Two important pieces of research were released on Sept. 24 that point to China-based espionage activities targeting critical infrastructure globally, including attacks on U.S. defense contractors, source code, and leading network appliances from the likes of SonicWall, Cisco, and Palo Alto Networks.The Google Threat Intelligence Group reported Sept. 24 on Brickstorm, a long-running and likely widespread campaign that went undetected in various victim environments for an average of 393 days.Recorded Future’s Insikt Group also reported Sept. 24 that RedNovember, which Microsoft tracks as Storm-2077, targets perimeter appliances of high-profile organizations using the Go-based backdoor Pantegana and Cobalt Strike.“Brickstorm and RedNovember might overlap, or at least share strategic aims in that they are Chinese-linked espionage,” said Craig Jones, chief security officer at Ontinue. “However, operationally they seem to emphasize different tradeoffs: RedNovember trades some stealth for speed, scale, and ease-of-deployment, whereas Brickstorm prioritizes long-term access and minimal detection. Don’t forget that threat intelligence is based on grouping by technique and target. These are likely intrinsically linked.”Doug Bienstock, security engineering manager at the Google Threat Intelligence Group, explained that during the nearly 400 days the threat actors are in a network environment, they used the backdoor malware to steal proprietary source code and other intellectual property related to enterprise technologies that many other countries use“We believe the threat actors are analyzing the stolen source code to find flaws and zero-day vulnerabilities to exploit in enterprise technology products,” said Bienstock. “The actor is also using their access to exfiltrate mail from key individuals that’s of strategic interest.”The Insikt Group said RedNovember victims include a ministry of foreign affairs in central Asia, a state security organization in Africa, a European government directorate, and a Southeast Asian government. The researchers said RedNovember also likely compromised at least two U.S. defense contractors, and a European engine manufacturer.RedNovember was observed reconnoitering and likey compromising the following edge devices for initial access: SonicWall, Cisco Adaptive Security Appliance, F5 BIG-IP, Palo Alto Networks GlobalProtect, Sophos SSL VPN, and Fortinet FortiGate instances. Other compromises include Outlook Web Access instances and Ivanti Connect Secure VPN appliances.Lauren Rucker, senior cyber threat intelligence analyst at Deepwatch, said the recent activities of Chinese-linked threat groups demonstrate a focus on supply chain attacks to achieve widespread access. Instead of directly targeting every organization, Rucker said these groups compromise software providers and other third-party vendors to then "pick and choose" their ultimate targets from the customer base.“This tactic is similar to the 2020 SolarWinds hack, allowing them to gain access to a multitude of networks through a single, initial breach,” said Rucker. “A key evolution is the use of stolen data to create zero-day vulnerabilities. By stealing source code from widely used enterprise technologies, they can discover new, unpatched flaws [that] can be weaponized in future attacks. This goes beyond typical espionage for data theft and suggests a long-term strategy to build a "library" of attack tools for potential future use.”April Lenhard, principal manager, cyber threat intelligence at Qualys, added that Chinese-linked hacking often aligns with China’s Five-Year Plan goals: think intellectual property theft tied to sectors like energy, aviation, semiconductors, biotech, and AI.“If it fuels China’s strategic ambitions, it’s a likely target,” said Lenhard. “Beijing-backed hacking groups are not smash-and-grab amateurs — they're strategic and patient. To stay safe, companies and agencies need a proactive, risk-informed strategy starting with threat awareness. Map third-party exposure, watch for signs of data exfiltration, and lean on risk operations center for industry-specific intelligence. Against actors like these, cybersecurity is national security.”.
Critical Infrastructure Security, Threat Intelligence, Endpoint/Device Security, Data Security
Two China-backed groups target critical infrastructure globally

(Adobe Stock)
Related Events
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds



