Defending Against China-Nexus Covert Networks of Compromised Devices

Executive summary

Explaining the widespread shift in tactics, techniques and procedures (TTPs) towards networks of compromised infrastructure, and how to defend against it 

Summary

With support from the UK Cyber League, this advisory has been jointly released by the National Cyber Security Centre (NCSC-UK) and international partners: 

  • Australian Signals Directorate’s (ASD’s) Australian Cyber Security Centre (ACSC)
  • Communications Security Establishment Canada’s (CSE’s) Canadian Centre for Cyber Security (Cyber Centre)
  • Germany Federal Office for the Protection of the Constitution – Bundesamt für Verfassungsschutz (BfV)
  • Germany Federal Intelligence Service – Bundesnachrichtendienst (BND)
  • Germany Federal Office for Information Security – Bundesamt für Sicherheit in der Informationstechnik (BSI)
  • Japan National Cybersecurity Office (NCO) – 国家サイバー統括室
  • Netherlands General Intelligence and Security Service – Algemene Inlichtingen- en Veiligheidsdienst (AIVD)
  • Netherlands Defence Intelligence and Security Service – Militaire Inlichtingen- en Veiligheidsdienst (MIVD)
  • New Zealand National Cyber Security Centre (NCSC-NZ)
  • Spain National Cryptologic Centre – Centro Criptológico Nacional (CCN)
  • Sweden National Cyber Security Centre – Nationellt cybersäkerhetscenter (NCSC-SE)
  • United States Cybersecurity and Infrastructure Security Agency (CISA)
  • United States Department of Defense Cyber Crime Center (DC3)
  • United States Federal Bureau of Investigation (FBI)
  • United States National Security Agency (NSA) 

Its purpose is to provide network defenders with the tools needed to defend against China-nexus cyber actors and their tactic of routing cyber activity through large-scale networks of compromised devices (covert networks).

Introduction  

Over the past few years there has been a major shift in the tactics, techniques and procedures (TTPs) used by China-nexus cyber actors, moving away from the use of individually procured infrastructure, and towards the use of externally provisioned, large-scale networks of compromised devices. 

The NCSC believes that the majority of China-nexus threat actors are using these networks (hereafter "covert networks"), that multiple covert networks have been created and are constantly being updated, and that a single covert network may be used by multiple actors. These networks are mainly made up of compromised Small Office Home Office (SOHO) routers, as well as Internet of Things (IoT) and smart devices.

Anyone who is a target of China-nexus cyber actors may be affected by the use of covert networks. The Chinese state-sponsored actor Volt Typhoon has used a covert network to pre-position offensive cyber capabilities on critical national infrastructure. The group Flax Typhoon used a different covert network of compromised infrastructure to conduct cyber espionage.

The use of covert networks of compromised devices – also known as botnets – to facilitate malicious cyber activity is not new, but China-nexus cyber actors are now using them strategically, and at scale.  

This advisory describes the typical makeup of a covert network and what they are being used for. It also includes protective adv

[…]

This article has been indexed from All CISA Advisories