Chinese, Russian espionage campaigns increasingly targeting edge devices

Chinese and Russian hackers have turned their focus to edge devices — like VPN appliances, firewalls, routers and Internet of Things (IoT) tools — amid a startling increase in espionage attacks, according to Google security firm Mandiant.

The company published the findings as part of its annual report on cyber investigations Mandiant was involved in last year. 

Charles Carmakal, chief technology officer at Mandiant, told Recorded Future News that there has been a significant shift in the tactics used by espionage hackers based in China and Russia. For years, incident responders saw the same playbook — employees would be targeted with malicious phishing emails containing malware that would give hackers a foothold into the system.

But last year, Carmakal said the most common way into companies was by finding a zero-day vulnerability in frequently deployed devices. 

“I think there is a very deliberate focus by the Chinese government to start to identify zero day vulnerabilities and develop malware for edge devices. And something that might surprise people is that we see Chinese espionage operators using less and less malware today on Windows computers than ever before,” he said. 

“The reason for that is because [Endpoint Detection and Response] solutions are getting really good now. If you deploy malware on a Windows computer, the chances of you getting caught are much higher than if you deployed the same malware on a VPN appliance.”

Mandiant saw a more than 50% growth in zero-day usage compared to 2022, both by espionage groups as well as financially motivated attackers.

In incidents handled by Mandiant, the company saw 38% of intrusions start with an exploit, a 6% increase on the year before, whereas 17% of intrusions started with phishing emails — a drop of 22%. The third most common way hackers got into systems was through previous compromises repurposed for new attacks. 

Both Carmakal and Mandiant Consulting Vice President Jurgen Kutscher noted that part of the shift was due to espionage hackers prioritizing avoiding detection. 

Entry through vulnerabilities allows hackers to stay inside systems for longer without detection while phishing emails are more likely to be flagged by security solutions. Nonetheless, the amount of time hackers spend in breached systems before they are discovered — known as “dwell time” — actually fell to its lowest level ever recorded at 10 days, a six-day decrease compared to 2022. 

“Attackers are taking steps to evade detection and remain on systems for longer, and one of the ways they accomplish this is through the use of zero-day vulnerabilities,” Kutscher added. “This further highlights the importance of an effective threat hunt program, as well as the need for comprehensive investigations and remediation in the event of a breach.”

The researchers noted in the report that zero-day vulnerabilities are no longer simply the domain of state-backed espionage hackers. An increasing number of criminal groups are also exploiting zero-days — the most prominent of which was seen in 2023 through the MOVEit file transfer attacks. 

Mandiant investigators found that a Russia-based ransomware gang — known as Clop — began scanning the internet for vulnerable instances of MOVEit 12 days before they began stealing data from more than 2,500 organizations worldwide. 

After the MOVEit vulnerability, the most popular vulnerabilities exploited by both espionage and criminal groups were in Oracle E-Business Suite and Barracuda Email Security Gateway. Both MOVEit and the Barracuda product are edge devices. 

The report did include some positive news. Companies are getting better about detecting compromises internally, rather than being told of attacks either by hackers themselves or security researchers. Internal detection of compromise in 2023 grew to 46% of incidents Mandiant dealt with, compared to 37% in 2022.