Chinese State Hackers Level Up Their Abilities: CrowdStrike
Beijing Looks for Enterprise Software Zero-Days
A Chinese law requiring mandatory disclosure to the government of vulnerability reports appears to be paying dividends for state-connected hacking.
Chinese hackers with a connection to Beijing ramped up their use of zero-day vulnerabilities when attacking North American targets during 2022, says threat intelligence firm CrowdStrike.
The disclosure requirement, which took effect in September 2021 and obliges vendors to report newly discovered vulnerabilities to the Ministry of Industry and Information Technology within two days, "is effectively crowdsourcing vulnerability research in China," said Adam Meyers, senior vice president of intelligence at CrowdStrike.
"With this program, the Chinese government is up-leveling their capabilities," Meyers tells Information Security Media Group ahead of the company's release of an annual assessment of the global threat landscape.
CrowdStrike's assessment matches the conclusions of other companies, including Microsoft, which in November also found an increased use of zero-day exploitation by state hackers (see: China Likely Amasses 0-Days Via Vulnerability Disclosure Law).
Among the vulnerabilities most commonly exploited by Chinese hackers were flaws affecting Citrix Gateway, tracked as CVE-2022-27518; Microsoft Exchange Server, tracked as CVE-2022-41040, the server-side request forgery half of the ProxyNotShell pair; and Log4Shell, tracked as CVE-2021-44228 in Apache Log4j. The main targets were the American defense and telecommunications sectors, civil society and the pharmaceutical industry.
The company also highlights exploitation "consistent with China-nexus activity" of CVE-2022-29464, an unrestricted file upload flaw in WSO2 products that gives attackers remote code execution and, from there, a path into cloud computing infrastructure.
"There is increasing evidence that adversaries are growing more confident leveraging traditional endpoints to pivot to cloud infrastructure. The reverse is also true: Cloud infrastructure is being used as a gateway to traditional endpoints," the report says.
This shift toward exploiting flaws that vendors had not yet patched, or had only recently patched, marks a departure from the initial-access techniques previously associated with these groups, such as spear-phishing and credential theft.
If there's any consolation for North American cyber defenders in the CrowdStrike report, it's that Chinese state-connected hackers' primary targets were organizations in Asia, including the government, technology and telecommunications sectors.
"Intrusions in these regions accounted for roughly two-thirds of the China-nexus targeted intrusion activity CrowdStrike Intelligence confirmed in 2022," the report says. That finding also tracks with other threat intelligence, including a report from IBM, which found that the Asia-Pacific region accounted for nearly one-third of all incidents it monitored in 2022 (see: Asia-Pacific Faced the Highest Share of Cyberattacks in 2022).
Taiwan absorbed a hefty amount of Chinese state-directed hacking, a development CrowdStrike says is likely fueled by economic espionage. The operations may nonetheless support Beijing's desire for "unification" with Taiwan, given the People's Republic of China's aggressive assertions of sovereignty over the island nation.
The pace of Chinese state hacking did not increase before or after then-U.S. Speaker of the House Nancy Pelosi's visit to Taiwan, during which she declared solidarity with Taipei.
Taiwanese government sites did experience distributed denial-of-service attacks in the lead-up to Pelosi's visit, but that was "Chinese-affiliated nationalist hacktivist activity" rather than state-directed activity, CrowdStrike says.