China-Backed Hackers Escalate Cyber Campaigns, Targeting Operational Technology

A comprehensive report from ReliaQuest Threat Research reveals a concerning trend in China-linked cyberattacks: a sustained focus on compromising Operational Technology (OT) environments within critical infrastructure sectors. These attacks indicate a shift beyond conventional cyberespionage towards long-term capabilities potentially designed to disrupt or sabotage essential services.

Understanding the Importance of Operational Technology (OT)

Operational Technology (OT) systems manage industrial machinery, power grids, transportation networks, and other vital infrastructure that directly impact our physical world. Historically isolated, OT systems are increasingly connected and vulnerable to attack.

China’s Strategic Motivations

China’s geopolitical ambitions, fueled by initiatives such as the “Belt and Road” and “Made in China 2025,” necessitate information dominance and the potential to disrupt competitors. Compromising OT systems offers a powerful means to gather sensitive data, gain commercial advantages, and lay the groundwork for targeted attacks in the event of conflict.

APT groups are the hidden arm of China’s cyber strategy, carrying out operations that blend espionage with sabotage. While some of these groups juggle financial gain with political objectives, a significant number are deeply entrenched in cyber espionage activities, acting under the directives of Chinese security apparatuses. The ReliaQuest report highlights how these groups, in conjunction with private security contractors, form a sophisticated ecosystem executing Beijing’s cyber ambitions.

Analysis of Notable Attacks

The past year has witnessed several high-profile cyber incidents orchestrated by China-linked APT groups such as APT27, APT31, BlackTech, and Volt Typhoon. These incidents underscore a worrying trend: the deliberate targeting of organizations reliant on operational technology. For instance, the Volt Typhoon group’s disruption attempts on US critical infrastructure via a sophisticated botnet underscore the dual-use nature of cyber operations.

• APT27’s impersonation of the Taiwan Semiconductor Manufacturing Company to deliver malicious payloads, and BlackTech’s firmware modifications for lateral movement, highlight a sophisticated blend of espionage with an eye on OT environments. These operations not only aim to steal sensitive information but also to understand and map out critical infrastructure for potential future disruption.
• The APT31 incident, involving attacks on air-gapped industrial systems in Eastern Europe, serves as a stark reminder of the lengths to which these groups will go to infiltrate the most secure environments. Utilizing a cocktail of malware variants, APT31’s operations underscore the strategic importance of industrial espionage, potentially laying the groundwork for more destructive operations.

Common Attack Techniques

The report elaborates on several common TTPs employed by these APT groups, offering a glimpse into their modus operandi. From exploiting public-facing applications to leveraging PowerShell for script execution, these strategies reflect a deep understanding of target networks and the creative use of legitimate tools for illegitimate purposes.

ReliaQuest highlights these recurring tactics leveraged by China-backed threat actors:

• Exploiting Public-Facing Vulnerabilities: Unpatched firewalls, routers, and other internet-connected devices provide an entry point.
• Masquerading Operations: The use of stolen credentials, legitimate-sounding filenames, and obfuscation techniques help attackers evade detection.
• Custom Toolsets: Advanced malware and backdoors allow persistent access, data exfiltration, and the potential for future disruption.

Escalating Threat Landscape

This report underscores the evolving threat landscape faced by critical infrastructure operators. China’s targeting of OT indicates a sophisticated, long-term strategy aligned with its national goals.

Calls to Action

• Prioritize OT Security: Organizations must elevate OT cybersecurity investments, applying robust patching practices, network segmentation, and advanced threat detection solutions.
• Government Collaboration: International cooperation and information sharing are crucial to counter this multifaceted threat to critical infrastructure.

Conclusion

The ReliaQuest report serves as a stark reminder of the escalating risks to vital systems underpinning our society. Heightened vigilance and proactive defense strategies now take on paramount importance.