Mar 17, 2023 - Technology

China-backed espionage is getting harder to spot, researchers say


Illustration: Annelise Capossela/Axios

Suspected China-linked hacking groups are continuing to build on a new tactic targeting internet-facing security tools as a way of stealthily breaking into some of the most data-rich organizations, researchers at Google-owned Mandiant warn.

Driving the news: In a report Thursday, researchers said they've uncovered a new bug affecting products from software security company Fortinet, which makes firewalls, antivirus programs and similar tools. The Wall Street Journal first reported on the new bugs.

  • The new report is the fifth that Mandiant has released in two years in which suspected China-affiliated hackers have targeted internet-facing security tools. Other affected product-makers include SonicWall, VMware and Citrix.
  • Charles Carmakal, chief technology officer at Mandiant, told the WSJ it's likely that "the problem is a lot bigger than we know today."

What they're saying: "Given how incredibly difficult they are to find, most organizations cannot identify them on their own," Carmakal said in a statement to Axios. "It’s not uncommon for Chinese campaigns to end up as multi-year intrusions."

The big picture: The Biden administration has been laser-focused on cracking down on China-linked espionage and hacking threats.

  • Last week, the intelligence community said in its 2023 worldwide threats report that China is the "broadest, most active and persistent" cyber espionage threat to the U.S.
  • Earlier this week, the Committee on Foreign Investment in the United States reportedly told TikTok that, due to surveillance and other national security concerns, it would be banned in the U.S. if its Chinese parent company, ByteDance, refused to sell its stake.

Details: Mandiant uncovered two new malware strains, dubbed CastleTap and ThinCrust, targeting recently patched flaws in Fortinet products to access defense, government, telecom and technology companies.

  • In one scenario detailed in the report, hackers injected malicious code onto the FortiManager security management tool while it was connected to the internet.
  • That code then allowed the hackers to establish a "backdoor" on the network that they could easily use to install malware and move laterally to other products connected to the network.

The intrigue: By targeting internet-facing security tools, malicious actors can gain access to a network without having to interact with a human — as opposed to most other malware schemes, which require someone to click on a phishing link or install a corrupted app.

  • Without that interaction, the attacks are much harder to notice, giving intruders more time to collect data.
