Hackers linked to the Chinese Ministry of State Security are engaged in cyberattacks against U.S. government networks, the Department of Homeland Security said Monday.
The DHS’ Cybersecurity and Infrastructure Security Agency (CISA) warned in a new report to government and private-sector computer administrators that agents working with the Chinese intelligence service, known as the MSS, are using publicly available information to conduct cyberattacks against them.
“CISA has observed these — and other threat actors with varying degrees of skill — routinely using open-source information to plan and execute cyber operations,” the report said.
Working with the FBI, the agency warned that the MSS operations involved well-known hacker tools to penetrate targeted networks that fail to patch security flaws.
“Maintaining a rigorous patching cycle continues to be the best defense against the most frequently used attacks,” the agency stated.
The cyberattacks originated in China and relied on commercially available information sources and open-source hacker tools. The report did not specify which government agencies were affected by the cyberattacks.
One of the most serious Chinese hacks against the U.S. government was disclosed in 2015 after Beijing obtained 22 million records on government employees from the Office of Personnel Management.
The records included sensitive data on government and military employees who hold security clearances — data that U.S. officials have said is being used by China’s intelligence service for espionage.
The latest report is based in part on the federal grand jury indictment in July charging two MSS hackers from the Guangdong State Security Department with attempting to steal business information, including research on the COVID-19 virus. The 11-count indictment said Li Xiaoyu and Dong Jiazhi engaged in a 10-year hacking campaign against high-technology companies in the United States and globally.
The targeted industries included high-tech manufacturing; medical device, civil, and industrial engineering; business, educational, and gaming software; solar energy; pharmaceuticals; and defense companies.
The July indictment did not indicate that the MSS was hacking into government computer networks, only U.S. and foreign private-sector networks.
“The continued use of open-source tools by Chinese MSS-affiliated cyber threat actors highlights that adversaries can use relatively low-complexity capabilities to identify and exploit target networks,” the CISA report said. “In most cases, cyber operations are successful because misconfigurations and immature patch management programs allow actors to plan and execute attacks using existing vulnerabilities and known exploits.”
In targeting U.S. government networks, the MSS used Shodan, a search engine for locating vulnerable devices connected to the internet, allowing the hackers to “use relatively unsophisticated techniques to execute opportunistic attacks on susceptible targets,” the report said.
Other targets were identified from two databases used to identify common vulnerabilities.
According to the report, the MSS would conduct cyberattacks after the public release of alerts that identified operating system vulnerabilities. The alerts are used to tell computer administrators to patch systems, but the Chinese were able to attack systems that were not updated.
“CISA analysts consistently observe targeting, scanning, and probing of significant vulnerabilities within days of their emergence and disclosure,” the report said.
“In some cases, cyber threat actors have used the same vulnerabilities to compromise multiple organizations across many sectors.”
Among the attacks used by the MSS in the past year were cyber strikes against federal government systems through a traffic management user interface, a virtual private network, and Microsoft Exchange Server software. In one case, a compromised government network was detected “beaconing” information to a Chinese intelligence server.
The MSS also purchased domain names and virtual private networks as part of the cyberattacks, targeted a commercial software program to monitor keystrokes, used malware to steal passwords and secure network administrator privileges, and sent “spearphishing” emails linked to MSS-controlled websites.