FBI Seeks Public Help to Identify Chinese Hackers Behind Global Cyber Intrusions

November 5, 2024 at 12:36PM

The FBI is investigating cyber intrusions involving malware targeting sensitive data from companies and government networks by Chinese state-sponsored groups. Reports by Sophos reveal attacks leveraging multiple vulnerabilities, shifting from widespread to targeted attacks since 2021, compromising critical infrastructure mainly in South and Southeast Asia.

### Meeting Takeaways:

1. **FBI Investigation**: The FBI is seeking public assistance regarding a significant breach involving edge devices and computer networks belonging to various companies and government entities.

2. **Malware Deployment**: An Advanced Persistent Threat (APT) group has utilized malware (CVE-2020-12271) in widespread computer intrusions to steal sensitive data globally from firewalls.

3. **Campaign Overview**: Reports from cybersecurity vendor Sophos detail campaigns from 2018 to 2023 that exploited vulnerabilities in edge infrastructure appliances, with a focus on surveillance, sabotage, and cyber espionage attributed to Chinese state-sponsored groups (APT31, APT41, and Volt Typhoon).

4. **Targeted Entities**: Cyber attacks have targeted critical infrastructure and government facilities, especially in South and Southeast Asia. Notable targets include nuclear energy suppliers and military hospitals.

5. **Vulnerability Exploitation**: Multiple zero-day vulnerabilities in Sophos firewalls have been identified as methods for the attackers to deliver payloads, transitioning from broad attacks to focused efforts against specific organizations.

6. **Deeper Access Tactics**: Since mid-2022, attack methods have evolved to gain deeper access, evade detection, and use sophisticated malware like Asnarök and Gh0st RAT, establishing persistent remote access to Sophos XG Firewalls.

7. **Pygmy Goat Backdoor**: A well-developed rootkit named Pygmy Goat enables attackers to interact with infected devices over what appears to be standard network traffic, highlighting the competency of its developers.

8. **Research Ties**: Sophos linked the rootkit to a Chinese threat actor known as Tstark, with possible connections to UESTC in Chengdu, indicating organized vulnerability research associated with state-sponsored operations.

9. **Bug Bounty Reports**: Sophos has noticed suspiciously helpful bug bounty reports likely from individuals associated with Chengdu research institutions, suggesting ongoing exploitation and intelligence sharing between state-sponsored attackers.

10. **Wider Implications**: The increased targeting of edge network devices and compromised Canadian government networks highlights a strategic cyber threat landscape posed by Chinese state-sponsored actors, who are also accused of pursuing economic, diplomatic, and repression-related objectives.

11. **Further Engagement**: For continued updates and analysis of cyber security threats, follow the organization on Twitter and LinkedIn.
