China cyber threats: What businesses can do to protect themselves
China-based threat groups are a constant concern for cybersecurity teams. As Western governments ramp up warnings of China cyber threats, business leaders must consider their defense posture and exposure as viable targets.
While China ranked third for cybercriminal activity in a 2024 study by the University of Oxford and UNSW Canberra Cyber, behind only Russia and Ukraine, recent attacks have put it more firmly on the radar of public and private cyber defense teams. In early December, a senior national security adviser in the Biden Administration warned that a Chinese state-sponsored hacking group had breached telecommunications firms in “dozens of countries”.
The Chinese state-sponsored hacking campaign against US telecoms firms is a “very, very serious matter” that is “still going on,” Homeland Security Secretary Alejandro Mayorkas said in a recent interview on MSNBC.
Also in December, the new chief of the UK National Cyber Security Centre (NCSC) issued a warning that China is targeting businesses, saying the threat is not being taken seriously enough. Since then, Chinese threat actors have been accused of carrying out a major cyber attack on the US Treasury.
So, as government alerts increase, what do businesses need to be aware of and what should they be doing to shore up security?
China’s evolving aims
China has one main aim driving its cyberespionage efforts: Economics, says Philip Ingram, MBE, a former colonel in British military intelligence. “They will do anything and use the full range of their state apparatus to try and give Chinese companies and the Chinese Communist Party (CCP) an economic advantage across the globe.”
To achieve this, China-backed threat actors target businesses and “all data”, Ingram says. He compares such groups to “a super vacuum cleaner for data”, which is why telecoms firms have been targeted.
“Not only is there a business interest in knowing how their domestic and international networks are being marketed and what contracts are pending, but they are the conduits for much of that data China wants to suck up.”
Since the 2010s, techniques and tactics have grown “noticeably more overt and aggressive in pursuit of these goals”, says Casey Ellis, founder of Bugcrowd.
In the cybersecurity sphere, Ellis explains how this shift is exemplified by “moving from covert, espionage-focused cyber operations to a more openly aggressive ‘spray and pray’ approach, around the end of 2019”.
The “character and tone” of Chinese cyber operations have “certainly shifted to a far more aggressive posture”, says Ian Thornton-Trump, CISO at Inversion6. This is not surprising, he says. “What is rather surprising is how successful the Chinese have been in bypassing US cyber defenses.”
China’s strategic goals remain unwavering. However, the country’s ability to “go undetected, find unique access points and smartly gather and exfiltrate data and intelligence” is evolving, says Crystal Morin, cybersecurity strategist at Sysdig.
“We are at the point now where security professionals have grown up with access to technology. China, which has maintained decades of intelligence on its adversaries, is now able to provide incredibly intelligent and technologically-savvy working professionals with this access and information. This makes Chinese adversaries incredibly successful and just plain good.”
In tandem, the techniques China-backed hackers are using have become more sophisticated, involving ever-more realistic-looking AI-generated content and deepfakes that are harder to detect, says Megha Kumar, chief product officer and head of geopolitical risk at cybersecurity consultancy CyXcel.
Notable China-based hacking groups
There are many China-backed threat groups, but in recent months three have particularly stood out. The first is Flax Typhoon – which is “definitely the noisiest group”, given its opportunistic targeting of Internet of Things (IoT) devices, says Ellis. The US Treasury Department has imposed sanctions on Integrity Technology Group, a company it has accused of close ties with Flax Typhoon and of operating a major international botnet.
Salt Typhoon – the Chinese adversary targeting telecoms and recording phone conversations – should be a key consideration for ISPs, IT infrastructure providers, and organizations “downstream or adjacent to these types of companies”, Ellis adds.
Meanwhile, Volt Typhoon focuses on targeting critical and defense infrastructure, combined with a preference for stealthier ‘living off the land’ techniques, says Ellis. “There are a variety of other groups, but these three have been the most frequently discussed and are currently regarded as the most significant from a national security standpoint.”
State-sponsored attackers such as Salt Typhoon and Volt Typhoon have targeted US communications infrastructure over the past couple of years, says Simon Heath, managing partner at Heligan Group.
Others, such as APT31 and APT41, target a wide range of Western sectors, “conducting surveillance activities as well as financially motivated operations”, Heath says.
Tackling the China cyber threat
The China threat is persistent, but the risk can be reduced if businesses take the time to assess their own exposure and put basic measures in place.
As part of this, companies need to take a proactive approach to cybersecurity so defenses are as robust as possible, says Kumar. This means defense-in-depth, covering access controls, vulnerability management, and patching. In addition, focus on awareness training, continuous monitoring, detailed visibility into IT supply chains, and appropriate risk transfer mechanisms, Kumar says.
Threat intelligence is key, especially relating to your specific sector. At the same time, pay attention to announcements from the Cybersecurity and Infrastructure Security Agency (CISA) and the NCSC, and “deploy multiple advanced security technologies from the edge of your network to the device level”, Thornton-Trump advises.
The US National Security Agency (NSA), Federal Bureau of Investigation (FBI), and CISA published guidance for hardening communications infrastructure following the recent news, says Morin. “The NSA and CISA’s websites both offer guidance for various business sectors, including SMBs, to proactively enhance their security posture.”
It’s a good idea to take steps to understand your external attack surface, monitor feeds such as CISA’s Known Exploited Vulnerabilities database, and ensure you’re prioritizing patches based on reachability and the likelihood of exploitation, Ellis adds.
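The reachability-based prioritization Ellis describes can be made concrete. The following is an added example, not code from the article or from any of the people quoted in it: it reads a feed in the shape of CISA's Known Exploited Vulnerabilities JSON together with an asset inventory, both constructed here with placeholder CVE identifiers, and ranks each open KEV-listed vulnerability by whether the host is internet-facing, whether the entry is flagged for known ransomware use, and whether the host holds sensitive data. The field names follow the published KEV feed; the asset fields, the scoring weights and the hostnames are the example's own assumptions.

```python
"""Prioritize patching from a CISA KEV-style feed against an asset inventory.

Added example, not from the article. The feed excerpt and inventory below are
constructed; the real feed is published at
https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
"""
from __future__ import annotations

import json
from dataclasses import dataclass

# Constructed excerpt in the shape of the KEV JSON feed. The CVE IDs are
# placeholders, not real vulnerabilities.
KEV_FEED_JSON = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "ExampleNet", "product": "EdgeGateway",
         "knownRansomwareCampaignUse": "Known", "dueDate": "2025-01-10"},
        {"cveID": "CVE-0000-0002", "vendorProject": "ExampleSoft", "product": "DocViewer",
         "knownRansomwareCampaignUse": "Unknown", "dueDate": "2025-02-01"},
        {"cveID": "CVE-0000-0003", "vendorProject": "ExampleNet", "product": "CoreSwitch",
         "knownRansomwareCampaignUse": "Unknown", "dueDate": "2025-01-20"},
    ]
})


@dataclass
class Asset:
    """One host as your CMDB and scanner see it (field names are assumptions)."""
    hostname: str
    vendor: str
    product: str
    open_cves: tuple[str, ...]      # unpatched CVEs reported by your scanner
    internet_facing: bool           # from external attack surface mapping
    holds_sensitive_data: bool      # from your data classification


# Constructed inventory: one exposed edge device, one data store, two internal boxes.
ASSETS = [
    Asset("vpn-edge-01", "ExampleNet", "EdgeGateway", ("CVE-0000-0001",), True, False),
    Asset("fileshare-02", "ExampleSoft", "DocViewer", ("CVE-0000-0002",), False, True),
    Asset("core-sw-03", "ExampleNet", "CoreSwitch", ("CVE-0000-0003", "CVE-0000-0002"), False, False),
    Asset("dev-laptop-07", "ExampleSoft", "DocViewer", ("CVE-0000-0002",), False, False),
]


def load_kev(feed_json: str) -> dict[str, dict]:
    """Index KEV entries by CVE ID."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}


def score(asset: Asset, entry: dict) -> int:
    """Reachability-weighted priority; higher means patch sooner.

    Any KEV listing sets a floor of 50: exploitation is observed, not theoretical.
    The weights are this example's assumption, not a published scheme.
    """
    s = 50
    if asset.internet_facing:
        s += 30     # reachable from the open internet: the realistic first hop
    if entry.get("knownRansomwareCampaignUse") == "Known":
        s += 15     # CISA has tied the bug to active ransomware campaigns
    if asset.holds_sensitive_data:
        s += 10     # the data a data-hungry adversary is after
    return s


def prioritize(assets: list[Asset], feed_json: str) -> list[tuple[str, str, int]]:
    """Return (hostname, cve, score) for every open KEV-listed CVE, highest first.

    Open CVEs that are not in KEV are dropped here; they stay in the normal
    patch cycle rather than the expedited one.
    """
    kev = load_kev(feed_json)
    work = []
    for a in assets:
        for cve_id in a.open_cves:
            if cve_id in kev:
                work.append((a.hostname, cve_id, score(a, kev[cve_id])))
    return sorted(work, key=lambda t: (-t[2], t[0], t[1]))


if __name__ == "__main__":
    for host, cve, s in prioritize(ASSETS, KEV_FEED_JSON):
        print(f"{s:3d}  {host:<15} {cve}")
```

The ranking puts the internet-facing gateway with a ransomware-linked bug at the top and the unexposed laptop at the bottom, which is the point: a KEV listing says a flaw is being exploited somewhere, and reachability from your perimeter says whether it can be exploited here. In production the `open_cves` tuple comes from scanner output and `internet_facing` from an external attack-surface scan, not from hand-written constants.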
It’s also important to consider your line of business and whether it falls under one of the most-targeted industries for cyber attacks. “Critical infrastructure verticals, and any organization where a significant amount of data transits or is stored, are clearly in the crosshairs,” says Ellis. However, it isn’t limited to just these types of companies, he adds.
The need for defenses is twofold if your threat model suggests you have technology China may benefit from, says Thornton-Trump. “The first is to be actively threat hunting for indications of compromise in your own infrastructure and next, apply rigorous attention to supply chain cyber hygiene.”
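Thornton-Trump's first recommendation, actively hunting for indications of compromise, is illustrated below with an added example that is not from the article or from any organization quoted in it. It scans constructed process-creation log lines (a pipe-separated timestamp, host, user and command line, a format assumed for the example) for use of built-in Windows tools of the kind associated with the stealthy 'living off the land' tradecraft mentioned earlier, and flags a host only when several distinct techniques show up on it, since any one of them alone is routine administrative noise. The pattern list and technique names are the example's own selection and should be tuned to your environment.

```python
"""Hunt process-creation logs for living-off-the-land command patterns.

Added example, not from the article. The log lines are constructed in an
assumed export format (timestamp|host|user|command_line) such as you might
pull from Sysmon Event ID 1 or Windows 4688 events. Pattern names and
regexes are this example's own selection of commonly abused built-in tools.
"""
import re
from collections import defaultdict

# Each pattern catches one technique; a single hit is a lead, not an alert.
LOTL_PATTERNS = {
    "portproxy_pivot": re.compile(r"netsh\s+interface\s+portproxy\s+add", re.I),
    "ntds_access": re.compile(r"ntdsutil|ntds\.dit", re.I),
    "shadow_copy": re.compile(r"vssadmin\s+create\s+shadow|wmic\s+shadowcopy\s+call\s+create", re.I),
    "hive_dump": re.compile(r"reg(\.exe)?\s+save\s+hklm\\(sam|system|security)", re.I),
    "recon_ad": re.compile(r"\bdsquery\b|\bnltest\s+/dclist", re.I),
}

# Constructed sample: a service account on FS-02 chains a shadow copy, a copy
# of ntds.dit out of it, a SYSTEM hive save and a port-proxy pivot within
# minutes; WS-17 shows a lone shadow copy, which is what backups look like.
LOG_LINES = r"""
2025-01-06T02:11:04Z|FS-02|CORP\svc_backup|vssadmin create shadow /for=C:
2025-01-06T02:11:31Z|FS-02|CORP\svc_backup|cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit C:\Windows\Temp\ntds.dit
2025-01-06T02:12:07Z|FS-02|CORP\svc_backup|reg save hklm\system C:\Windows\Temp\sys.hiv
2025-01-06T02:15:40Z|FS-02|CORP\svc_backup|netsh interface portproxy add v4tov4 listenport=9999 connectaddress=10.0.0.5 connectport=3389
2025-01-06T09:30:12Z|WS-17|CORP\alice|wmic shadowcopy call create Volume=C:
2025-01-06T09:31:00Z|WS-17|CORP\alice|explorer.exe
""".strip().splitlines()


def parse(line: str) -> tuple[str, str, str, str]:
    """Split one export line into (timestamp, host, user, command_line)."""
    ts, host, user, cmd = line.split("|", 3)
    return ts, host, user, cmd


def match_techniques(cmd: str) -> set[str]:
    """Names of every LOTL pattern that matches this command line."""
    return {name for name, rx in LOTL_PATTERNS.items() if rx.search(cmd)}


def hunt(lines: list[str], min_distinct: int = 2) -> dict[str, dict]:
    """Group matches per host and return hosts with >= min_distinct techniques.

    Requiring several distinct techniques on one host is what separates a
    backup job (one shadow copy) from credential theft followed by a pivot.
    """
    per_host = defaultdict(lambda: {"techniques": set(), "hits": []})
    for line in lines:
        ts, host, user, cmd = parse(line)
        found = match_techniques(cmd)
        if found:
            per_host[host]["techniques"] |= found
            per_host[host]["hits"].append((ts, user, sorted(found)))
    return {h: d for h, d in per_host.items() if len(d["techniques"]) >= min_distinct}


if __name__ == "__main__":
    for host, detail in hunt(LOG_LINES).items():
        print(f"{host}: {sorted(detail['techniques'])}")
        for ts, user, names in detail["hits"]:
            print(f"  {ts} {user} {names}")
```

Run against the sample, only FS-02 is returned, with four distinct techniques and the account and timestamps that tie them together; WS-17 is not, because one shadow copy is not a finding. The value of a hunt like this is the correlation, not the regexes: the individual commands are legitimate administration, which is exactly why they are attractive to an adversary who wants to stay resident without dropping malware.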
When tackling the China threat, it’s important to be realistic. Businesses need to be aware that their data and individuals are vulnerable, says Ingram. “Chinese technology is prolific and businesses need to examine what is being used against a risk matrix. This is why we are seeing Western governments banning telecoms technologies from national networks and removing some CCTV manufacturers from government sites.”