May 09, 2024
Key Points
In keeping with the other Threat Spotlight Reports in our series on operational technology (OT), this report examines the threat posed by Chinese APT groups to OT. We analyze four key Chinese cyber attacks with an OT element—targeting companies that are major users of OT or using TTPs that align with the MITRE Industrial Control Systems (ICS) Matrix—from the past 12 months. We review the common TTPs used in these cyber incidents and provide key detection and mitigation advice. This report will be particularly useful for organizations that have, or that are planning to incorporate, OT in their infrastructure.
China’s strategic interests—the “Belt and Road” and “Made in China 2025” initiatives—along with strained geopolitical relations on multiple fronts (including South China Sea territorial disputes, Taiwan’s sovereignty, and repeated clashes with the US) have escalated its need for information. The ability to access, control, manipulate, and destroy information will provide Beijing with a significant advantage, growing commercial success for Chinese companies, and—in the event of war—informing its military strategies.
APT groups have become essential to the Chinese Communist Party (CCP)’s extensive cyber campaigns. While some of these threat groups conduct a mix of financially and politically motivated attacks, many of them primarily carry out cyber espionage and intelligence-gathering operations at the behest of Chinese security bureaus. ReliaQuest recently published a report on the Chinese hacking ecosystem that shows the business relationship between Chinese APT groups and private security contractors.
The following incidents are indicative of how China is relying on APT groups to disrupt OT environments. One likely objective of such operations is to disrupt or damage critical infrastructure in the event of conflict with the US or its allies, slowing down the US' military and political responses.
In the past 12 months, Chinese threat groups including APT27, APT31, BlackTech, and Volt Typhoon have targeted organizations that use OT. Below, we take a closer look at each incident.
In January 2024, the US government disclosed that it had disrupted the botnet that the Volt Typhoon group used to conceal the origin of its activities, which included the targeting of critical infrastructure organizations in the US and other countries. The botnet mainly consisted of Cisco and NetGear routers that had reached their end-of-life status, which meant they were no longer receiving security patches or updates from the manufacturers. Volt Typhoon used multi-hop proxies—typically composed of virtual private servers (VPSs) or small office/home office (SOHO) routers—for command-and-control (C2) infrastructure. US security agencies asserted with high confidence that Volt Typhoon was pre-positioning itself on critical IT networks, with the aim of disrupting OT functions across various sectors.
In October 2023, APT27 targeted semiconductor companies in Hong Kong, Singapore, and Taiwan in a cyber-espionage campaign, impersonating the Taiwan Semiconductor Manufacturing Company to deliver Cobalt Strike beacons. The threat group leveraged the “HyperBro” loader and a new malware downloader to deliver additional malware. A compromised Cobra DocGuard web server was also used to host second-stage binaries, including a Go-based backdoor, “ChargeWeapon.” ChargeWeapon is typically used to get remote access and send device and network information from a compromised host to APT27’s C2 server.
In September 2023, US and Japanese authorities warned that BlackTech was modifying branch router firmware without detection to pivot from certain organizations’ international subsidiaries to their corresponding headquarters in Japan and the US. BlackTech targeted several sectors that heavily depend on OT, including wholesale trade; information; and professional, scientific, and technical services. BlackTech attacks typically begin with spearphishing emails that contain backdoor-laden attachments that deploy malware to harvest sensitive data.
In August 2023, cybersecurity researchers reported that APT31 had compromised numerous industrial organizations in Eastern Europe to siphon data from air-gapped systems in 2022. The threat group used multiple malware variants to establish persistent remote access and gather sensitive information, which they then sent to infrastructure controlled by the group. Its toolkit included the “FourteenHi” malware family and the first-stage backdoor “MeatBall.” APT31 used Yandex Cloud for C2.
The Volt Typhoon attack stands out from the other three incidents—it was the only attack whose goal was specifically to disrupt OT systems. During the attack, Volt Typhoon attempted to gain access to OT assets by using default OT vendor credentials (T0812). Some credentials—those previously compromised via NTDS.dit theft (T0859)—proved fruitful. Once the group gained access, it had multiple options for disruption: it could have manipulated heating, ventilation, and air conditioning (HVAC) systems in server rooms (T0831, T0847); disabled critical energy and water controls (T0880); and accessed camera surveillance systems at OT facilities. Because its botnet was taken down, it's unclear what its specific action plan was. It is clear, though, that the ability to impact these sectors would provide China with a significant opportunity.
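As an added example (not part of the ReliaQuest report), the following detection routine flags process-creation events consistent with the NTDS.dit theft (T0859) referenced above. The key=value log format, host names, user names and command lines are constructed for illustration.

```python
"""Flag process-creation events consistent with NTDS.dit theft (ICS ATT&CK T0859).

Added example with a hypothetical 'key=value|key=value' log format and constructed events.
"""
import re
from typing import Iterable

# Each rule: (label, pattern matched against the lower-cased command line).
NTDS_THEFT_RULES = [
    ("ntdsutil_ifm", re.compile(r"\bntdsutil(\.exe)?\b.*\bifm\b")),
    ("vss_shadow_create", re.compile(r"\bvssadmin(\.exe)?\b.*\bcreate\s+shadow\b")),
    ("ntds_file_copy", re.compile(r"\b(copy|xcopy|robocopy|esentutl(\.exe)?)\b.*ntds\.dit")),
    ("shadow_copy_ntds", re.compile(r"harddiskvolumeshadowcopy\d+.*ntds\.dit")),
]


def parse_event(line: str) -> dict:
    """Parse one 'key=value|key=value' process-creation record (constructed format)."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def detect_ntds_theft(lines: Iterable[str]) -> list[dict]:
    """Return one alert per event whose command line matches at least one rule."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        cmd = ev.get("cmd", "").lower()
        matched = [label for label, rx in NTDS_THEFT_RULES if rx.search(cmd)]
        if matched:
            alerts.append({"host": ev.get("host"), "user": ev.get("user"),
                           "rules": matched, "cmd": ev.get("cmd")})
    return alerts


# Constructed sample events; the second, third and fourth should raise alerts.
SAMPLE_EVENTS = [
    "host=DC01|user=CORP\\svc_backup|cmd=C:\\Windows\\System32\\svchost.exe -k netsvcs",
    "host=DC01|user=CORP\\jdoe|cmd=ntdsutil.exe \"ac i ntds\" \"ifm\" \"create full C:\\temp\\x\" q q",
    "host=DC01|user=CORP\\jdoe|cmd=vssadmin.exe create shadow /for=C:",
    "host=DC01|user=CORP\\jdoe|cmd=copy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\\Windows\\NTDS\\ntds.dit C:\\temp\\n.dit",
    "host=WS07|user=CORP\\alice|cmd=notepad.exe C:\\Users\\alice\\notes.txt",
]

if __name__ == "__main__":
    for alert in detect_ntds_theft(SAMPLE_EVENTS):
        print(alert)
```

In production the same rules would be applied to process-creation telemetry (for example Windows Event ID 4688 or Sysmon Event ID 1) from domain controllers, where legitimate use of these tools is rare and should be tied to scheduled backup accounts.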
The other three incidents also had an OT element, but were primarily conducted for espionage—their use of multiple backdoors throughout the different stages of the attacks indicated that data exfiltration was key.
Despite their differences, all four attacks had TTPs in common. Below, we’ll show how these TTPs were used in each case study and provide recommendations for each.
Collaborations between Chinese APT groups have resulted in frequent overlapping of TTPs and toolsets, making attributing Chinese APT activity challenging. This longstanding cooperation (e.g., pooled resources) is almost certainly going to continue, with cyber operations remaining aligned with the CCP’s broader strategic interests. Chinese APT activity will almost certainly retain its distinct qualities: frequent zero-day exploitations, scrupulous attention to maintaining persistence and remaining undetected, and sophisticated social engineering tactics.
As geopolitical events concerning China continue to develop around the world, Chinese threat actors are likely to increasingly target OT devices and networks to exfiltrate valuable information and, in the long term, potentially to disrupt or gain control of a country's critical infrastructure. OT assets are highly likely to continue to lag in security patching, providing attackers an extended window of opportunity for exploitation.
The ReliaQuest Threat Research team will continue to monitor these groups and their TTPs, providing detections to our customers and recommendations to the broader public to protect against the associated threats.