We've just finished reading one of the most detailed research reports on Chinese cyber attacks that we have seen, and it brings forward a lot of new data that supports fresh conclusions about state-backed Chinese hacks.
The attacks are primarily aimed at tech companies in the U.S. and Japan, and for the first time, the research links ongoing Chinese hacking efforts in 2018 to activity as far back as 10 years.
And get this: the top targets in the effort to compromise networks? An organization's own IT and HR teams.
Researchers at ProtectWise 401TRG say:
"These operations and the groups that perform them are all linked to the Winnti umbrella and operate under the Chinese state intelligence apparatus. Contained in this report are details about previously unknown attacks against organizations and how these attacks are linked to the evolution of the Chinese intelligence apparatus over the past decade."
Phishing is the attack vector of choice in 2018. Here is one of the lures end users are falling for:
Bad actors have also tried to phish their way in through HR teams; here is an example from Japan, translated below:
Report: What seemed like individual hacks are actually linked
The investigation builds on a large body of industry research and, for the first time, links a number of bad actors to a common origin: China.
"This report details how these groups are linked together and serve a broader attacker mission. The many names associated with actors in the greater intelligence mission are due to the fact that they are built on telemetry of the intelligence provider which is typically unique and dependent on their specific dataset. This report focuses heavily on networking-related telemetry."
Chinese hackers using two-stage attacks
Part of the reason some of these hacks went previously unreported is that they targeted smaller companies. But those companies were just a point of entry:
"Based on our findings, attacks against smaller organizations operate with the objective of finding and exfiltrating code signing certificates to sign malware for use in attacks against higher value targets."
The report on Chinese hacking says the primary short-term motivation appears to be financial gain through theft of intellectual property, while the long-term goal appears to be political.
Researchers also shared considerable technical detail on the attackers' TTPs (tactics, techniques and procedures), down to the ports they favor in this campaign.