Cybersecurity insights from industry experts.

A Frontline Report of Chinese Threat Actor Tactics and Techniques

Threat intel experts see a reduced focus on desktop malware as threat groups prioritize passwords and tokens that let them access the same systems as remote workers.

Microsoft Security, Microsoft

October 11, 2023

3 Min Read
Image of chinese flag overlaid on digital background of zeroes and ones with a 3d outline of the globe
Source: Klaus Ohlenschlaeger via Alamy Stock Photo

Every day more than 8,000 Microsoft threat intelligence experts, researchers, analysts, and threat hunters analyze trillions of daily signals to uncover emerging threats and deliver timely, relevant security insights. 

While a good portion of this work is dedicated to threat actors and the infrastructure that enables them, we also focus on nation-state groups to contextualize their activities within the broader scope of geopolitical trends. This is critical in uncovering the "why" behind criminal activity, as well as preparing and protecting vulnerable audiences who may become the target of future attacks.

Read on to learn more about how Chinese nation-state tactics, techniques and procedures (TTPs) and threat activity have evolved over time.

Adapting Is the Name of the Game

As with most global industry sectors, COVID-19 led to a number of changes within the Chinese cyber-espionage landscape. The near-overnight shift in the number of employees working from their offices to their individual homes meant companies had to enable remote access to sensitive systems and resources that were previously restricted to corporate networks. In fact, one study found that telework jumped from 5% to 50% of paid US work hours between April and December 2020. Threat actors took advantage of this change by attempting to blend in with the noise, masquerading as remote workers in order to access these resources.

Additionally, because enterprise access policies had to be deployed so quickly, many organizations didn't have adequate time to research and review best practices. This created a gap for cybercriminals, enabling them to exploit system misconfigurations and vulnerabilities. 

As a consequence of this trend, Microsoft threat intelligence experts are seeing fewer instances of desktop malware. Instead, threat groups appear to be prioritizing passwords and tokens that enable them to access sensitive systems used by remote workers.

For example, Nylon Typhoon (formerly NICKEL) is one of the many threat actors that Microsoft tracks. Originally founded in China, Nylon Typhoon leverages exploits against unpatched systems to compromise remote access services and appliances. Once the nation-state actor achieves a successful intrusion, it uses credential dumpers or stealers to obtain legitimate credentials, access victim accounts, and target higher-value systems. 

Recently, Microsoft observed a threat group believed to be Nylon Typhoon conducting a series of intelligence collection operations against China's Belt and Road Initiative (BRI). As a government-run infrastructure project, this incident activity likely straddled the line between traditional and economic espionage.

Common TTPs Deployed by Chinese Nation-State Groups

One significant trend that we've observed coming out of China is the shifting focus from user endpoints and custom malware to concentrated resources that exploit edge devices and maintain persistence. Threat groups successfully using these devices to gain network access can potentially remain undetected for a significant period of time.

Virtual private networks (VPNs) are one significant target. Although organizations have begun to implement more stringent security measures, such as tokens, multifactor authentication, and access policies, cybercriminals are adept at navigating these defenses. VPNs are an attractive target because, when compromised successfully, they eliminate the need for malware. Instead, threat groups can simply grant themselves access and log in as any user.

Another rising trend is the use of Shodan, Fofa, and similar databases that scan the Internet, catalog devices, and identify different patch levels. Nation-state groups will also conduct their own Internet scans to uncover vulnerabilities, exploit devices, and, ultimately, access the network. 

This means organizations have to do more than just device patching. An effective solution involves inventorying your Internet-exposed devices, understanding your network perimeters, and cataloging device patch levels. Once that has been achieved, organizations can focus on establishing a granular logging capability and monitoring for anomalies.

As with all cybersecurity trends, nation-state activity is ever-evolving, and threat groups are growing more sophisticated in their attempts to compromise systems and enact damage. By understanding the attack patterns of these nation-state groups, we can better prepare ourselves to defend against future threats.

— Read more Partner Perspectives from Microsoft Security.

Read more about:

Partner Perspectives

About the Author(s)

Microsoft Security


Protect it all with Microsoft Security.

Microsoft offers simplified, comprehensive protection and expertise that eliminates security gaps so you can innovate and grow in a changing world. Our integrated security, compliance, and identity solutions work across platforms and cloud environments, providing protection without compromising productivity.

We help customers simplify the complex by prioritizing risks with unified management tools and strategic guidance created to maximize the human expertise inside your company. Our unparalleled AI is informed by trillions of signals so you can detect threats quickly, respond effectively, and fortify your security posture to stay ahead of ever-evolving threats.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights