China State-Sponsored Cyber Threat: Advisories
As the nation's cyber defense agency and national coordinator for critical infrastructure, CISA provides resources—including cybersecurity advisories written in coordination with partners—to help stakeholders build resilience against nation-state actors and other cyber threats.
Table 1: CISA and Joint CISA Advisories
Publication Date | Title | Description |
---|---|---|
March 19, 2024 | PRC State-Sponsored Cyber Activity: Actions for Critical Infrastructure Leaders | The fact sheet, PRC State-Sponsored Cyber Activity: Actions for Critical Infrastructure Leaders, warns critical infrastructure leaders of the urgent risk posed by Volt Typhoon and provides guidance on specific actions to prioritize the protection of their organization from this threat activity. CISA and its partners strongly urge critical infrastructure organization leaders to read the guidance provided in the joint fact sheet to defend against this threat. |
February 7, 2024 | Joint Cybersecurity Advisory: PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure | The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Federal Bureau of Investigation (FBI) assess that People’s Republic of China (PRC) state-sponsored cyber actors are seeking to pre-position themselves on IT networks for disruptive or destructive cyberattacks against U.S. critical infrastructure in the event of a major crisis or conflict with the United States. The advisory provides actionable information from U.S. incident response activity that can help all organizations: |
February 7, 2024 | Joint Guide: Identifying and Mitigating Living Off the Land Techniques | Identifying and Mitigating Living Off the Land Techniques provides threat detection information and mitigations applicable to LOTL activity, regardless of threat actor. Many organizations do not implement security best practice capabilities that support detection of living off the land (LOTL), so this technique continues to be effective with little to no investment in tooling by malicious cyber actors. This guidance provides several observed network defense weaknesses that make it difficult for IT administrators to distinguish malicious activity from legitimate behavior, even for those organizations with more mature cyber postures. |
January 31, 2024 | Secure by Design Alert: Security Design Improvements for SOHO Device Manufacturers | CISA and the FBI created this guidance based upon recent and ongoing activity targeting small office/home office (SOHO) routers by malicious cyber actors—particularly the People’s Republic of China (PRC)-sponsored Volt Typhoon group. CISA and FBI are urging SOHO router manufacturers to build security into the design, development, and maintenance of SOHO routers to eliminate the path these threat actors are taking to (1) compromise these devices and (2) use these devices as launching pads to further compromise U.S. critical infrastructure entities. |
September 27, 2023 | Joint Cybersecurity Advisory: People's Republic of China-Linked Cyber Actors Hide in Router Firmware | The U.S. National Security Agency (NSA), Federal Bureau of Investigation (FBI), and Cybersecurity and Infrastructure Security Agency (CISA), along with the Japan National Police Agency (NPA) and the Japan National Center of Incident Readiness and Strategy for Cybersecurity (NISC), released a joint Cybersecurity Advisory (CSA). The CSA details activity by cyber actors, known as BlackTech, linked to the People’s Republic of China (PRC). The advisory provides BlackTech tactics, techniques, and procedures (TTPs) and urges multinational corporations to review all subsidiary connections, verify access, and consider implementing zero trust models to limit the extent of a potential BlackTech compromise. |
May 24, 2023 | Joint Cybersecurity Advisory: People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection | This Advisory focuses on a tactic called Living off the land, or LOTL, a set of techniques used by cyber actors to maintain anonymity within IT infrastructures by abusing tools already present in the environment. For more information, see: |
October 6, 2022 | Joint Cybersecurity Advisory: Top CVEs Actively Exploited By People’s Republic of China State-Sponsored Cyber Actors | CISA, NSA, and FBI released an advisory to provide the top Common Vulnerabilities and Exposures (CVEs) used since 2020 by People’s Republic of China (PRC). |
June 7, 2022 | Joint Cybersecurity Advisory: People’s Republic of China State-Sponsored Cyber Actors Exploit Network Providers and Devices | CISA, NSA, and FBI released an advisory describing the ways in which PRC state-sponsored cyber actors continue to exploit publicly known vulnerabilities in order to establish a broad network of compromised infrastructure. |
