China’s Calculated Cyber Offensive: Unmasking the Urgent Threat 

by Griffin Windheuser

The People's Republic of China (PRC) has unleashed a relentless barrage of cyber-attacks, targeting both public and private sector organizations and critical infrastructure. The gravity of this threat was made official on May 24th of this year, when a joint cybersecurity advisory was issued by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), and international partners. Concurrently, Microsoft made a significant announcement regarding disruptive attacks orchestrated by Volt Typhoon, a Chinese state-sponsored actor, targeting vital communication infrastructure. The ramifications are clear: not only does this jeopardize national security for the United States, but it also exposes the vulnerability of our information systems. It is imperative that proactive measures are taken to bolster network security within organizations providing critical services.

The attacks employ a strategy known as "living off the land." This approach lets attackers such as Volt Typhoon carry out their activity with legitimate tools and utilities already present on the compromised systems, rather than custom malware, so that their actions blend in with routine administration and evade detection. It's a shrewd maneuver that magnifies the challenges defenders face in identifying and mitigating these threats.

The actors route their traffic through a rotating set of Virtual Private Servers (VPSs) used as encrypted proxies to reach network devices such as small office/home office (SOHO) routers or network attached storage (NAS) devices. Once compromised, these devices are used to route or host command and control (C2) traffic, act as a midpoint for further network intrusion, and register puppet email accounts. The compromised devices are known as "hop points," and their traffic leads back to numerous China-based IP addresses belonging to Chinese internet service providers (ISPs).

Unfortunately, these hop points often go unnoticed by cybersecurity professionals who struggle to routinely patch the many internet-facing services and endpoint devices they manage. This strategy allows the attackers to operate with anonymity. When the attacker executes commands within the network, the activity is camouflaged amid the barrage of frequent commands that are native to the network.
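Because living-off-the-land activity hides among commands the network already runs, one practical detection is to baseline how often each command is used and flag the ones that are rare or entirely new. The script below is an added example written for this article, not code from the advisory or from any vendor; the audit-log format, host and user names, and the commands are all constructed for illustration.

```python
"""Rarity-based detection of commands that do not fit a host's baseline.

Added example: the audit log below is constructed (not real data). A short
baseline window establishes which commands are routine on the device; every
command in the later window that was rarely or never seen in the baseline
is reported for review.
"""
from collections import Counter
import re

# Constructed audit lines: ISO-8601 UTC timestamp, host, user, command name.
AUDIT_LOG = """\
2023-05-24T08:00:01Z host=edge-rtr-01 user=netops cmd=show_interfaces
2023-05-24T08:05:13Z host=edge-rtr-01 user=netops cmd=show_interfaces
2023-05-24T08:10:44Z host=edge-rtr-01 user=netops cmd=show_version
2023-05-24T08:15:02Z host=edge-rtr-01 user=netops cmd=show_interfaces
2023-05-24T08:20:31Z host=edge-rtr-01 user=netops cmd=show_version
2023-05-24T08:25:09Z host=edge-rtr-01 user=netops cmd=show_interfaces
2023-05-24T09:01:17Z host=edge-rtr-01 user=admin cmd=export_config
2023-05-24T09:01:25Z host=edge-rtr-01 user=admin cmd=show_interfaces
2023-05-24T09:02:40Z host=edge-rtr-01 user=admin cmd=add_tunnel
2023-05-24T09:03:55Z host=edge-rtr-01 user=netops cmd=show_interfaces
"""

# Assumed line layout for the constructed log; adapt the pattern to a real source.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) cmd=(?P<cmd>\S+)$"
)


def parse_audit(text):
    """Parse audit lines into dicts; lines that do not match the layout are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def find_rare_commands(events, cutoff, min_baseline_count=2):
    """Return events at or after `cutoff` whose command appeared fewer than
    `min_baseline_count` times before `cutoff`.

    Timestamps are ISO-8601 in UTC with fixed width, so plain string
    comparison orders them correctly.
    """
    baseline = Counter(ev["cmd"] for ev in events if ev["ts"] < cutoff)
    alerts = []
    for ev in events:
        if ev["ts"] < cutoff:
            continue  # baseline period, not evaluated
        seen = baseline[ev["cmd"]]
        if seen < min_baseline_count:
            alerts.append({**ev, "baseline_count": seen})
    return alerts


if __name__ == "__main__":
    events = parse_audit(AUDIT_LOG)
    for alert in find_rare_commands(events, "2023-05-24T09:00:00Z"):
        print(f"{alert['ts']} {alert['host']} user={alert['user']} "
              f"cmd={alert['cmd']} seen_in_baseline={alert['baseline_count']}")
```

The baseline window and the threshold are the tuning knobs: a longer baseline makes rarely-used but legitimate maintenance commands less likely to alert, while a per-user baseline (counting `(user, cmd)` pairs instead of `cmd` alone) would also surface a routine command issued by an account that never ran it before.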

Telecommunications and network providers have been increasingly targeted, with actors infiltrating secure networks and stealing their data traffic. Of particular concern is the uptick in attacks since 2020. The attacks typically start with the actors using hop points and open-source tools that scan networks for vulnerabilities. Examples of such open-source tools include RouterSploit and RouterScan, which specifically target the software framework of routers and allow for the exploitation of SOHO and other routers made by vendors such as Cisco, Fortinet and MikroTik, according to reports by the Cybersecurity and Infrastructure Security Agency.

Once a vulnerability grants the actor access within a target network, a Remote Authentication Dial-In User Service (RADIUS) server is identified. The RADIUS server provides credentials that allow access to a Structured Query Language (SQL) database. This relational database, queried using the SQL language, stores records with pre-defined relations between them, such as accounts and their passwords.

With that access, the actor can pull the account and login information of an administrative account from the database, which in turn lets the actor connect from their own hop-point router over Secure Shell (SSH) with administrative capabilities, creating an encrypted connection between the attacker and the target network. Equipped with administrative or command and control (C2) capabilities, the actor can execute commands that covertly redirect and steal the information and traffic traveling over the network.

The National Security Agency's Cybersecurity Advisory on the matter outlines details on vulnerabilities and mitigations. It also includes recommendations such as keeping systems current and applying patches immediately. If a breach does occur, it is important to change passwords and review accounts. Disabling external management capabilities and establishing an alternative access method to the network are also among the suggestions.
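The step where stolen administrative credentials are used over SSH from a hop point, and the advisory's recommendation to disable external management, both come down to the same question for a defender: did a privileged login arrive from somewhere other than the management network? The script below is an added example for this article, not code from the advisory, NSA or CISA; the sshd-style log lines, the management prefix `10.10.0.0/24`, and the privileged account names are all constructed assumptions.

```python
"""Flag privileged SSH logins that did not originate from the management network.

Added example: the sshd-style log lines below are constructed (not from any
real system). The management prefix and privileged account names are
placeholders that a real deployment would replace with its own values.
"""
import ipaddress
import re

# Assumed management network(s) and privileged accounts (placeholders).
MANAGEMENT_PREFIXES = [ipaddress.ip_network("10.10.0.0/24")]
PRIVILEGED_ACCOUNTS = {"admin", "netadmin"}

# Constructed log lines in the common sshd "Accepted ... from ..." shape.
SSH_LOG = """\
May 24 09:00:12 edge-rtr-01 sshd[1201]: Accepted publickey for netops from 10.10.0.15 port 50022 ssh2
May 24 09:03:41 edge-rtr-01 sshd[1207]: Accepted password for admin from 10.10.0.20 port 50101 ssh2
May 24 09:07:03 edge-rtr-01 sshd[1215]: Failed password for admin from 198.51.100.23 port 41002 ssh2
May 24 09:07:09 edge-rtr-01 sshd[1215]: Accepted password for admin from 198.51.100.23 port 41002 ssh2
May 24 09:15:55 edge-rtr-01 sshd[1230]: Accepted password for guest from 203.0.113.9 port 33000 ssh2
"""

# Only successful logins are of interest here; failures are left to a separate rule.
LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_logins(text):
    """Return one dict per accepted login found in the log text."""
    events = []
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def is_management_ip(ip):
    """True when the address falls inside one of the allowed management prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MANAGEMENT_PREFIXES)


def find_external_admin_logins(events, privileged=PRIVILEGED_ACCOUNTS):
    """Return accepted logins for privileged accounts from outside the
    management network, each with a list of reasons for the alert."""
    alerts = []
    for ev in events:
        if ev["user"] not in privileged:
            continue
        reasons = []
        if not is_management_ip(ev["ip"]):
            reasons.append("source outside management network")
            if ev["method"] == "password":
                # A password login from outside is the pattern stolen
                # credentials would produce; key-based logins are noted separately.
                reasons.append("password authentication from external source")
        if reasons:
            alerts.append({**ev, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in find_external_admin_logins(parse_logins(SSH_LOG)):
        print(f"{alert['ts']} {alert['host']} user={alert['user']} "
              f"from={alert['ip']} reasons={'; '.join(alert['reasons'])}")
```

In the constructed log, the `admin` login from `198.51.100.23` is the only one reported: `netops` and the in-network `admin` session come from the management prefix, and `guest` is not a privileged account. When external management is disabled as the advisory recommends, any hit from this rule indicates either a configuration drift or the exact access path described above.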

Knowledge is a powerful tool. It is of the utmost importance for organizations and governments to stay informed and arm themselves against these threats. Through knowledge sharing and collaboration among the various stakeholders, we can shield our critical infrastructure and sensitive data.