FBI and MI5 Issue Warning of China Spying: Cyber Threat Intelligence Roundup

In this week’s intelligence report, FBI and MI5 bosses warn of the massive threat posed by China’s quest to become a dominant threat in cyberspace. We also explain how a new red-teaming tool is being abused in the wild by threat actors, and highlight an emerging supply-chain-style attack that leverages malicious NPM packages to harvest sensitive data from applications and websites.

Read on for the latest insights on these developing stories.

1. FBI and MI5 bosses warn of massive China threat

In an unprecedented joint briefing presented to an audience of academic and business leaders on July 6, Director of British intelligence service MI5, General Ken McCallum, and FBI Director Chris Wray emphatically warned of the growing threat posed by the Chinese Communist Party (CCP) to both UK and US national interests.

According to McCallum, China’s Communist Party and the government it controls have been engaged for years in attempts to steal world-leading expertise, technology, research, and any other Western intellectual property (IP) capable of providing a commercial advantage and boosting China’s global standing.

Threat overview: Breaking down China’s campaign tactics

The briefing detailed how China’s campaigns of IP theft take many forms. Common examples include Chinese spies operating undercover on Western soil, mergers and acquisitions (M&A) and technology transfers which bring Western technology to Chinese firms, and the co-opting of local contacts who are often oblivious to what they are doing to further China’s state interests.

Additionally, with regards to China’s offensive cyber operations, a wide range of Western government and commercial targets have been consistently attacked by China-backed advanced persistent threat (APT) groups affiliated with the Chinese Ministry of State Security (MSS) and the People’s Liberation Army (PLA). These professional hacking units assist in carrying out China’s whole-of-state strategy to become the world’s only superpower by any means necessary, which, if all goes as planned, will also result in China emerging as the world’s dominant cyber superpower.

Perhaps even more worrying — depending on how attached you are to the First Amendment — is when Wray argued during the joint address that Beijing isn’t just trying to steal trade secrets and academic research from the West, but also seeks to influence its politics and conduct technical surveillance against activists in the US speaking out against the Chinese government.

A bad week for the CCP

The joint address follows what could very well be the biggest data hack in history, which occurred when a cyber threat actor allegedly exfiltrated an enormous trove of personal information from a Shanghai police database. Last week, a hacker going by the online handle ChinaDan told members of the hacker site Breach Forums that he’d acquired 23 terabytes of data on 1 billion Chinese citizens.

BleepingComputer included an image of the forum post explaining the contents of the data haul. The alleged attacker claimed the databases contain information on 1 billion Chinese national residents, as well as several billion police case records. Included in this data are personal details such as names, addresses, birthplaces, national ID numbers, mobile numbers, and all crime/case details associated with Chinese nationals who have had police contact. China’s government censors are reportedly working overtime to clamp down on the unsettling news that the data they’ve steadily siphoned from their own citizens over the years is apparently up for grabs and is being sold for the relatively paltry sum of approximately $200,000 USD.

According to a Gizmodo article covering China’s attempts at silencing all discussion of the data leak, Reuters’ attempts to track down people included in the database were successful, with respondents confirming that the data contained in the stolen information could only have come from the police, and is primarily representative of police efforts to support the country’s broader surveillance state.

Hacker claims to have stolen data on 1 billion Chinese citizens – @sergheihttps://t.co/3nSC1WRfA7

— BleepingComputer (@BleepinComputer) 2022 年 7 月 4 日

The Chinese government has made no official mention of the hack to reporters, in public, or online. However, The Financial Times reports that government censors have taken down posts on Chinese social media that dared even mention the alleged leak. Ironically, news of the hack and Beijing’s subsequent attempts at censoring its public discussion comes at a time when China’s government has publicly vowed to improve the protection of online user data privacy; looking to its technology giants to take steps to ensure safer data storage.

Key takeaways

At the conclusion of the joint MI5/FBI address, Wray urged business leaders and others to work with the intelligence services when incidents occur.

“Our folks will race out to give you technical details that will help you lessen the effects of an attack. Together, we can also run joint, sequenced operations that disrupt Chinese government cyber-attacks,” Wray says, adding, “We can also help you to ascertain whether the cyber problem you’ve encountered is actually part of a larger intelligence operation, whether the hackers you do see may be working with insiders, or in concert with other corporate threats, that you don’t see.”

McCallum also made a case for collaboration, arguing that the best way to fight China’s whole-of-state approach to espionage and covert influence is “by building trusted partnerships – across our national systems, and, as symbolized today, internationally.”

In a statement that applies equally to the interests of both the US and the UK, he urged local organizations to proactively reach out to their country’s respective cyber agencies rather than wait for an incident to occur.

“Hostile activity is happening on UK [and US] soil right now,” McCallum said. “We don’t need to build walls to shut ourselves off from the rest of the world. We do need to build our awareness – and make conscious choices to grow our resilience.”

Addressing the crowd, the representatives joined each other in emphasizing that “You – the UK’s [and US’s] innovators and technologists, our researchers and scientists, our businesspeople – are one of the UK’s [and US’s] greatest strengths. That’s why you’re being targeted. Let’s not let your success be China’s competitive advantage.”

Analyst comments from Tanium’s Cyber Threat Intelligence Team

“Several security experts have predicted a significant increase in China-backed cyber activity targeting the US and its Western allies. The fact that MI5 and the FBI joined forces to publicly say as much in the form of an unprecedented joint address lends further credence to this theory. CTI will be keeping a close eye on the activity of various APTs associated with China; an effort that includes creating and regularly updating threat actor profiles containing actionable intelligence on the Chinese threat actors we perceive as posing the most risk to Tanium and its customers/partners.

As for China’s attempt to cover up what may just turn out to be the biggest data leak in history; well, in August of 2021, China’s National People’s Congress passed a law designed to protect online user data privacy and implemented the policy that November. The Personal Information Protection Law (PIPL) carries fines of up to about $7.7 million or 5% of annual revenue for violators. While it may have appeared to be a win for freedom on the internet for those on the outside looking in, the law’s passage was seen by most as the completion of yet another pillar supporting the country’s efforts to tighten regulations in cyberspace and add more compliance requirements for Chinese companies.

Last month, CISA issued an alert detailing common TTPs and known vulnerabilities targeted by China-backed threat actors; it is likely this was issued in response to – and in anticipation of – increased Chinese cyber activity targeting Western entities.”

2. Red-teaming tool, Brute Ratel C4, now being abused by malicious actors

A recent security research blog by Palo Alto’s Unit 42 details Brute Ratel C4, a red-teaming tool that malicious threat actors are now using to launch attacks. Researchers analyzed a sample uploaded to VirusTotal which received a benign verdict from all 56 vendors that evaluated it.

📢 Palo Alto’s @Unit42_Intel published a report on Brute Ratel C42. This sophisticated red team tool was developed to avoid #endpoint detection & #antivirus capabilities. Protect your network and read https://t.co/hKFWi4wWHB.#Cybersecurity #VulnerabilityManagement #BRc4 #IOCs

— US-CERT (@USCERT_gov) 2022 年 7 月 5 日

What is Brute Ratel C4?

Brute Ratel C4 is a penetration testing/red-teaming tool that came to market in 2020 年 12 月. It’s similar in nature to Cobalt Strike; another red-teaming tool which has become a reliable staple in the arsenals of a wide range of threat actors and cybercriminals.

The tool advertises itself as a customized command and control center for Red Team and adversary simulation operations, and currently boasts over 350 customers. The tool allows an organization to simulate a cyberattack and test the effectiveness of its security controls.

Analyst comments from Tanium’s Cyber Threat Intelligence Team

“The use of penetration testing tools by threat actors is not a novel phenomenon. Threat actors have been taking advantage of penetration testing tools like Burp Suite, Cobalt Strike, and Metasploit for years.

The tools are a double-edged sword, in that they can be incredibly valuable for organizations seeking to test the security controls within their environment, but can simultaneously act as a ready-made tool when weaponized by threat actors. The fact that such tools are often user-friendly and feature a low barrier to entry only compounds this fact; making tools like Brute Ratel C4 accessible to an even wider range of cybercriminals regardless of their degree of technical sophistication.

A threat actor utilizing such tools can be difficult to detect, as the activity may be masked by a red team’s legitimate testing activity in the environment. This highlights the need for organizations to detect and monitor the usage of penetration testing tools within the environment and ensure the origin and legitimacy of each tool in use.

It’s also worth highlighting the fact that threat actors have been observed utilizing LNK files to download Brute Ratel C4. The abuse of LNK files by cybercriminals is trending as of late, with the files quickly becoming associated with prominent threats.”

3. NPM software supply chain attack grabs data from apps, websites

Researchers at ReversingLabs have uncovered a widespread campaign to install malicious NPM modules that harvest sensitive data from forms in mobile applications and websites. The coordinated attack is known as IconBurst.

Campaign details

IconBurst contains roughly two dozen malicious NPM packages which include obfuscated JavaScript with malicious code designed for harvesting sensitive user data via embedded forms on downstream mobile applications and websites.

According to ReversingLabs, the packages date back at least six months. ReversingLabs also claims to have evidence of a coordinated supply chain attack featuring many NPM packages containing JQuery scripts capable of stealing data from the applications that leverage them.

The IconBurst campaign’s malicious attacks rely on a strategy called typo-squatting, which is similar to the strategy employed in the recently-discovered (and ultimately benign, as they were discovered to be the work of an over-eager pen-tester) dependency confusion attacks (also reported by ReversingLabs) that appeared to target German organizations.

With typo-squatting, attackers distribute malicious packages by giving them names that, at a glance, appear to be legitimate packages. They accomplish this using common misspellings or similar words that trick less scrutinous users into leveraging the spoofed packages. For example, in one instance observed by ReversingLabs, data exfiltrated by icon-package was routed to a domain named ionicio[.]com, a lookalike page engineered to resemble the legitimate ionic[.]io website.

According to ReversingLabs, the attackers “impersonated high-traffic NPM modules like umbrellajs and packages published by ionic.io. However, it is the end users of software (and their data) rather than development organizations that are the real targets.”

Impact/scale

The packages in question, most of which were published in the last months, have been collectively downloaded more than 27,000 times to date. Worse, most of the modules continue to be available for download from the iconic.io repository.

While the full extent of this attack isn’t yet known, the malicious packages discovered by ReversingLabs’ researchers are likely used by hundreds, if not thousands of downstream mobile and desktop applications and websites. In one case, a malicious package had been downloaded more than 17,000 times.

Analyst comments from Tanium’s Cyber Threat Intelligence Team

“While this discovery is certainly concerning, let’s all keep in mind that ReversingLabs has previously been guilty of “jumping the gun” when reporting suspected malicious activity in the past; before being certain of its origins (see the German campaign referenced above). With this in mind, we advise that at this time readers treat this source of information with medium confidence, as we do. That being said, the evidence of typo-squatting and code obfuscation presented within their findings seems fairly ironclad.

Furthermore, the malware authors behind the campaign have since altered their methodology to maximize returns by harvesting information from every form element on each weaponized application and webpage – indicative of an increasingly aggressive approach to data harvesting, or an attacker or attackers trying to maximize returns before the public disclosure of their campaign burns their operation. Also worrying is the apparent success of the attack, and the number of downloads involved, as it serves to highlight both the tendency of developers to be overconfident of the legitimacy of popular packages, as well as a lack of effective barriers when it comes to keeping malicious/vulnerable code from entering sensitive development and IT environments.”

Is your business at risk? Take our risk assessment and find out

The cyber threat landscape is vast and ever-changing, with new threats constantly emerging. Your endpoints are at risk from numerous campaigns and threat actors. And it’s only a matter of time before cybercriminals breach your defenses and penetrate your network.

Take this opportunity to check your organization’s cybersecurity readiness with our Tanium Risk Assessment. Get your free risk report today.