Neue Eskalationsstufe zwischen den USA und China - Chinesische Hackerangriffe gegen US-Regierungsbehörden und Militär werden publik

Two IT security incidents have been communicated by the US government in recent weeks. Both incidents involved targeted cyberattacks by suspected Chinese malicious actors. Targets of the attacks included critical infrastructure of the U.S. Armed Forces as well as senior staff of the U.S. Department of Commerce. We provide a brief analysis of the attacks here in this blog post.

At least since the Russian invasion of Ukraine, the diametrically opposed positions of the U.S. and China have been visible on the world stage. For a long time, China has claimed the role of a superpower and is preparing to displace the U.S. from its place as the dominant power in the international system. Ongoing threats to invade Taiwan, timid participation in sanctions against Russian aggression, and the construction of islands in international waters are just a few of the Chinese government's actions on the international stage. The PRC is not idle in the domain of "cyber" either. In the last few weeks alone, several incidents of significant scale have become public. These were presumably aimed at exfiltrating information from the U.S. government's leadership and cutting off power and water supplies to U.S. forces in the event of war.

Microsoft communicated on 11/07/2023 that the Chinese APT group Storm-0558 was able to compromise the Microsoft Outlook accounts of high-ranking US officials for several weeks. Among those affected was Gina Raimondo, the country's Secretary of Commerce. The attack was discovered on June 16, 2023, by an as-yet unnamed U.S. federal agency that detected suspicious activity in some mailboxes (so-called "MailItemsAccessed Events"). As a result, Microsoft and CISA were able to launch investigations and force the intruders out of the systems. The acts could be attributed to the Chinese hacker group with a high degree of probability.

After the initial communication of the incident, Microsoft was exposed to some criticism from users and the press. This was based on several missteps by the software giant:

1. From Redmond, information about the attacks came only bit by bit and without naming concretely affected products. For example, the cause of the incident, i.e. the initial attack vector for the malicious actor, was not communicated at first. Microsoft was also silent on the mitigation of the gap - the vulnerability was closed in the vendor’s system, and there was no further cause for concern for customers. The FBI and CISA had to supplement Redmond's initially rather sparse information in a joint advisory in order to provide admins with tools.

2. The attack vector would indicate negligence on Microsoft's part. The perpetrators were able to compromise the target systems with a stolen "OpenID Signing Key" for Azure AD. This key, actually only for private users, granted the malicious actors access to the enterprise accounts of Outlook, Office, SharePoint and Teams. Microsoft must therefore explain why a key for private users also opens the doors to business applications and how the Chinese hackers were able to obtain the key in the first place.

3. It was only possible for the discoverers of the compromise to become aware of it because they had access to the relevant logs with Purview Audit Premium. Customers of the Standard edition of Purview Audit would have stayed in the dark. Microsoft will expand the logging capabilities of the Standard edition starting in September.

In parallel to Storm-0558's activities, Chinese hackers worked their way deep into U.S. military systems using malware called Volt Typhoon. The attackers first gained access by exploiting zero-day vulnerabilities in Fortinet FortiGuard devices connected to the Internet. Active Directory credentials were also read from these, which would allow the hackers to gain access again later. In the systems, the hackers worked their way further using living-off-the-land binaries (so-called LOLBins). To disguise their own position, the attackers used routers previously taken over by small companies or private users around the world (including ASUS, Cisco, D-Link, Netgear, Zyxel).

While the hackers' targets were also in the civilian sector (communications providers, transportation and manufacturing), the attackers particularly targeted government agencies and the military. As of publication time, U.S. authorities continue to investigate where the hacker group has infiltrated military systems everywhere with the Volt Typhoon malware. In particular, it is believed that power and water supplies to military bases, as well as global communications of the armed forces, were to be disrupted.

The campaign was discovered after initial findings in the systems of a US base on Guam. Initial forensic findings suggest that Chinese hackers have been wreaking havoc on U.S. forces' systems since at least mid-2021.

Security experts have been warning for years of a coming conflict between the great powers in the Pacific region. Whether the predictions become reality or not, one thing is already certain: cyberattacks and reconnaissance via the cyber domain will most likely play a major role in this conflict. Already in the Russia-Ukraine conflict it became clear what hacker attacks can be used for - on the Ukrainian side it was mostly reconnaissance, Russia relied on wiper malware to disrupt communications and infrastructure. The much higher penetration of the USA and China with IT systems, the stronger networking of countries on their own territory and worldwide suggest that hackers would play an even greater role in a potential conflict.

To avoid getting caught in the virtual line of fire, it is advisable to pay the utmost attention to securing systems, but also to business continuity management and disaster recovery. Here the experts of Complion can support you in projects. For an overview of our services, follow this link.

Author: Tobias Philipsen