SAN FRANCISCO – National Security Agency (NSA) Cybersecurity Director Rob Joyce said on Wednesday that U.S. authorities are combatting Chinese state-sponsored actors through a long-term strategy that is “outcome-driven, alliance-centric and deliberately sequenced to impose cost.”
China has become a “brazen” force, said Joyce, both launching large-scale, sophisticated IP theft attacks and focusing on newer, emerging threats like disinformation campaigns. In response, the U.S. is using a mixture of diplomatic processes, economic sanctions, as well as tight collaboration with the private industry in order to weed out campaigns and expose infrastructure and tradecraft leveraged by Chinese state-sponsored actors. The goal is to make the actors “question whether they can sustain and absorb the economic and political pressure from mounting these types of campaigns,” he said.
“Russia is like a hurricane… loud, aggressive and it is the near-term threat right now… but China is climate change, they are the long-term pacing threat for us,” said Joyce during a session this week at RSA. “If you look at the challenge we have ahead of us, we have to be ready to deal with China.”
China-based actors are known for widespread exploitation of known vulnerabilities in devices that have not yet been patched. In 2020, the NSA released a list of 25 vulnerabilities that were being targeted by Chinese state-sponsored actors, which existed in devices from manufacturers like F5, Microsoft and Oracle. More recently, this week the NSA (in partnership with other U.S. agencies) warned that Chinese-backed threat actors have been leveraging several known flaws in network devices since 2020 in order to steal data.
Part of the challenge around Chinese state-sponsored actors is that they appear unfazed when their malicious activity is discovered, said Joyce. After the Hafnium group was exposed using zero-day vulnerabilities in Microsoft Exchange to gain access to target servers and then steal the contents of users’ inboxes, for instance, instead of quietly backing out the threat group ran scripts that hit every vulnerable device they could see and gathered thousands of Exchange servers, gaining strategic ground for future operations, said Joyce.
“Russia is like a hurricane… loud, aggressive and it is the near-term threat right now… but China is climate change, they are the long-term pacing threat for us.”
“When [the campaign] was discovered, they didn’t slink away,” said Joyce. “Often you get an APT, a nation-state actor, [and they usually] try to exit quietly, walk away from the infrastructure, not continue the operations. But in fact what we saw was that they downshifted and they hit the gas pedal.”
Chinese state-sponsored actors are also stealthy, launching their attacks from trusted devices that won’t immediately trigger SOC alerts. Often the infection chain used by Chinese threat actors involves different “legs,” including using a VPS and common pentesting tools to mask their activity and scanning and exploiting networks for recently disclosed vulnerabilities in routers for access. In response to these campaigns the U.S. government has been taking a multi-pronged approach to put pressure on Chinese nation-state actors. Joyce highlighted the NSA’s work leveraging its team of vulnerability researchers to uncover a number of Microsoft Exchange zero-day remote code execution vulnerabilities in 2021.
“Knowing that the Chinese were focused and aggressively willing to use Exchange vulnerabilities, we thought it was important that we take that box, shake it until vulnerabilities fell out and see that we could close them,” he said. “And so that was another action, that deterrence by denial, making sure we could keep them out in the next state.”
The NSA has also attempted to battle the Chinese state-sponsored threat through fostering solid partnerships with the private industry. The government has tried to step up in providing actionable information for threat defenders based on intelligence that describes a comprehensive breakdown of CVEs and tradecraft used by Chinese actors. At the same time, through relationships built via the NSA’s Cybersecurity Collaboration Center, industry partners who may detect malicious activity on their networks can tip the NSA off to look into “the foreign space” to find the other end of the potential threat and “work backwards and upstream,” said Joyce.
“One thing they leverage is our privacy protections… the idea that it is a blind spot where we at NSA can look into foreign space but we can’t look into that domestic space,” said Joyce. “That’s where the partnership with industry who owns and operates this has to be really tight.”