August 20, 2021 | Joint Cybersecurity Advisory: Chinese Observed TTPs | CISA, NSA, and FBI released an advisory describing Chinese cyber threat behavior and trends and providing mitigations to help protect the Federal Government; state, local, tribal, and territorial governments; critical infrastructure, defense industrial base, and private industry organizations. |
July 21, 2021 | Joint Cybersecurity Advisory: Chinese Gas Pipeline Intrusion Campaign, 2011 to 2013 | CISA and FBI released an advisory providing information on a spearphishing and intrusion campaign conducted by state-sponsored Chinese actors that occurred from December 2011 to 2013, targeting U.S. oil and natural gas (ONG) pipeline companies. |
July 20, 2021 | Joint Cybersecurity Advisory: TTPs of Indicted APT40 Actors Associated with China’s MSS Hainan State Security Department | CISA and FBI released an advisory to help network defenders identify and remediate APT40 intrusions and established footholds. See the July 19, 2021, Department of Justice press release. |
July 19, 2021 | Joint CISA Insights: Chinese Cyber Threat Overview for Leaders | CISA, NSA, and FBI released a joint CISA Insights to help leaders understand this threat and how to reduce their organization's risk of falling victim to cyber espionage and data theft. |
March 03, 2021 | CISA Alert: Mitigate Microsoft Exchange Server Vulnerabilities | CISA partners observed active exploitation of vulnerabilities in Microsoft Exchange Server products. This Alert includes tactics, techniques, and procedures and indicators of compromise associated with this activity. See the July 19, 2021 White House Statement. |
October 1, 2020 | CISA Alert: Potential for China Cyber Response to Heightened U.S.-China Tensions | In light of heightened tensions between the United States and China, CISA released an Alert providing specific Chinese government and affiliated cyber threat actor tactics, techniques, and procedures (TTPs). The Alert also includes recommended mitigations to the cybersecurity community to assist in the protection of our Nation’s critical infrastructure. |
September 14, 2020 | Joint Cybersecurity Advisory: Chinese Ministry of State Security-Affiliated Cyber Threat Actor Activity | CISA has consistently observed Chinese Ministry of State Security (MSS)-affiliated cyber threat actors using publicly available information sources and common, well-known TTPs to target U.S. government agencies. This advisory identifies some of the more common TTPs employed by cyber threat actors, including those affiliated with the Chinese MSS. |
August 3, 2020 | MAR-10292089-1.v2 – Chinese Remote Access Trojan: TAIDOOR | CISA, FBI, and DoD released a MAR describing Chinese government actors using malware variants in conjunction with proxy servers to maintain a presence on victim networks and to further network exploitation. |
May 13, 2020 | CISA and FBI Joint Public Service Announcement: People’s Republic of China (PRC) Targeting of COVID-19 Research Organizations | CISA and FBI issued a Public Service Announcement warning healthcare, pharmaceutical, and research sectors working on the COVID-19 response of likely targeting and attempted network compromise by the PRC. |
February 2019 | CISA Webinar: Chinese Cyber Activity Targeting Managed Service Providers; CISA Webinar Slide Deck: Chinese Cyber Activity Targeting Managed Service Providers | CISA provided a Webinar on Chinese state-sponsored cyber actors targeting managed service providers (MSPs) and their customers. This campaign is referred to as CLOUD HOPPER. |
October 3, 2018 | CISA Alert: Advanced Persistent Threat Activity Exploiting Managed Service Providers; CISA Alert: Using Rigorous Credential Control to Mitigate Trusted Network Exploitation | These Alerts address the CLOUD HOPPER Campaign. Since May 2016, APT actors have used various TTPs to attempt to infiltrate the networks of global MSPs for the purposes of cyber espionage and intellectual property theft. APT actors have targeted victims in several U.S. critical infrastructure sectors, including IT, Energy, Healthcare and Public Health, Communications, and Critical Manufacturing. |
April 27, 2017 | CISA Alert: Intrusions Affecting Multiple Victims Across Multiple Sectors | This Alert provides information on a campaign in which Chinese government cyber threat actors exploited trust relationships between IT service providers—such as MSPs and cloud service providers—and their customers. Chinese cyber actors associated with the Chinese MSS carried out a campaign of cyber-enabled theft targeting global technology service providers and their customers. The actors gained access to multiple U.S. and global IT service providers and their customers in an effort to steal the intellectual property and sensitive data of companies located in at least 12 countries. |