China and Cybersecurity: What IT and Security Pros Need to Know

Now it’s time for China’s turn in the cybersecurity spotlight. After focusing almost exclusively on Russia for the first seven months of his presidency, Joe Biden’s White House shifted part of its cybersecurity attention to China on July 12, with the administration blaming hackers associated with one of the country’s security services for carrying out attacks on vulnerable versions of Microsoft Exchange email servers earlier this year.

While Microsoft initially blamed the March incident on a Chinese-linked group called Hafnium, the Biden administration waited nearly five months to formally attribute the attacks. The administration said it needed the time to build evidence while also creating a coalition that included the U.K., NATO and the European Union, which all condemned China and its Ministry of State Security, or MSS, for its role in these threats.

Besides the White House calling out China, the U.S. Justice Department unsealed an indictment against four members of China’s MSS for their roles in various cyber activities, including theft of trade secrets and intellectual property (but not the Exchange attacks). Meanwhile, the National Security Agency and others published a technical paper outlining 50 tools, techniques and procedures used by Chinese attackers or hacking groups associated with the government.

And while the attribution by the White House stopped short of economic or other sanctions against China, a senior administration official explained that the White House felt it was time to call out China’s cyber capabilities and how those have been used against targets both in the U.S. and elsewhere around the world.

“We’ve raised our concerns about both the Microsoft incident and the [People’s Republic of China’s] broader malicious cyber activity with senior PRC government officials, making clear that the PRC’s actions threaten security, confidence, and stability in cyberspace,” the senior administration official, who spoke on the condition of anonymity, said. “The U.S. and our allies and partners are not ruling out further actions to hold the PRC accountable.”

On July 26, cybersecurity was one of several issues discussed between Chinese and American leaders during high-level talks, according to the U.S. State Department.

Cybersecurity Issues Hitting Home

While the Biden administration’s concerns over Russia’s and China’s cyber capabilities can seem more akin to international diplomacy than to cybersecurity, these events have real consequences for IT and security teams that are trying to keep networks safe from attacks, experts noted.

“The simple truth is that the attacks are becoming more sophisticated and harder to stop,” Rita Gurevich, founder and CEO of security firm Sphere, told Dice. “Companies need to focus not only on protection but limiting their cyber-attack surface… Unfortunately, no strategy is foolproof, with threats constantly evolving and growing in frequency, but data and access governance is essential regardless of the source of attacks.”

The attacks on these vulnerable, on-premises Exchange servers, first uncovered in March when Microsoft published an alert, seemed to emphasize those points.

At one point, the attackers targeted tens of thousands of vulnerable Exchange servers around the world, including many small and midsized firms without large security staff or budgets to counter these intrusions. Besides the original attacks, other cybercriminal groups began taking advantage of flaws to launch ransomware and other malware.

And while Microsoft deployed a free mitigation tool that helped stop the bulk of these attacks, the FBI obtained a court order that allowed agents to remove web shells from compromised servers without having to ask permission of organizations first. 

While all this can seem overwhelming, Tim Wade, technical director for the CTO Team at security firm Vectra, said that most organizations should not focus specifically on Russia or China, but on how these attacks change the way security and IT teams respond to risk.

“If ransomware is a concern, whether it is sourced from China or Russia may be much less indicative of the impact than the state of an organization’s internal IT hygiene, identity and access management practices, and the security operation team’s visibility into unfolding attacks with modern detection and response capabilities,” Wade told Dice.

Time to Act

While not every organization might have concerns over Russia or China, cybersecurity experts believe that the recent emphasis by the Biden administration on nation-state and ransomware attacks should serve as a wake-up call for security and IT teams to tighten their defenses.

Heather Paunet, senior vice president at security firm Untangle, noted that, while organizations should study NSA and other documents about how attackers working on behalf of Russia and China operate, these types of events should make enterprises think harder about their security.

“Every company should assume they are or will be the target of a cyberattack and perhaps more closely monitor traffic from one location compared to the other,” Paunet told Dice. “In addition, there are steps, including some best practices from the recent executive order from President Biden, that organizations can take to protect their networks, information and employees.”

Some of the basics that organizations can work on right now that can result in notable security improvements include:

  • Use multi-factor authentication, which will provide an additional layer of protection of sensitive data;
  • Keep software updated, and update and install all software patches expediently to avoid a breach;
  • Back up data to ensure that, even if a network is breached, a backup can revert the machine to the data it had on the day before the attack. This can minimize losses;
  • Organizations should also segregate network access by putting different systems on different networks that are only accessible by the groups of employees that need access. This ensures that fewer systems can be compromised during a breach;
  • Train employees continuously. As security adversaries find new ways to infiltrate networks, keeping employees trained and up-to-date will strengthen network security.

Even with sophisticated nation-state attacks, Wade added, preparing for one scenario or particular attack can help prevent or minimize others, as well.

“Insomuch as external threat awareness promotes the improvement of internal security practices, it’s valuable—but this often falls short of needing to tailor narrow and specific countermeasures against indications of specific nation-state attribution,” Wade said. “Why is this? Because for many attack scenarios, the techniques and tradecraft are common in a wide array of adversaries.”