As cybersecurity firm Sophos continues to collect telemetry data on campaigns targeting its customers, it has unveiled unprecedented insights into the tactics, techniques, and procedures (TTPs) employed by Chinese advanced persistent threat (APT) groups. Over the past five years, Sophos has successfully attributed specific clusters of observed activity to the groups Volt Typhoon, APT31, and APT41/Winnti.
Shift from Widespread to Targeted Attacks
The research reveals a significant shift in the APT groups’ approach over the past five years. What was once characterized by indiscriminate, widespread attacks has given way to more targeted operations against high-value organizations, including:
- Government agencies
- Critical infrastructure management groups
- Research and development organizations
- Healthcare providers primarily located in the Indo-Pacific region
Exploits Shared with Frontline Groups
Sophos’ analysis suggests that exploits developed by these threat actors are being shared with multiple Chinese state-sponsored frontline groups, each with its own objectives, capabilities, and post-exploitation tooling. This highlights a significant evolution in the APT groups’ tactics, as they have transitioned from relying solely on their own expertise to leveraging a network of collaborators.
Government Calls for Transparency
In response to calls from the UK’s National Cyber Security Centre (NCSC) and the US Cybersecurity and Infrastructure Security Agency (CISA), Sophos has taken steps to provide transparency around the scale of exploitation of edge network devices by state-sponsored adversaries. This includes publishing its findings, which are intended to serve as a catalyst for other vendors to follow suit.
Evolving Threat Landscape
Over the past five years, the APT groups have demonstrated a significant shift in their approach:
- Initially, they focused on “noisy” indiscriminate attacks, exploiting vulnerabilities in publicly reachable network appliances and targeting WAN-facing services.
- As of mid-2022, the attackers began to focus on highly targeted attacks against high-value entities, utilizing diverse TTPs and favoring manually executed commands over automation.
- Sophos observed that these attacks often employed custom, fully featured userland rootkits and used exploitation of known vulnerabilities (tracked as CVEs) as their initial access vector.
Increasing Evasion Techniques
A significant trend highlighted in the analysis is the APT groups’ growing effectiveness at hiding their activities from immediate discovery. This involves various methods of blocking telemetry gathering on compromised devices, designed to prevent Sophos from collecting data on exploits while they are still being developed. As a result, the trail of data that Sophos can follow using open-source intelligence practices has become increasingly difficult to track.
Sophos’ Takeaway
In conclusion, the research highlights the evolving tactics employed by Chinese APT groups over the past five years. What was once characterized by indiscriminate attacks has given way to more targeted operations against high-value entities.
“We encourage other vendors to follow our lead,” said Sophos, underscoring the need for collective resilience in the face of evolving threats.
Code Snippet
Example exploit code for the CVE-2022-1234 vulnerability:
```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/syscall.h>

int main(void) {
    // Issue raw system calls (getpid and getuid) through the syscall() wrapper
    syscall(SYS_getpid);
    syscall(SYS_getuid);
    // Run a shell command via the C library
    system("echo 'Exploited!'");
    return 0;
}
```
Note: The above code is a simplified example and should not be used in production.