Seoul, South Korea ― Chinese advanced persistent threat (APT) groups are focusing on vulnerabilities in edge infrastructure—such as virtual private networks (VPN), routers, and email gateways—rather than on weaknesses resulting from individual negligence, according to a security expert at Google Cloud.
Luke McNamara, deputy chief analyst of Mandiant Intelligence at Google Cloud, disclosed the findings at a press briefing in Seoul on Wednesday. During the hour-long presentation, he outlined global and regional cyber threat trends, focusing on activities by Chinese and North Korean APT groups.
Hackers linked to the Chinese government are actively exploiting zero-day vulnerabilities for cyber espionage. Research cited during the briefing shows a sharp increase in zero-day exploits discovered across the security industry over the past four years. From 2015 to 2020, the number of exploits ranged from 19 to 33 annually, but that figure surged to 98 in 2023 alone.
“Chinese APT actors have a particular focus on zero-days in edge infrastructure,” McNamara said. “By that, I mean technologies on the outer perimeter of an organization—such as VPNs, routers, and email gateways. We’re seeing a concentrated effort by Chinese APTs to identify vulnerabilities in these appliances and exploit them to access and compromise larger targets. This highlights their growing emphasis on stealth and avoiding detection in their operations.”
According to McNamara, Chinese threat actors are also using proxy networks known as “operational relay box” (ORB) networks and employing living-off-the-land (LOTL) techniques after gaining access to an organization—both methods designed to evade detection.
ORB networks—composed of compromised Internet of Things (IoT) devices, routers, and rented virtual private servers—operate similarly to botnets. As dynamic, mesh-like networks, they work to obscure cyber espionage activities, making it more challenging to detect attacks, pinpoint the actors behind them, and mount an effective defense, driving up security costs for enterprises.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) describes LOTL techniques as “a hallmark of Volt Typhoon actors’ malicious cyber activity when targeting critical infrastructure.” Volt Typhoon, a China-linked APT group active since at least mid-2021, primarily targets critical infrastructure in the United States.
Additionally, the hackers are targeting service providers and telecommunications organizations, potentially gaining access to downstream targets. “This makes it harder for defenders to understand the hackers’ primary target,” McNamara explained.
Beyond Chinese APT operations, McNamara highlighted a concerning trend of North Korean IT workers posing as legitimate software engineers to secure jobs across various sectors, potentially for espionage. These workers also generate revenue for the North Korean regime.
The threat takes two main forms. First, North Korean IT workers are hired for short-term IT jobs, often through freelance job sites. To secure these positions they work with facilitators, who in most cases are unaware of the workers’ true identities. This enables them to earn money, which is then sent back to North Korea. Second, these workers are hired by sensitive organizations, such as defense contractors. In such positions they pose an espionage risk, as they can gain access to sensitive information that can benefit the North Korean state.
In some cases, these IT workers have even been found to have ties to North Korean APT groups, according to the expert. Additionally, a case was discovered where a North Korean worker threatened to disclose a company’s confidential information unless he or she was given 2 bitcoins after being fired from the company.
To mitigate the potential risks posed by these hackers, Google Cloud recommends that organizations conduct thorough background checks, including verifying applicants’ identities, work histories, and references. “Pay attention to red flags, such as an applicant’s reluctance to turn on their camera during an interview or their request to have a corporate laptop shipped to an address different from what’s listed on their resume,” McNamara added.