Google’s Threat Analysis Group (TAG) and Mandiant researchers have identified a wave of sophisticated cyberattacks targeting U.S. federal agencies and organizations, including those in the defense and energy sectors. Google and Mandiant researchers identified several distinct groups of hackers, all of which they assess to be sponsored by the Chinese government.
The attacks are part of a larger effort by the Chinese government to acquire information and intellectual property from U.S. companies and organizations, according to Google and reported by The Wall Street Journal.
Chinese cyber-espionage: avoiding detection, maintaining persistence
What makes this report concerning is that the alleged Chinese state-sponsored hacker groups have been able to penetrate target networks and maintain persistent access for years. To evade detection, hacker groups target edge devices such as firewalls, VPN technologies, IoT devices, and hypervisors.
Zero-day vulnerabilities were leveraged to deploy backdoors onto equipment such as Fortinet and VMware solutions. Malware was deployed across multiple Fortinet solutions such as FortiGate (firewall), FortiManager (centralized management solution), and FortiAnalyzer (log management, analytics, and reporting platform).
The hackers were able to conceal their tracks by clearing and modifying logs, disabling file system verification on device startup, and avoiding targets that have EDR capabilities.
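The log clearing and modification described above is only detectable if the defender holds evidence that the device itself cannot rewrite. One common mitigation is to forward logs off the device and keep a tamper-evident chain over them, so that a cleared or edited entry on the local copy no longer matches what the collector retained. The following is an added illustration written for this article, not code from Google, Mandiant, Fortinet or VMware; the log lines, the key and the collector behaviour are all constructed for the demo.

```python
import hashlib
import hmac

# Constructed sample log lines (not real FortiGate or VMware output).
SAMPLE_LOG = [
    "2023-01-10T08:00:01 fw01 admin login from 10.0.0.5 status=success",
    "2023-01-10T08:02:17 fw01 config change: firewall policy 42 edited",
    "2023-01-10T08:03:40 fw01 fs-check-on-boot set to disabled",
    "2023-01-10T08:05:03 fw01 admin logout 10.0.0.5",
]

# Constructed shared secret; in practice the key lives on the collector, never on the edge device.
DEMO_KEY = b"constructed-demo-key-not-for-production"

# Chain start marker: 32 zero bytes stand in for "no previous entry".
GENESIS = b"\x00" * 32


def chain_log(entries, key):
    """Return [(entry, tag_hex)] where each tag is HMAC(key, prev_tag || entry).

    Because every tag covers the previous tag, deleting, reordering or editing
    any earlier entry changes every tag that follows it.
    """
    prev = GENESIS
    chained = []
    for entry in entries:
        tag = hmac.new(key, prev + entry.encode(), hashlib.sha256).digest()
        chained.append((entry, tag.hex()))
        prev = tag
    return chained


def verify_chain(chained, key, collector_last_tag=None):
    """Recompute the chain over a (possibly tampered) local copy.

    Returns (ok, index, reason). `collector_last_tag` is the final tag the
    remote collector stored; supplying it also catches truncation, i.e. a
    log that was "cleared" rather than edited.
    """
    prev = GENESIS
    for index, (entry, tag_hex) in enumerate(chained):
        expected = hmac.new(key, prev + entry.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected.hex(), tag_hex):
            return (False, index, "entry modified or reordered")
        prev = expected
    if collector_last_tag is not None and not hmac.compare_digest(prev.hex(), collector_last_tag):
        return (False, len(chained), "log truncated: collector's last tag not reached")
    return (True, None, "ok")


def demo():
    """Exercise the three cases: intact, entry edited, log cleared."""
    chained = chain_log(SAMPLE_LOG, DEMO_KEY)
    collector_last_tag = chained[-1][1]  # what the off-device collector keeps

    intact = verify_chain(chained, DEMO_KEY, collector_last_tag)

    # Attacker rewrites the fs-check line to hide the change but keeps the old tag.
    edited = list(chained)
    edited[2] = ("2023-01-10T08:03:40 fw01 fs-check-on-boot set to enabled", chained[2][1])
    modified = verify_chain(edited, DEMO_KEY, collector_last_tag)

    # Attacker clears everything after the login event.
    cleared = verify_chain(chained[:1], DEMO_KEY, collector_last_tag)

    return intact, modified, cleared


if __name__ == "__main__":
    for label, result in zip(("intact", "modified", "cleared"), demo()):
        print(f"{label}: {result}")
```

The chain only has value if the key and the last tag are stored somewhere the compromised device cannot reach; a chain verified with a key that lives on the firewall is just a checksum the intruder can recompute. Shipping the tags to the collector with each forwarded entry is what makes the truncation check possible.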
Defense contractors, government agencies, and tech firms targeted
According to Google, the hackers are primarily targeting companies in the defense and government sectors, but they have also targeted organizations in other industries, including finance and technology. The attacks have been ongoing for several years, and Google expects the hackers to continue their efforts across new targets.
Google said that it has notified the U.S. government and the affected organizations about the attacks, and is working with them to mitigate the risks. The company also recommended that organizations take steps to protect themselves from these types of attacks.
Chinese state-sponsored hacking groups have had success for years in penetrating US defense and government agencies. Most prolific was the breach of Lockheed Martin, which developed the F-35 stealth combat aircraft used by the United States military, among others. In 2007, Chinese actors stole proprietary, advanced military technology from Lockheed Martin, and China went on to release the J-31 combat aircraft, which bears many resemblances to the F-35 and had similar capabilities at the time.
U.S. intelligence officials said China “probably currently represents the broadest, most active, and persistent cyber espionage threat to U.S. government and private-sector networks,” according to the Wall Street Journal.
Disclaimer: The author of this article is a current employee of Google. This article does not represent the views or opinions of his employer and is not meant to be an official statement for Google, or Google Cloud.