China-Based Actors Target Think Tanks and NGOs

In the latter months of 2017, China-based threat actors conducted cyber-espionage operations targeting at least four Western think tanks and two non-governmental organizations (NGOs), a notable increase in activity than observed in the previous months. The majority of operations conducted by the actors utilized the China Chopper webshell and credential harvesting tools, such as Mimikatz, to target Microsoft Active Directory infrastructure and steal credentials in order to move laterally across the targeted networks. Second-stage malware was also used and email directory dumps were conducted to obtain a full listing of departments in the targeted organization. The actors were very deliberate in their actions, searching for specific data and showing persistence to compromise specific targets. This activity underscores the changing tactics, techniques, and procedures (TTPs) of China-based hackers, moving away from the indiscriminate and opportunistic exfiltration of data to more targeted intrusions with a specific mission. The NJCCIC recommends US organizations that could be considered valuable targets for nation-state cyber-espionage operations review the CrowdStrike report; educate users on common TTPs and best practices; deploy proactive defenses, such as email gateways, firewalls, and endpoint protection; employ the Principle of Least Privilege on all user accounts; and always keep hardware and software updated.