informa
2 min read
article

China-Sponsored Cyberattackers Target Networking Gear to Build Widespread Attack Infrastructure

Compromised routers, VPNs, and NAS devices from Cisco, Citrix, Pulse, Zyxel, and others are all being used as part of an extensive cyber espionage campaign.

State-sponsored cyberattackers affiliated with China are actively building out a large network of attack infrastructure by compromising targets in the public and private spheres.

According to a joint alert from Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the FBI, the attackers are targeting major telecom companies and network service providers with a set of exploits for known vulnerabilities in a variety of routers, VPNs, and other networking gear, as well as network-attached storage (NAS) devices.

The network devices are then being used as additional access points to route command-and-control (C2) traffic and act as midpoints to carry out network intrusions on other entities, according to the alert — all bent on stealing sensitive information.

The cyberattackers "typically conduct their intrusions by accessing compromised servers called hop points from numerous China-based IP addresses resolving to different Chinese ISPs," the Feds noted. "The cyber-actors typically obtain the use of servers by leasing remote access directly or indirectly from hosting providers. They use these servers to register and access operational email accounts, host C2 domains, and interact with victim networks. Cyber-actors [also] use these hop points as an obfuscation technique when interacting with victim networks."

On the obfuscation front, CISA said it has observed the groups monitoring network defenders' accounts and actions, modifying their ongoing campaign as needed to remain undetected.

The groups also "often mix their customized toolset with publicly available tools, especially by leveraging tools that are native to the network environment, to obscure their activity by blending into the noise or normal activity of a network."

Commonly exploited bugs used by China-linked threat actors.
Commonly exploited bugs used by China-linked threat actors. (Source: NSA/CISA/FBI)

To avoid compromise, users should apply available patches, disable unnecessary ports and protocols, and replace end-of-life infrastructure, the agencies noted.