Full Report
Chinese hackers are infiltrating the networks of suppliers of “sensitive” manufacturers, according to a Check Point report to be published in the coming weeks
Analysis Summary
# Threat Actor: Unnamed Chinese Hacking Group (Associated with Cyber Espionage)
## Attribution & Identity
The threat actor is described as a Chinese hacking group / nation-state actor. Check Point is withholding specific attribution, assessing the link at medium confidence, but the observed tactics align with known Chinese nation-state groups. The group's approach resembles the **Volt Typhoon** campaigns that targeted critical infrastructure.
## Activity Summary
Check Point is investigating a new, ongoing cyber espionage campaign conducted by this Chinese threat actor. The campaign's primary objective is **Intellectual Property (IP) theft**, aimed at building a better understanding of the supply chain within the targeted industries. The actor is actively infiltrating the networks of suppliers that provide components to the manufacturing industry; the report specifically names suppliers of **chemical products** and **physical infrastructure components (e.g., pipes)**.
## Tactics, Techniques & Procedures
- **Initial Access:** Gaining access through targeted edge devices, including Operational Relay Boxes (ORBs) and poorly secured Internet of Things (IoT) devices such as routers.
- **Exploitation:** Exploiting publicly disclosed but unpatched software or hardware vulnerabilities ("one-days") on edge devices.
- **Attribution Indicators:** Intrusion tactics observed align with known Chinese nation-state groups, and the targeting of ORB devices is a typical cyber espionage tactic by these actors.
- **Campaign Similarity:** Approach shows similarities to **Volt Typhoon** cyber espionage campaigns (2023-2024).
## Targeting
- **Sectors:** Manufacturing industry suppliers, chemical products suppliers, physical infrastructure component suppliers, and "sensitive" domains.
- **Geography:** The US and globally.
- **Victims:** Suppliers of components for the manufacturing industry; some are existing Check Point customers.
## Tools & Infrastructure
- **Malware families used:** Not explicitly named in the provided text.
- **Infrastructure (C2, domains, IPs):** No specific indicators (IPs/domains) are detailed in this summary. The actor exploits vulnerabilities on edge devices that are commonly used as proxies (ORBs / VPS hosts).
## Implications
The actor demonstrates aggressive tactics, exploiting known vulnerabilities even against suppliers that would not traditionally expect nation-state targeting. The focus on supply chain components (chemical / infrastructure) suggests strategic intelligence gathering aimed at a deep understanding of critical industrial ecosystems. A notable trend of tool and technique sharing among Chinese hacking groups complicates definitive attribution.
## Mitigations
- Organizations must review their customers, vendors, and partners, recognizing that they can be targeted because of their position in a larger supply chain ("seeing themselves in the bigger picture").
- Patch management for edge devices (routers, ORBs, IoT devices) is critical, especially for recently disclosed (zero-day / one-day) vulnerabilities.
- Organizations should not assume they are safe solely because of their direct industry; supply chain risk must be assessed.