When nearly two dozen of the world’s leading cybersecurity agencies issue a joint warning, it underscores the severity and the global reach of the threat at hand.
The US National Security Agency and its international partners have issued a new joint cybersecurity advisory on Chinese government-sponsored advanced persistent threat (APT) actors who are targeting telecommunications, government, transportation, lodging, and military infrastructure networks globally.
The advisory, Countering Chinese State-Sponsored Actors Compromise of Networks Worldwide to Feed Global Espionage System, was put together by US and international cybersecurity agencies, focusing on Chinese state-sponsored groups OPERATOR PANDA, RedMike, UNC5807, GhostEmperor, and Salt Typhoon.
Earlier this year, Trustwave, a LevelBlue Company, issued an in-depth report on Salt Typhoon, conducted by its SpiderLabs threat research team. For organizations defending high-value networks, the takeaways are clear: the threat is relentless, but proactive, intelligence-driven defense strategies can dramatically reduce risk.
The advisory noted these state-sponsored cyber threat actors are attacking targets globally. While these actors focus on large backbone routers of major telecommunications providers, as well as provider edge (PE) and customer edge (CE) routers, they also leverage compromised devices and trusted connections to pivot into other networks. These actors often modify routers to maintain persistent, long-term access to networks
Recommended Mitigations
The advisory provided a list of steps organizations can take to bolster their defenses, specifically against the groups mentioned, although they will also be effective against most adversaries.
The first step is threat hunting.
The authoring agencies encourage network defenders of critical infrastructure organizations, particularly telecommunications organizations, to conduct threat hunting and, when appropriate, incident response activities.
If malicious activity is suspected or confirmed, organizations should consider all mandatory reporting requirements to relevant agencies and regulators under applicable laws and regulations, as well as any additional voluntary reporting to appropriate agencies, such as cybersecurity or law enforcement agencies, which can provide incident response guidance and assistance with mitigation.
Trustwave offers two threat hunting services:
Trustwave Proactive Threat Hunting is human-led, combining human experts and automated processes with supported technologies that operate in your existing environment to bring you purpose-built threat hunting capabilities that help you get ahead of the adversaries.
A proactive hunt will reduce attacker dwell time, identify and eradicate threats in your environment, maximize visibility into open threat vectors across your environment, and help an organization’s security leaders gain peace of mind and a partner that is on hand to help.
ACTH is a behavioral and Tactics, Techniques, and Procedures (TTPs) focused threat-hunting platform and methodology based on the NIST MITRE ATT&CK framework.
ACTH enables the elite Trustwave SpiderLabs Threat Hunting team to conduct more and higher-quality, human-led threat hunts annually, identifying indicators of behavior across Trustwave’s global client base and multiple Endpoint Detection and Response (EDR) tools.
In addition, ACTH supports multiple EDR tools, which give Trustwave access to more queries that can be used to identify threats.
Additional Protective Measures
The advisory also suggested organizations should start with:
- Monitoring configuration changes - Including pulling all configurations for running networking equipment and checking for differences with the latest authorized versions.
- Monitor virtualized containers - If networking equipment has the capability to run virtualized containers, ensure that all running virtualized containers are expected and authorized.
- Monitor network services and tunnels - Monitor for management services running on non-standard ports (SSH, FTP, etc.)
- Monitor firmware and software integrity
- Perform hash verification on firmware and compare values against the vendor's database to detect unauthorized modification to the firmware. Ensure that the firmware version is as expected.
- Monitor logs - Review logs forwarded from network devices for indications of potential malicious behavior, such as evidence of clearing locally stored logs, disabling log creation or log forwarding, starting a PCAP recording process using available functions, allowing remote access via non-standard methods or to new locations, and changes to the configuration of devices via non-standard methods or from unexpected locations.
Please refer to the advisory for a full list of recommended actions and the Indicators of Compromise associated with these threat actors.
Trustwave’s MDR Solution as a Protective Layer
Solutions like Trustwave’s Managed Detection and Response (MDR) are very well suited to addressing all of these recommendations. Specifically, Trustwave’s MDR can:
- Improve your threat visibility across your environment, including hybrid cloud infrastructure.
- Eliminate active threats on a 24x7 basis.
- Extract more value from your existing security solutions by making them more effective.
- Detect and respond to threats more quickly and with more precision.
- Improve your security posture by finding sophisticated threats, including persistent threats and intruders who are embedded in your environment.
- Augment your internal security team with additional security professionals.
The benefits obtained from using MDR service providers are so significant that Gartner estimates 50 percent of organizations will be using MDR services by 2025 and that the market is growing at a rate nearly five times that of other managed security service (MSS) offerings.
The NSA’s advisory highlights the threat posed by these adversaries, but notes the proactive measures organizations can implement on their own or through a trusted cybersecurity partner.
