Chinese State-Sponsored Cyber Operations: Observed TTPs
Summary
This advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework, Version 9, and MITRE D3FEND™ framework, version 0.9.2-BETA-3. See the ATT&CK for Enterprise for all referenced threat actor tactics and techniques and the D3FEND framework for referenced defensive tactics and techniques.
The National Security Agency, Cybersecurity and Infrastructure Security Agency (CISA), and Federal Bureau of Investigation (FBI) assess that People’s Republic of China state-sponsored malicious cyber activity is a major threat to U.S. and Allied cyberspace assets. Chinese state-sponsored cyber actors aggressively target U.S. and allied political, economic, military, educational, and critical infrastructure (CI) personnel and organizations to steal sensitive data, critical and emerging key technologies, intellectual property, and personally identifiable information (PII). Some target sectors include managed service providers, semiconductor companies, the Defense Industrial Base (DIB), universities, and medical institutions. These cyber operations support China’s long-term economic and military development objectives.
This Joint Cybersecurity Advisory (CSA) provides information on tactics, techniques, and procedures (TTPs) used by Chinese state-sponsored cyber actors. This advisory builds on previous NSA, CISA, and FBI reporting to inform federal, state, local, tribal, and territorial (SLTT) government, CI, DIB, and private industry organizations about notable trends and persistent TTPs through collaborative, proactive, and retrospective analysis.
To increase the defensive posture of their critical networks and reduce the risk of Chinese malicious cyber activity, NSA, CISA, and FBI urge government, CI, DIB, and private industry organizations to apply the recommendations listed in the Mitigations section of this advisory and in Appendix A: Chinese State-sponsored Cyber Actors' Observed Procedures. Note: NSA, CISA, and FBI encourage organization leaders to review CISA Joint Insights: Chinese Malicious Cyber Activity: Threat Overview for Leaders for information on this threat to their organization.
Technical Details
Trends in Chinese State-Sponsored Cyber Operations
NSA, CISA, and FBI have observed increasingly sophisticated Chinese state-sponsored cyber activity targeting U.S. political, economic, military, educational, and CI personnel and organizations. NSA, CISA, and FBI have identified the following trends in Chinese state-sponsored malicious cyber operations through proactive and retrospective analysis:
- Acquisition of Infrastructure and Capabilities. Chinese state-sponsored cyber actors remain agile and cognizant of the information security community’s practices. These actors take effort to mask their activities by using a revolving series of virtual private servers (VPSs) and common open-source or commercial penetration tools.
- Exploitation of Public Vulnerabilities. Chinese state-sponsored cyber actors consistently scan target networks for critical and high vulnerabilities within days of the vulnerability’s public disclosure. In many cases, these cyber actors seek to exploit vulnerabilities in major applications, such as Pulse Secure, Apache, F5 Big-IP, and Microsoft products. For information on Common Vulnerabilities and Exposures (CVE) known to be exploited by malicious Chinese state-sponsored cyber actors, see:
  - CISA-FBI Joint CSA AA20-133A: Top 10 Routinely Exploited Vulnerabilities,
  - CISA Activity Alert: AA20-275A: Potential for China Cyber Response to Heightened U.S.-China Tensions, and
  - NSA CSA U/OO/179811-20: Chinese State-Sponsored Actors Exploit Publicly Known Vulnerabilities.
- Encrypted Multi-Hop Proxies. Chinese state-sponsored cyber actors have been routinely observed using a VPS as an encrypted proxy. The cyber actors use the VPS as well as small office and home office (SOHO) devices as operational nodes to evade detection.
Observed Tactics and Techniques
Chinese state-sponsored cyber actors use a full array of tactics and techniques to exploit computer networks of interest worldwide and to acquire sensitive intellectual property, economic, political, and military information. Appendix B: MITRE ATT&CK Framework lists the tactics and techniques used by Chinese state-sponsored cyber actors. A downloadable JSON file is also available on the NSA Cybersecurity GitHub page.
Refer to Appendix A: Chinese State-Sponsored Cyber Actors’ Observed Procedures for information on procedures affiliated with these tactics and techniques as well as applicable mitigations.
Figure 1: Example of tactics and techniques used in various cyber operations.
Mitigations
NSA, CISA, and FBI urge federal and SLTT government, CI, DIB, and private industry organizations to apply the following recommendations as well as the detection and mitigation recommendations in Appendix A, which are tailored to observed tactics and techniques:
- Patch systems and equipment promptly and diligently. Focus on patching critical and high vulnerabilities that allow for remote code execution or denial-of-service on externally facing equipment and CVEs known to be exploited by Chinese state-sponsored cyber actors. Consider implementing a patch management program that enables a timely and thorough patching cycle. Note: for more information on CVEs routinely exploited by Chinese state-sponsored cyber actors, refer to the resources listed in the Trends in Chinese State-Sponsored Cyber Operations section.
- Enhance monitoring of network traffic, email, and endpoint systems. Review network signatures and indicators for focused activities, monitor for new phishing themes, and adjust email rules accordingly. Follow the best practices of restricting attachments via email and blocking URLs and domains based upon reputation. Ensure that log information is aggregated and correlated to enable maximum detection capabilities, with a focus on monitoring for account misuse. Monitor common ports and protocols for command and control (C2) activity. SSL/TLS inspection can be used to see the contents of encrypted sessions to look for network-based indicators of malware communication protocols. Implement and enhance network and endpoint event analysis and detection capabilities to identify initial infections, compromised credentials, and the manipulation of endpoint processes and files.
- Use protection capabilities to stop malicious activity. Implement anti-virus software and other endpoint protection capabilities to automatically detect and prevent malicious files from executing. Use a network intrusion detection and prevention system to identify and prevent commonly employed adversarial malware and limit nefarious data transfers. Use a domain reputation service to detect suspicious or malicious domains. Use strong credentials for service accounts and multi-factor authentication (MFA) for remote access to mitigate an adversary's ability to leverage stolen credentials, but be aware of MFA interception techniques for some MFA implementations.
Resources
Refer to us-cert.cisa.gov/china, https://www.ic3.gov/Home/IndustryAlerts, and https://www.nsa.gov/What-We-Do/Cybersecurity/Advisories-Technical-Guidance/ for previous reporting on Chinese state-sponsored malicious cyber activity.
Disclaimer of Endorsement
The information and opinions contained in this document are provided "as is" and without any warranties or guarantees. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favoring by the United States Government, and this guidance shall not be used for advertising or product endorsement purposes.
Purpose
This document was developed by NSA, CISA, and FBI in furtherance of their respective cybersecurity missions, including their responsibilities to develop and issue cybersecurity specifications and mitigations. This information may be shared broadly to reach all appropriate stakeholders.
This document is marked TLP:WHITE. Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol, see http://www.us-cert.gov/tlp/.
Trademark Recognition
• MITRE and ATT&CK are registered trademarks of The MITRE Corporation.
• D3FEND is a trademark of The MITRE Corporation.
• Microsoft, Microsoft Exchange, Office 365, Microsoft Office, OneDrive, Outlook, OWA, PowerShell, Windows Defender, and Windows are registered trademarks of Microsoft Corporation.
• Pulse Secure is a registered trademark of Pulse Secure, LLC.
• Apache is a registered trademark of Apache Software Foundation.
• F5 and BIG-IP are registered trademarks of F5 Networks.
• Cobalt Strike is a registered trademark of Strategic Cyber LLC.
• GitHub is a registered trademark of GitHub, Inc.
• JavaScript is a registered trademark of Oracle Corporation.
• Python is a registered trademark of Python Software Foundation.
• Unix is a registered trademark of The Open Group.
• Linux is a registered trademark of Linus Torvalds.
• Dropbox is a registered trademark of Dropbox, Inc.
APPENDIX A: Chinese State-Sponsored Cyber Actors’ Observed Procedures
Note: D3FEND techniques are based on the Threat Actor Procedure(s) and may not match automated mappings to ATT&CK techniques and sub-techniques.
Tactics: Reconnaissance [TA0043]
Table I: Chinese state-sponsored cyber actors’ Reconnaissance TTPs with detection and mitigation recommendations
Threat Actor Technique / Sub-Techniques | Threat Actor Procedure(s) | Detection and Mitigation Recommendations | Defensive Tactics and Techniques
---|---|---|---
Active Scanning [T1595] | Chinese state-sponsored cyber actors have been assessed to perform reconnaissance on Microsoft® 365 (M365), formerly Office® 365, resources with the intent of further gaining information about the networks. These scans can be automated, through Python® scripts, to locate certain files, paths, or vulnerabilities. The cyber actors can gain valuable information on the victim network, such as the allocated resources, an organization’s fully qualified domain name, IP address space, and open ports to target or exploit. | Minimize the amount and sensitivity of data available to external parties, for example: Active scanning from cyber actors may be identified by monitoring network traffic for sources associated with botnets, adversaries, and known bad IPs based on threat intelligence. | Detect: Isolate:
Gather Victim Network Information [T1590] | | |
Tactics: Resource Development [TA0042]
Table II: Chinese state-sponsored cyber actors’ Resource Development TTPs with detection and mitigation recommendations
Threat Actor Technique / Sub-Techniques | Threat Actor Procedure(s) | Detection and Mitigation Recommendations | Defensive Tactics and Techniques
---|---|---|---
Acquire Infrastructure [T1583] | Chinese state-sponsored cyber actors have been observed using VPSs from cloud service providers that are physically distributed around the world to host malware and function as C2 nodes. | Adversary activities occurring outside the organization’s boundary of control and view make mitigation difficult. Organizations can monitor for unexpected network traffic and data flows to and from VPSs and correlate other suspicious activity that may indicate an active threat. | N/A
Stage Capabilities [T1608] | | |
Obtain Capabilities [T1588]: | Chinese state-sponsored cyber actors have been observed using Cobalt Strike® and tools from GitHub® on victim networks. | Organizations may be able to identify malicious use of Cobalt Strike by: | N/A
Tactics: Initial Access [TA0001]
Table III: Chinese state-sponsored cyber actors’ Initial Access TTPs with detection and mitigation recommendations
Threat Actor Technique / Sub-Techniques | Threat Actor Procedure(s) | Detection and Mitigation Recommendations | Defensive Tactics and Techniques
---|---|---|---
Drive By Compromise [T1189] | Chinese state-sponsored cyber actors have been observed gaining access to victim networks through watering hole campaigns of typo-squatted domains. | | Detect: Isolate:
Exploit Public-Facing Application [T1190] | Chinese state-sponsored cyber actors have exploited known vulnerabilities in Internet-facing systems.[1] For information on vulnerabilities known to be exploited by Chinese state-sponsored cyber actors, refer to the Trends in Chinese State-Sponsored Cyber Operations section for a list of resources. | Review previously published alerts and advisories from NSA, CISA, and FBI, and diligently patch vulnerable applications known to be exploited by cyber actors. Refer to the Trends in Chinese State-Sponsored Cyber Operations section for a non-inclusive list of resources. Additional mitigations include: | Harden: Detect: Isolate:
Phishing [T1566]: | Chinese state-sponsored cyber actors have been observed conducting spearphishing campaigns. These email compromise attempts range from generic emails with mass targeted phishing attempts to specifically crafted emails in targeted social engineering lures. | | Harden: Detect:
External Remote Services [T1133] | Chinese state-sponsored cyber actors have been observed: Note: refer to the references listed above in Exploit Public-Facing Application [T1190] for information on CVEs known to be exploited by malicious Chinese cyber actors. | | Harden: Detect:
Valid Accounts [T1078]: | Chinese state-sponsored cyber actors have been observed: gaining credential access into victim networks by using legitimate, but compromised credentials to access OWA servers, corporate login portals, and victim networks. Note: this technique also applies to Persistence [TA0003], Privilege Escalation [TA0004], and Defense Evasion [TA0005]. | | Harden: Detect:
Tactics: Execution [TA0002]
Table IV: Chinese state-sponsored cyber actors’ Execution TTPs with detection and mitigation recommendations
Threat Actor Technique / Sub-Techniques | Threat Actor Procedure(s) | Detection and Mitigation Recommendations | Defensive Tactics and Techniques
---|---|---|---
Command and Scripting Interpreter [T1059]: PowerShell; Windows Command Shell; Unix; Python; JavaScript; Network Device Command Line Interface (CLI) | Chinese state-sponsored cyber actors have been observed: | | Harden: Detect: Isolate:
Scheduled Task/Job [T1053] | Chinese state-sponsored cyber actors have been observed using Cobalt Strike, webshells, or command line interface tools, such as | Monitor scheduled task creation from common utilities using command-line invocation and compare for any changes that do not correlate with known software, patch cycles, or other administrative activity. | Detect: Isolate:
User Execution [T1204] | Chinese state-sponsored cyber actors have been observed conducting spearphishing campaigns that encourage engagement from the target audience. These emails may contain a malicious link or file that provide the cyber actor access to the victim’s device after the user clicks on the malicious link or opens the attachment. | | Detect: Isolate:
Tactics: Persistence [TA0003]
Table V: Chinese state-sponsored cyber actors’ Persistence TTPs with detection and mitigation recommendations
Threat Actor Technique / Sub-Techniques | Threat Actor Procedure(s) | Detection and Mitigation Recommendations | Defensive Tactics and Techniques
---|---|---|---
Hijack Execution Flow [T1574]: | Chinese state-sponsored cyber actors have been observed using benign executables which used Dynamic Link Library (DLL) load-order hijacking to activate the malware installation process. Note: this technique also applies to Privilege Escalation [TA0004] and Defense Evasion [TA0005]. | | Detect: Isolate:
Modify Authentication Process [T1556] | Chinese state-sponsored cyber actors were observed creating a new sign-in policy to bypass MFA requirements to maintain access to the victim network. | | Detect:
Server Software Component [T1505]: | Chinese state-sponsored cyber actors have been observed planting web shells on exploited servers and using them to provide the cyber actors with access to the victim networks. | | Detect: Isolate:
Create or Modify System Process [T1543]: | Chinese state-sponsored cyber actors have been observed executing malware shellcode and batch files to establish new services to enable persistence. Note: this technique also applies to Privilege Escalation [TA0004]. | | Detect:
Tactics: Privilege Escalation [TA0004]
Table VI: Chinese state-sponsored cyber actors’ Privilege Escalation TTPs with detection and mitigation recommendations
Threat Actor Technique / Sub-Techniques | Threat Actor Procedure(s) | Detection and Mitigation Recommendations | Defensive Tactics and Techniques
---|---|---|---
Domain Policy Modification [T1484] | Chinese state-sponsored cyber actors have also been observed modifying group policies for password exploitation. Note: this technique also applies to Defense Evasion [TA0005]. | | Detect:
Process Injection [T1055]: | Chinese state-sponsored cyber actors have been observed: Note: this technique also applies to Defense Evasion [TA0005]. | |
Tactics: Defense Evasion [TA0005]
Table VII: Chinese state-sponsored cyber actors’ Defense Evasion TTPs with detection and mitigation recommendations
Threat Actor Technique / Sub-Techniques | Threat Actor Procedure(s) | Detection and Mitigation Recommendations | Defensive Tactics and Techniques
---|---|---|---
Deobfuscate/Decode Files or Information [T1140] | Chinese state-sponsored cyber actors were observed using the 7-Zip utility to unzip imported tools and malware files onto the victim device. | | Detect: Isolate:
Hide Artifacts [T1564] | Chinese state-sponsored cyber actors were observed using benign executables which used DLL load-order hijacking to activate the malware installation process. | | Detect: Isolate:
Indicator Removal from Host [T1070] | Chinese state-sponsored cyber actors have been observed deleting files using | | Detect: Isolate:
Obfuscated Files or Information [T1027] | Chinese state-sponsored cyber actors were observed Base64 encoding files and command strings to evade security measures. | Consider utilizing the Antimalware Scan Interface (AMSI) on Windows 10 to analyze commands after being processed/interpreted. | Detect:
Signed Binary Proxy Execution [T1218] | Chinese state-sponsored cyber actors were observed using Microsoft signed binaries, such as | Monitor processes for the execution of known proxy binaries (e.g., r | Detect:
Tactics: Credential Access [TA0006]
Table VIII: Chinese state-sponsored cyber actors’ Credential Access TTPs with detection and mitigation recommendations
Threat Actor Technique / Sub-Techniques | Threat Actor Procedure(s) | Detection and Mitigation Recommendations | Defensive Tactics and Techniques
---|---|---|---
Exploitation for Credential Access [T1212] | Chinese state-sponsored cyber actors have been observed exploiting Pulse Secure VPN appliances to view and extract valid user credentials and network information from the servers. | | Harden:
OS Credential Dumping [T1003] | Chinese state-sponsored cyber actors were observed targeting the LSASS process or Active directory ( | | Harden: Detect: Isolate:
Tactics: Discovery [TA0007]
Table IX: Chinese state-sponsored cyber actors’ Discovery TTPs with detection and mitigation recommendations
Threat Actor Technique / Sub-Techniques | Threat Actor Procedure(s) | Detection and Mitigation Recommendations | Defensive Tactics and Techniques
---|---|---|---
File and Directory Discovery [T1083] | Chinese state-sponsored cyber actors have been observed using multiple implants with file system enumeration and traversal capabilities. | Monitor processes and command-line arguments for actions that could be taken to gather system and network information. WMI and PowerShell should also be monitored. | Detect:
Permission Group Discovery [T1069] | Chinese state-sponsored cyber actors have been observed using commands, including | Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell. | Detect:
Process Discovery [T1057] | Chinese state-sponsored cyber actors have been observed using commands, including | Normal, benign system and network events that look like process discovery may be uncommon, depending on the environment and how they are used. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell. | Detect:
Network Service Scanning [T1046] | Chinese state-sponsored cyber actors have been observed using | Ensure that unnecessary ports and services are closed to prevent discovery and potential exploitation. | Detect: Isolate:
Remote System Discovery [T1018] | Chinese state-sponsored cyber actors have been observed using Base-64 encoded commands, including | Monitor for processes that can be used to discover remote systems, such as | Detect:
Tactics: Lateral Movement [TA0008]
Table X: Chinese state-sponsored cyber actors’ Lateral Movement TTPs with detection and mitigation recommendations
Threat Actor Technique / Sub-Techniques | Threat Actor Procedure(s) | Detection and Mitigation Recommendations | Defensive Tactics and Techniques
---|---|---|---
Exploitation of Remote Services [T1210] | Chinese state-sponsored cyber actors used valid accounts to log into a service specifically designed to accept remote connections, such as telnet, SSH, RDP, and Virtual Network Computing (VNC). The actor may then perform actions as the logged-on user. Chinese state-sponsored cyber actors also used on-premises Identity and Access Management (IdAM) and federation services in hybrid cloud environments in order to pivot to cloud resources. | | Detect: Isolate:
Tactics: Collection [TA0009]
Table XI: Chinese state-sponsored cyber actors’ Collection TTPs with detection and mitigation recommendations
Threat Actor Technique / Sub-Techniques | Threat Actor Procedure(s) | Detection and Mitigation Recommendations | Defensive Tactics and Techniques
---|---|---|---
Archive Collected Data [T1560] | Chinese state-sponsored cyber actors compressed and encrypted files for exfiltration into RAR archives and subsequently used cloud storage services to store them. | | Detect: Isolate:
Clipboard Data [T1115] | Chinese state-sponsored cyber actors used RDP and executed | | Detect: Isolate:
Data Staged [T1074] | Chinese state-sponsored cyber actors have been observed using the | Processes that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files, such as using 7-Zip, RAR, ZIP, or zlib. Monitor publicly writeable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) to regularly check for compressed or encrypted data that may be indicative of staging. | Detect:
Email Collection [T1114] | Chinese state-sponsored cyber actors have been observed using the | | Harden: Detect:
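The Data Staged [T1074] and Archive Collected Data [T1560] rows above recommend checking temp folders and other staging directories for compressed or encrypted data. As an added example that is not part of the advisory, the following Python walks a set of directories, recognises 7-Zip, RAR and ZIP files by signature regardless of their extension, and falls back to a Shannon-entropy test for files that may be encrypted; the entropy threshold, minimum size and the demo directory tree it builds are constructed assumptions.

```python
"""Look for compressed or encrypted files in common staging directories.

Added example for this advisory, not code from NSA/CISA/FBI. The entropy
threshold, minimum size and the demo directory tree are constructed assumptions.
"""
import math
import os
import tempfile
import zipfile
from collections import Counter

# File signatures for the archive formats the advisory names (7-Zip, RAR, ZIP).
ARCHIVE_SIGNATURES = {
    "7z": b"7z\xbc\xaf\x27\x1c",
    "rar": b"Rar!\x1a\x07",      # common prefix of the RAR 4.x and RAR 5 signatures
    "zip": b"PK\x03\x04",
}
ENTROPY_THRESHOLD = 7.2   # bits per byte; assumption, tune per environment
MIN_SIZE = 256            # skip tiny files, whose entropy estimate is noisy


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or single-valued input, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_file(path: str):
    """Return 'rar', '7z', 'zip', 'high-entropy', or None for an ordinary file."""
    with open(path, "rb") as fh:
        head = fh.read(8192)
    for kind, sig in ARCHIVE_SIGNATURES.items():
        if head.startswith(sig):
            return kind
    if len(head) >= MIN_SIZE and shannon_entropy(head) >= ENTROPY_THRESHOLD:
        return "high-entropy"          # possibly encrypted or an unrecognised archive
    return None


def scan_staging_dirs(dirs):
    """Walk the given directories and report archives and high-entropy files."""
    findings = []
    for base in dirs:
        for root, _subdirs, files in os.walk(base):
            for name in files:
                path = os.path.join(root, name)
                try:
                    kind = classify_file(path)
                    size = os.path.getsize(path)
                except OSError:
                    continue                # unreadable file; log it in production
                if kind is None:
                    continue
                ext = os.path.splitext(name)[1].lower()
                findings.append({
                    "path": path, "name": name, "kind": kind, "size": size,
                    # An archive whose extension disagrees with its signature is a
                    # common sign of renaming to blend in with document folders.
                    "ext_mismatch": kind in ARCHIVE_SIGNATURES and ext != "." + kind,
                })
    return findings


def build_demo_tree() -> str:
    """Create a constructed temp directory standing in for a user's temp folder."""
    root = tempfile.mkdtemp(prefix="staging-demo-")
    with open(os.path.join(root, "report.docx"), "wb") as fh:   # RAR renamed as a document
        fh.write(b"Rar!\x1a\x07\x01\x00" + b"\x00" * 300)
    with open(os.path.join(root, "cache.dat"), "wb") as fh:     # random bytes, looks encrypted
        fh.write(os.urandom(4096))
    with zipfile.ZipFile(os.path.join(root, "backup.zip"), "w") as zf:
        zf.writestr("notes.txt", "quarterly numbers")
    with open(os.path.join(root, "readme.txt"), "w") as fh:     # ordinary text, low entropy
        fh.write("The quick brown fox jumps over the lazy dog. " * 10)
    return root


if __name__ == "__main__":
    for f in scan_staging_dirs([build_demo_tree()]):
        print(f["kind"], f["size"], f["name"], "EXT-MISMATCH" if f["ext_mismatch"] else "")
```

In production, point scan_staging_dirs at the recycle bin, user and system temp folders and any world-writeable shares, and baseline the results so that only new archives and high-entropy files raise an alert.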
Tactics: Command and Control [TA0011]
Table XII: Chinese state-sponsored cyber actors’ Command and Control TTPs with detection and mitigation recommendations
Threat Actor Technique / Sub-Techniques | Threat Actor Procedure(s) | Detection and Mitigation Recommendations | Defensive Tactics and Techniques
---|---|---|---
Application Layer Protocol [T1071] | Chinese state-sponsored cyber actors have been observed: | Use network intrusion detection and prevention systems with network signatures to identify traffic for specific adversary malware. | Detect: Isolate:
Ingress Tool Transfer [T1105] | Chinese state-sponsored cyber actors have been observed importing tools from GitHub or infected domains to victim networks. In some instances, Chinese state-sponsored cyber actors used the Server Message Block (SMB) protocol to import tools into victim networks. | | Isolate:
Non-Standard Port [T1571] | Chinese state-sponsored cyber actors have been observed using a non-standard SSH port to establish covert communication channels with VPS infrastructure. | | Detect: Isolate:
Protocol Tunneling [T1572] | Chinese state-sponsored cyber actors have been observed using tools like dog-tunnel and | | Detect:
Proxy [T1090]: | Chinese state-sponsored cyber actors have been observed using a network of VPSs and small office and home office (SOHO) routers as part of their operational infrastructure to evade detection and host C2 activity. Some of these nodes operate as part of an encrypted proxy service to prevent attribution by concealing their country of origin and TTPs. | Monitor traffic for encrypted communications originating from potentially breached routers to other routers within the organization. Compare the source and destination with the configuration of the device to determine if these channels are authorized VPN connections or other encrypted modes of communication. | Detect: Isolate:
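The Non-Standard Port [T1571] and Proxy [T1090] rows above describe SSH on non-standard ports to VPS infrastructure and encrypted router-to-router channels that should be compared against the authorised VPN configuration. As an added example that is not part of the advisory, the following Python applies those checks to Zeek-style connection records; the records, internal ranges, gateway list, authorised-tunnel list, approved external peer and session-length threshold are constructed assumptions, and the fields are a subset of Zeek's conn.log.

```python
"""Flag covert encrypted channels in Zeek-style connection records.

Added example for this advisory, not code from NSA/CISA/FBI. The records, the
internal ranges, the gateway list, the authorised-tunnel list and the session
threshold are constructed assumptions; the fields are a subset of Zeek conn.log.
"""
import ipaddress

INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
GATEWAY_ADDRS = {"10.0.1.1", "10.0.2.1", "10.0.3.1"}   # the organisation's SOHO/branch routers
AUTHORISED_TUNNELS = {("10.0.1.1", "10.0.3.1")}         # approved router-to-router VPNs
ALLOWED_EXTERNAL_PEERS = {"198.51.100.7"}               # e.g. the corporate VPN concentrator
LONG_SESSION_SECONDS = 1800
ENCRYPTED_SERVICES = {"ssh", "ssl"}

# Constructed tab-separated records (subset of Zeek conn.log fields).
SAMPLE_CONN_LOG = """\
ts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration
1626700000.1\t10.0.5.23\t51234\t203.0.113.10\t22\ttcp\tssh\t12.5
1626700010.3\t10.0.5.23\t51240\t203.0.113.10\t8443\ttcp\tssh\t3600.0
1626700020.0\t10.0.7.8\t44000\t198.51.100.7\t443\ttcp\tssl\t7200.0
1626700030.0\t10.0.1.1\t40000\t10.0.2.1\t443\ttcp\tssl\t600.0
1626700040.0\t10.0.5.40\t53000\t192.0.2.9\t22\ttcp\tssh\t-
"""


def is_internal(addr: str) -> bool:
    """True for addresses inside the organisation's private ranges (assumption)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_conn_log(text: str):
    """Parse header-led TSV records; Zeek writes '-' for unset fields such as duration."""
    lines = [ln for ln in text.splitlines() if ln and not ln.startswith("#")]
    header = lines[0].split("\t")
    records = []
    for ln in lines[1:]:
        rec = dict(zip(header, ln.split("\t")))
        rec["id.resp_p"] = int(rec["id.resp_p"])
        rec["duration"] = 0.0 if rec["duration"] == "-" else float(rec["duration"])
        records.append(rec)
    return records


def evaluate(rec) -> list:
    """Return the names of the rules a single record trips (empty list if none)."""
    rules = []
    orig, resp, port = rec["id.orig_h"], rec["id.resp_h"], rec["id.resp_p"]
    service = rec["service"]
    # Non-Standard Port [T1571]: SSH negotiated on something other than 22.
    if service == "ssh" and port != 22:
        rules.append("ssh-nonstandard-port")
    # Long-lived encrypted session to an external host that is not an approved peer.
    if (service in ENCRYPTED_SERVICES and not is_internal(resp)
            and resp not in ALLOWED_EXTERNAL_PEERS
            and rec["duration"] >= LONG_SESSION_SECONDS):
        rules.append("long-encrypted-session-external")
    # Proxy [T1090]: encrypted channel between two of our routers that is not a known VPN.
    if (service in ENCRYPTED_SERVICES and orig in GATEWAY_ADDRS and resp in GATEWAY_ADDRS
            and (orig, resp) not in AUTHORISED_TUNNELS
            and (resp, orig) not in AUTHORISED_TUNNELS):
        rules.append("router-to-router-encrypted")
    return rules


def scan_conn_log(text: str):
    """Return [(orig_h, resp_h, resp_p, [rules])] for records that trip at least one rule."""
    hits = []
    for rec in parse_conn_log(text):
        rules = evaluate(rec)
        if rules:
            hits.append((rec["id.orig_h"], rec["id.resp_h"], rec["id.resp_p"], rules))
    return hits


if __name__ == "__main__":
    for orig, resp, port, rules in scan_conn_log(SAMPLE_CONN_LOG):
        print(f"{orig} -> {resp}:{port}  {', '.join(rules)}")
```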
Appendix B: MITRE ATT&CK Framework
Figure 2: MITRE ATT&CK Enterprise tactics and techniques used by Chinese state-sponsored cyber actors (also available as a downloadable JSON file).
Contact Information
To report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at www.fbi.gov/contact-us/field, or the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by e-mail at CyWatch@fbi.gov. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact.
To request incident response resources or technical assistance related to these threats, contact CISA at Central@cisa.dhs.gov.
For NSA client requirements or general cybersecurity inquiries, contact the NSA Cybersecurity Requirements Center at 410-854-4200 or Cybersecurity_Requests@nsa.gov.
Media Inquiries / Press Desk:
• NSA Media Relations, 443-634-0721, MediaRelations@nsa.gov
• CISA Media Relations, 703-235-2010, CISAMedia@cisa.dhs.gov
• FBI National Press Office, 202-324-3691, npo@fbi.gov
References
Revisions
July 19, 2021: Initial Version