Full Report
The CNCERT said it had “handled” two attacks on Chinese tech companies, which it attributed to an unnamed suspected U.S. intelligence agency. The post Chinese cyber center points finger at U.S. over alleged cyberattacks to steal trade secrets appeared first on CyberScoop.
Analysis Summary
# Threat Actor: Suspected U.S. Intelligence Agency (As alleged by CNCERT)
## Attribution & Identity
The threat actor is identified by the National Computer Network Emergency Response Technical Team/Coordination Center of China (CNCERT) as an **unnamed suspected U.S. intelligence agency**. CNCERT is described as a non-governmental, non-profit cybersecurity technical center overseen by the Ministry of Industry and Information Technology.
## Activity Summary
CNCERT alleged that this suspected U.S. entity was responsible for two cyberattacks against Chinese technology companies aimed at stealing trade secrets:
1. **Attack 1 (August 2024):** Targeted "a certain advanced material design and research unit." The attackers gained access through a vulnerability in a document management system and installed Trojans on more than 270 hosts.
2. **Attack 2 (May 2023):** Targeted a "large-scale high-tech enterprise" in China’s "smart energy and digital information industry." The intrusion exploited Microsoft Exchange vulnerabilities to implant backdoors and gain control of the company's mail server and of devices belonging to its subsidiaries.
These allegations fit a pattern in which China escalates claims of U.S. cyberattacks at moments that coincide with public U.S. accusations against Chinese actors (such as those related to the "Salt Typhoon" breaches).
## Tactics, Techniques & Procedures
- Exploitation of vulnerabilities in document management systems for initial access.
- Exploitation of **Microsoft Exchange vulnerabilities** for initial access.
- Installation of **Trojans** onto numerous hosts (over 270 in one instance).
- Implantation of **backdoors** following initial network access.
- Gaining control over mail servers and subsidiary devices.
- **Objective:** Stealing trade secrets.
## Targeting
- **Sectors:** Advanced Material Design and Research; Smart Energy and Digital Information Industry (High-Tech Enterprise).
- **Geography:** China (Victims located within China).
- **Victims:**
  - A "certain advanced material design and research unit."
  - A "large-scale high-tech enterprise in China’s 'smart energy and digital information industry.'"
## Tools & Infrastructure
- **Malware families used:** Trojans and backdoors (specific family names not provided).
- **Infrastructure (C2, domains, IPs):** Not detailed in the summary; the only infrastructure referenced is the victims' own software and servers that were exploited for access (a document management system and Microsoft Exchange).
## Implications
This activity highlights the ongoing, high-stakes state-sponsored cyber espionage competition between the U.S. and China, centered on the theft of trade secrets that underpin technological and industrial advancement. The counter-accusation pattern suggests an effort by China to deflect attention from its own documented cyber espionage activities.
## Mitigations
- Comprehensive patching, particularly of internet-facing services such as **Microsoft Exchange**, which was the initial access vector in one of the alleged intrusions.
- Rigorous security monitoring and asset inventory for document management systems, the initial access vector in the other.
- Enhanced detection of **Trojans** and **backdoors** across the internal network, including on hosts at subsidiaries that share trust with the parent organization.
- Securing software upgrade management servers.