber activity against the U.S. homeland, including as a response to the unprecedented economic costs imposed on Russia by the U.S. and our allies and partners. Evolving intelligence indicates that the Russian Government is exploring options for potential cyberattacks. Every organization—large and small—must be prepared to respond to disruptive cyber incidents. As the nation’s cyber defense agency, CISA stands ready to help organizations prepare for, respond to, and mitigate the impact of cyberattacks. When cyber incidents are reported quickly, we can use this information to render assistance and as a warning to prevent other organizations and entities from falling victim to a similar attack.
Organizations should report anomalous cyber activity and/or cyber incidents 24/7 to report@cisa.gov or (888) 282-0870.