Chinese APTs Shift Tactics to Evade Detection and Maintain Stealth
In light of increasing global tensions and heightened scrutiny, Chinese Advanced Persistent Threat (APT) groups are adapting their strategies to avoid detection and maintain stealth in their cyber espionage operations. A new report from Intel 47 sheds light on these evolving tactics, emphasizing the growing reliance on zero-day exploits, living-off-the-land (LOTL) techniques, and operational relay box (ORB) networks.
Zero-Day Exploits Targeting Network Edge Devices
Chinese APTs are increasingly shifting their focus to exploiting zero-day vulnerabilities in network edge devices such as firewalls and VPN gateways. These devices typically receive far less security monitoring than endpoints, which makes them an attractive entry point for attackers seeking access to sensitive networks.
“These devices are internet facing and provide critical services to remote users, but they also are not easily monitored by network administrators due to the lack of endpoint detection and response (EDR) solutions installed,” the report notes. This provides attackers with a “rapid route to privileged local or network credentials on a server with broad access to the internal network.”
The report highlights the growing number of edge-related vulnerabilities being added to the Known Exploited Vulnerabilities catalog and cites examples of Chinese APT groups, such as Volt Typhoon, actively exploiting these vulnerabilities to target critical infrastructure.
Living Off the Land for Enhanced Stealth
To further evade detection, Chinese APTs are increasingly employing LOTL techniques, using legitimate tools and features already present in the target environment. This approach reduces the need for custom malware, which would leave detectable artifacts, and helps attackers blend in with normal administrative activity.
The report cites examples of APT groups like Flax Typhoon and Volt Typhoon leveraging built-in Windows utilities to carry out their attacks. “Rather than develop highly sophisticated custom malware, nation-state groups increasingly will use LOTL techniques to maintain persistence and undetected access on information technology (IT) networks,” the report states.
Operational Relay Box Networks for Obfuscation
Another key trend identified in the report is the growing use of ORB networks, which are vast infrastructures of compromised devices used to proxy and relay traffic, effectively obscuring the attackers’ true location and identity.
“Chinese ORB networks will continue to develop and mature at pace, reducing APT groups’ dependency on conventional actor-controlled infrastructure,” the report warns. These networks provide a highly scalable and resilient infrastructure for carrying out espionage operations.
A Call for Vigilance
The report concludes with a call for increased vigilance and proactive security measures to counter the evolving threat posed by Chinese APTs. As these groups continue to refine their tactics and techniques, organizations must adapt their defenses accordingly, in particular by extending monitoring to edge devices and to the legitimate tools that LOTL tradecraft abuses.
“Global geopolitical developments will continue to heavily influence the Chinese APT threat landscape in terms of targeting, tool sets and TTPs,” the report emphasizes. “The acceleration of improvements in the cybersecurity posture of numerous key targeted countries has compelled Chinese state-sponsored intelligence forces to become more innovative with their attack strategies.”