Chinese hackers have targeted and compromised “major telecommunications companies and network service providers” by exploiting publicly known vulnerabilities in a range of routers and network-attached data storage devices, the National Security Agency, FBI and the Department of Homeland Security’s Cybersecurity Infrastructure Security Agency said in a joint advisory Tuesday.
“Over the last few years, a series of high-severity vulnerabilities for network devices provided cyber actors with the ability to regularly exploit and gain access to vulnerable infrastructure devices,” the agencies wrote in the advisory. “In addition, these devices are often overlooked by cyber defenders, who struggle to maintain and keep pace with routine software patching of Internet-facing services and endpoint devices.”
The advisory explained the various ways Chinese state-sponsored hackers have routinely exploited publicly identified security vulnerabilities using publicly available exploit code “without using their own distinctive or identifying malware.” The hackers are continuously evolving and adapting tactics to bypass defenses, the agencies said.
The advisory builds on previous advisories from the agencies on the ways Chinese state-aligned hackers go about their activities, including one from July 2021 and another NSA advisory from October 2020.
The level of access allows the hackers to “monitor network defenders’ accounts and actions, and then [modify] their ongoing campaign as needed to remain undetected,” the agencies wrote. The hackers “often mix their customized toolset with publicly available tools, especially by leveraging tools that are native to the network environment, to obscure their activity by blending into the noise or normal activity of a network.”
The advisory included a list of the most commonly exploited vulnerabilities Chinese hackers have used since 2020 against devices from vendors such as Cisco, Citrix, DrayTek, D-Link, Fortinet, MikroTik, Netgear, Pulse, QNAP and Zyxel.
The agencies suggested a range of mitigations including keeping systems and products updated and patched as soon as possible after patches are released, enabling multi-factor authentication on all virtual private network connections and isolating internet-facing services in a network demilitarized zone to reduce the exposure of the internal network.