Chinese hackers are now using this tactic for spying

Named and shamed globally for spying, China has changed its tactics for gathering intelligence without detection. State-sponsored Chinese hackers are now heavily relying on zero-day exploits, as per a Google-owned security firm.

Zero-day attack refers to exploiting vulnerabilities on online networks that are discovered before software packages are released to patch them.

China is seen as a top threat to governments and private networks across the world. The US’ cyber defence agency categorises Chinese state-backed hackers as “the broadest, most active and persistent cyber threat” to US infrastructure.

“People’s Republic of China (PRC) cyber espionage groups were the most prolific attackers to exploit zero-days in 2023, and demonstrated a focus on stealth in their zero-day exploitation campaigns,” reads the M-Trends 2024 Special Report released by Mandiant.

Increased use of zero-day vulnerability exploitation helped threat actors evade attack detection last year, it said.

The report identified 29 espionage groups from China, Russia, Iran, and North Korea. Attacks on edge devices – hardware pieces that act as an entry or exit point for data flow between two networks – like VPN appliances, firewalls, routers and Internet of Things (IoT) was one of the most notable trends in cyber threats in 2023.

Email security gateway appliances and VPNs are high-availability edge devices that run for months or years at a time without being rebooted, according to Mandiant.

Mandiant researchers tracked 97 unique zero-day vulnerabilities exploited in 2023, surpassing the volume tracked in 2022 by nearly
56%. They also acknowledge in-depth knowledge of the China-nexus attackers when targeting edge devices and their future deployment of custom malware tailored for the device.

“I think there is a very deliberate focus by the Chinese government to start to identify zero-day vulnerabilities and develop malware for
edge devices. And something that might surprise people is that we see Chinese espionage operators using less and less malware today on Windows computers than ever before,” Charles Carmakal, chief technology officer at Mandiant, told The Record.

INCREASING CHINESE SPYING

In February, an alleged leak of data belonging to a Chinese Ministry of Public Security vendor named i-Soon gave details of China’s espionage operations with evidence of conducting cyberattacks across the world, including India.

Last October, hackers exploited an unpatched zero-day vulnerability in Cisco’s networking software to compromise tens of thousands of devices, allowing attackers full control of the device.

EVOLVING CYBERATTACKS

In most cases, attackers target the subject using exploits as their primary method, with phishing being the second most common approach.

According to the Mandiant report, 38 per cent of intrusions started with exploits, while 17 per cent used phishing methods, 15 per cent of intrusions involved prior compromise, and 10 per cent relied on stolen credentials.

In 2023, attackers adopted new phishing strategies instead of conventional methods. Mandiant noted their use of code obfuscation, remote payload hosting, embedding dropper scripts in archive files, and bypassing email filtering controls to target users effectively.

The report is based on an analysis of activities of over 4,000 threat groups, including 719 identified in 2023. Financial gain motivated over half of the attackers observed that year (52 per cent), while 10 per cent focused primarily on espionage activities.