On Wednesday May 24, Microsoft issued a warning saying that Chinese state-sponsored hackers have compromised critical infrastructure across a variety of industries, including government and communications organizations.
The warning followed a recent incident discovered and reported by Check Point Research, the threat intelligence division of Check Point, in which the Chinese state-sponsored APT group Camaro Dragon carried out separate attacks on European foreign affairs entities.
According to a comprehensive analysis by its researchers, these attacks implanted malicious firmware built for TP-Link routers, including a custom backdoor called Horse Shell, which allowed the attackers to maintain persistent access, build anonymous infrastructure and enable lateral movement between compromised networks.
Now the United States, Australia, Canada, New Zealand and the United Kingdom, the member countries of the Five Eyes intelligence alliance, have issued a joint advisory highlighting “a recently discovered set of activities of interest linked to a People’s Republic of China (PRC) state-sponsored cyber actor, also known as Volt Typhoon.”
As Microsoft detailed on its official blog, Volt Typhoon routes all of its network traffic to its targets through compromised SOHO network equipment, including routers from manufacturers such as ASUS, Cisco, D-Link, NETGEAR and Zyxel, as well as products from other global manufacturers. Many of these devices can be compromised because their HTTP or SSH management interfaces are exposed to the Internet.
Attacks from China-based cyber espionage groups are nothing new to Check Point Research or to the cyber security community. Chinese APT groups like Volt Typhoon already have their own campaign history. Their primary motivation is often strategic intelligence gathering, targeted disruption, or gaining a foothold in networks for future use.
The recent advisory points to a variety of techniques employed by these threat actors, but of particular interest is their focus on “living off the land” and their exploitation of network equipment such as routers.
However, the United States is not the only target of this espionage. An earlier CISA advisory, from 2021, listed common techniques used by Chinese state-sponsored APTs. Among them, it noted that attackers use vulnerable routers as part of their operational infrastructure both to avoid detection and to host command-and-control activity.
Also in 2021, CERT-FR reported a large campaign by APT31, a threat actor affiliated with China. It found that the actor was using a mesh network of compromised routers orchestrated by malware that CERT-FR dubbed Pakdoor.
In March 2023, Check Point Research revealed Chinese espionage attacks against government entities in Southeast Asia, particularly countries with overlapping territorial claims or strategic infrastructure projects, such as Vietnam, Thailand and Indonesia.
In recent years, Chinese cyberattack groups have become increasingly interested in compromising edge devices, with the aim of building a resilient and more anonymous command-and-control (C&C) infrastructure from which to gain a foothold within their targets’ networks.
Network devices such as routers, typically considered the perimeter of a company’s digital environment, are the first point of contact for Internet-based communications. They are responsible for routing and managing network traffic, both legitimate and potentially malicious. By compromising these devices, attackers can blend their traffic with legitimate communications, which makes it very difficult to detect. Once reconfigured or compromised, these devices allow attackers to tunnel communications across networks, effectively anonymising their traffic and evading traditional detection methods.
This strategy also complements Volt Typhoon’s “living off the land” approach. Instead of deploying malware, which many modern security systems can detect, the group leverages built-in network and system management tools such as wmic, ntdsutil, netsh and PowerShell, thereby reducing its footprint in the environment. Furthermore, this method lets its malicious activity blend in with otherwise benign administrative actions, making it difficult for security staff to distinguish attackers from legitimate users.
These techniques also allow the APT group to maintain persistence within the infected network. Compromised Small Office/Home Office (SOHO) network devices can be used as intermediary infrastructure to hide the attackers’ true origin and maintain control over the network even if other elements of the operation are discovered and removed, leading victims to believe that the threat has been eliminated.
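Because the tools named above are also used daily by legitimate administrators, their mere presence in process logs is not a signal; a first-seen combination of host, account and tool is. The following is an added illustration, not code from the article or from Check Point or Microsoft; the `host=... user=... image=...` log format and all values in it are constructed for the example.

```python
"""Added example: first-seen detection of living-off-the-land tool use.
Builds a per-(host, user) baseline of which built-in tools each account
has run before and alerts only on new pairings. All log lines are constructed."""
import re
from collections import defaultdict

# Built-in management tools the article names as Volt Typhoon's toolset.
LOLBINS = {"wmic.exe", "ntdsutil.exe", "netsh.exe", "powershell.exe"}

# Constructed historical process-creation events (known-good activity).
BASELINE_LOG = """\
host=DC01 user=CORP\\svc_backup image=C:\\Windows\\System32\\ntdsutil.exe
host=WS07 user=CORP\\helpdesk image=C:\\Windows\\System32\\netsh.exe
host=WS07 user=CORP\\helpdesk image=C:\\Windows\\System32\\wmic.exe
host=DC01 user=CORP\\svc_backup image=C:\\Windows\\System32\\ntdsutil.exe
"""

# Constructed new events to evaluate against the baseline.
NEW_LOG = """\
host=WS07 user=CORP\\helpdesk image=C:\\Windows\\System32\\netsh.exe
host=WS12 user=CORP\\jdoe image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
host=WS12 user=CORP\\jdoe image=C:\\Windows\\System32\\ntdsutil.exe
host=WS12 user=CORP\\jdoe image=C:\\Windows\\System32\\notepad.exe
"""

EVENT_RE = re.compile(r"host=(\S+) user=(\S+) image=(\S+)")

def parse_events(log):
    """Yield (host, user, image basename) for each well-formed line."""
    for line in log.splitlines():
        m = EVENT_RE.match(line)
        if m:
            host, user, image = m.groups()
            yield host, user, image.rsplit("\\", 1)[-1].lower()

def build_baseline(log):
    """Map (host, user) -> set of LOLBins that pairing has run before."""
    seen = defaultdict(set)
    for host, user, tool in parse_events(log):
        if tool in LOLBINS:
            seen[(host, user)].add(tool)
    return seen

def find_first_seen(baseline, log):
    """Return LOLBin executions absent from the baseline, deduplicated, in order."""
    alerts = []
    for host, user, tool in parse_events(log):
        if tool in LOLBINS and tool not in baseline.get((host, user), set()):
            if (host, user, tool) not in alerts:
                alerts.append((host, user, tool))
    return alerts
```

Run on the constructed data, `find_first_seen(build_baseline(BASELINE_LOG), NEW_LOG)` flags only the two never-before-seen tool launches by `CORP\jdoe` on WS12, while the helpdesk account's routine `netsh` use stays quiet.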
“The discovery of the agnostic nature of this malicious firmware indicates that a wide range of devices and vendors may be at risk,” explains Eusebio Nieva, Check Point Software’s technical director for Spain and Portugal. “The ultimate goal of our research is to help businesses and individuals alike improve their security posture. In the meantime, we continue to advise keeping any network device up to date and secure, and staying alert to any suspicious activity within our networks.”