The National Security Agency (NSA) issued a cybersecurity advisory warning that Chinese state-sponsored actors have increased their attacks on American companies, including those that work closely with the U.S. government. The NSA warned that one of the greatest threats to U.S. National Security Systems (NSS), the U.S. Defense Industrial Base (DIB), and even Department of Defense (DoD) information networks remains hackers in China who work at the behest of Beijing.
Chinese state-sanctioned hackers plan the exploitation of a computer network with the same process that sophisticated cyber criminals use for profit. The same steps are employed: identifying a target, gathering technical information, identifying vulnerabilities, developing or re-using an exploit for those vulnerabilities, and then launching the attack.
“This warning highlights the trend of nation-state actors expanding their focus, from the .gov and .mil domains to prioritizing the exploitation of companies in the defense industrial base or with any connection to U.S. government data,” said John Dermody, counsel in the Washington, D.C., office of international law firm O’Melveny & Myers and member of the firm’s Data Security & Privacy Group, in an email to ClearanceJobs.
“Hackers can now choose from a menu of readily-deployable malware, already-developed access to victims, network exploitation services, and post-breach monetization services,” added Dermody. “This has resulted in entrepreneurial cyber-actors going out and developing access to a broad scope of companies and offering to sell it to the highest bidder, whether that be cyber criminals or nation states.”
The Top 25 Vulnerabilities
Along with its warning, the NSA published an in-depth report that detailed the top 25 vulnerabilities currently being scanned for, targeted, and exploited. All of these bugs are well known, and all of them have patches. However, because these vulnerabilities continue to be targeted, the NSA has called greater attention to them and highlighted the need to address them as soon as possible.
“The NSA advisory identified 25 known vulnerabilities that state or state-sponsored attackers from China are known to actively use, or have scanned for,” explained cybersecurity expert Saryu Nayyar, CEO of Gurucul. “It’s important to realize that this list is only the ones they know of. These attackers have considerable resources that they can, and do, dedicate to finding and developing attacks against a broad range of systems. They have exploited vulnerabilities in network equipment, servers, and mobile devices, and will continue to do so.”
While many of the vulnerabilities have been known to cybersecurity professionals, this is the first time that the NSA – the nation’s premier electronic intelligence agency – has specifically described them as prime targets for Chinese state-sponsored attacks.
“State-sponsored attackers are nothing new,” Nayyar told ClearanceJobs. “Governments have always employed researchers to find vulnerabilities and developed attacks that exploit them to further their own agendas. Given the current geopolitical situation, it is no surprise we are hearing more about attacks originating from China.
“However, state and state-sponsored threat actors will remain a serious challenge for civilian targets.
“The attackers are effectively immune from prosecution and, as civilians, the victims can’t ‘return fire’ even when they know who is attacking them,” warned Nayyar. “We have to rely on our own defenses to mitigate these attacks, and hope the government agencies responsible for protecting our vital infrastructure will extend that protection to other areas under threat.”
The NSA noted that most of the vulnerabilities it listed could be exploited to gain initial access to a victim network through products that provide remote access or host external web services, and these products should be patched accordingly. The NSA also offered tips to mitigate such attacks:
- Keep systems and products updated and patched as soon as possible after patches are released.
- Expect that data stolen or modified (including credentials, accounts, and software) before the device was patched will not be remedied by patching, making password changes and reviews of accounts a good practice.
- Disable external management capabilities and set up an out-of-band management network.
- Block obsolete or unused protocols at the network edge and disable them in device configurations.
- Isolate Internet-facing services in a network Demilitarized Zone (DMZ) to reduce the exposure of the internal network.
- Enable robust logging of Internet-facing services and monitor the logs for signs of compromise.
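As an added example (not code from the advisory or from this article), the following Python script audits a constructed, INI-style edge-device configuration against the mitigations listed above: a management plane that listens externally or is reachable from any source, obsolete protocols offered by management or permitted at the network edge, and Internet-facing services that sit outside a DMZ or have logging disabled. The configuration format, the section and interface names (`wan`, `oob`), and the set of protocols treated as obsolete are assumptions made for illustration; real device syntax varies by vendor.

```python
import ipaddress
from dataclasses import dataclass

# Assumption: a representative set of legacy protocols; not a list taken from the advisory.
OBSOLETE_PROTOCOLS = {"telnet", "ftp", "tftp", "snmpv1", "snmpv2c", "smbv1",
                      "ssh1", "sslv3", "tlsv1.0"}


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" or "medium"
    check: str     # which of the listed mitigations the finding maps to
    detail: str


def parse_config(text: str) -> dict[str, dict[str, str]]:
    """Parse the constructed INI-like format into {section: {key: value}}."""
    cfg: dict[str, dict[str, str]] = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and surrounding space
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            cfg[section] = {}
        elif "=" in line and section is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            cfg[section][key.lower()] = value
        else:
            raise ValueError(f"unparseable line: {raw!r}")
    return cfg


def _csv(value: str) -> set[str]:
    return {v.strip().lower() for v in value.split(",") if v.strip()}


def audit(cfg: dict[str, dict[str, str]]) -> list[Finding]:
    """Return one Finding per deviation from the listed mitigations."""
    findings: list[Finding] = []
    mgmt = cfg.get("management", {})

    # Disable external management; keep it on an out-of-band (OOB) network.
    if "wan" in _csv(mgmt.get("enabled_on", "")):
        findings.append(Finding("high", "external-management",
                                "management plane listens on wan; restrict it to oob"))
    for net in _csv(mgmt.get("allowed_from", "")):
        if ipaddress.ip_network(net, strict=False).prefixlen == 0:
            findings.append(Finding("high", "external-management",
                                    f"management reachable from any source ({net})"))

    # Disable obsolete protocols in the device configuration ...
    legacy = _csv(mgmt.get("protocols", "")) & OBSOLETE_PROTOCOLS
    if legacy:
        findings.append(Finding("high", "obsolete-protocol",
                                "management offers: " + ", ".join(sorted(legacy))))
    # ... and block them at the network edge.
    legacy = _csv(cfg.get("edge", {}).get("permit", "")) & OBSOLETE_PROTOCOLS
    if legacy:
        findings.append(Finding("high", "obsolete-protocol",
                                "edge filter permits: " + ", ".join(sorted(legacy))))

    # Isolate Internet-facing services in a DMZ and log them.
    for name, svc in cfg.items():
        if not name.startswith("service:") or "wan" not in _csv(svc.get("interface", "")):
            continue
        if svc.get("zone", "").lower() != "dmz":
            findings.append(Finding("medium", "dmz-isolation", f"{name} faces the Internet outside the DMZ"))
        if svc.get("logging", "off").lower() != "on":
            findings.append(Finding("medium", "logging", f"{name} faces the Internet without logging"))
    return findings


# Constructed sample: a device configured the way the advisory warns against.
WEAK_CONFIG = """
[management]
enabled_on = wan, oob
allowed_from = 0.0.0.0/0
protocols = https, ssh, telnet

[edge]
permit = https, ssh, ftp, snmpv1, telnet

[service:web]
interface = wan
zone = internal
logging = off
"""

# Constructed sample: the same device after the mitigations are applied.
HARDENED_CONFIG = """
[management]
enabled_on = oob
allowed_from = 10.255.0.0/24
protocols = https, ssh

[edge]
permit = https, ssh

[service:web]
interface = wan
zone = dmz
logging = on
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        results = audit(parse_config(text))
        print(f"== {label} config: {len(results)} finding(s)")
        for f in results:
            print(f"  [{f.severity}] {f.check}: {f.detail}")
```

Run it as a script to see the weak configuration produce findings under each of the mitigation headings while the hardened one produces none. The checks are deliberately configuration-only: they tell you what the device is configured to expose, not what an external scan would actually reach, so pair them with the logging and monitoring the last bullet calls for.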
Cybersecurity due diligence should remain a priority, and this should include regular backups, watching for social engineering, and keeping devices at all levels patched and up to date.
“Our best defense is to deploy best-in-breed security solutions, including behavioral analytics that can adapt to new threats, and to follow industry best practices across the board,” said Nayyar. “Patch management, user education, etc.”
A full list of the threats is available on the NSA Cybersecurity Advisory.