US agencies detail the digital ‘plumbing’ used by Chinese state-sponsored hackers

SAN FRANCISCO — U.S. agencies on Tuesday offered new details about how Chinese state-sponsored hackers have used publicly known vulnerabilities to target internet service providers and major telecommunications firms around the globe over the last two years.

Taking advantage of common vulnerabilities and exposures (CVEs) allows malicious actors backed by Beijing to break into victim accounts and network infrastructure — via a virtual private network or another public-facing application — “without using their own distinctive or identifying malware,” the FBI, the National Security Agency and the Cybersecurity and Infrastructure Security Agency said in an advisory.

The joint document is the latest effort by the federal government to inform the private sector about the scope of the digital threat posed by China and urge entities to take action to defend themselves.

Last week, FBI director Christopher Wray said China boasts “a bigger hacking program than all other nations combined,” warning that Chinese Communist Party leaders are studying the war in Ukraine for lessons about Taiwan. And last year, the U.S. and Western allies attributed a massive assault targeting Microsoft Exchange servers to Chinese state actors.

“Businesses may understand that they've had intrusion, or they've stopped an attempted intrusion, but they often can't weave together the pieces. This advisory is intended to bring together the pieces,” NSA Director of Cybersecurity Rob Joyce told The Record during a sit-down interview on the sidelines of the RSA conference.

The latest advisory details how hackers rely on compromised servers, or “hop points,” from China-based IP addresses in order to register and eventually gain access to email accounts, host command and control domains and otherwise interface with victimized networks.

After they have distanced themselves, state-linked actors go on to exploit infrastructure in internet providers and telecoms, as well as small home office and business routers manufactured by key industry providers, giving them the ability to target and attack at scale.

The perpetrators employ a variety of methods to hide their presence, bypass security features and configure victim networks to suit their needs, including pilfering data, enabling web shells for persistent access or routing data to infrastructure they themselves control.

“This work is building the foundation that they can do all of their objectives,” according to Joyce. 

“This is their plumbing.”

Not ‘holding back’

The technical advisory provides a list of the top 16 network devices most commonly used to propagate breaches, including three from telecom giant Cisco and four from data-storage hardware vendor QNAP.

However, it doesn’t name any threat actors or groups who have carried out intrusions or cite instances where the weaknesses were used to wreak havoc on a system or network.

Joyce said the agencies didn't name specific offenders because it “doesn't help you stop the tradecraft.”

“The intent here is to make sure that people understand how to recognize, and stop, that tradecraft,” he said. “We've got tradecraft that's been going since at least 2020. We're looking to break that cycle and we need the providers to understand that threat to break it. Knowing which APT number did it doesn't help you break the cycle.”

Joyce also defended excluding past breaches, arguing that “some of the providers will recognize themselves inside” the laundry list of known vulnerabilities.

The advisory makes a number of suggestions to cauterize the weaknesses, including many that have become staples of the government’s digital warnings — like keeping systems patched and updated, enabling multi-factor authentication and performing regular data backups.

Joyce insisted that the exposures cataloged in the document, all of which have been mitigated, represent a comprehensive accounting of known CVEs and that the government is not “holding back” about ongoing exploits or other potential security gaps.

The longtime NSA official also predicted how Beijing would react to the latest advisory.

“I am highly confident that they will yet again deny that they do this type of activity,” Joyce told The Record, noting Beijing has a “long track record” of conducting intrusions and massive digital espionage campaigns.

“We will continue to bring this pressure forward because it needs to stop,” he said.


Martin Matishak is the senior cybersecurity reporter for The Record. Prior to joining Recorded Future News in 2021, he spent more than five years at Politico, where he covered digital and national security developments across Capitol Hill, the Pentagon and the U.S. intelligence community. He previously was a reporter at The Hill, National Journal Group and Inside Washington Publishers.