Pierluigi Paganini February 19, 2023

A joint report published by ENISA and CERT-EU warns of Chinese APTs targeting businesses and government organizations in the European Union.

The European Union Agency for Cybersecurity (ENISA) and CERT-EU warn of multiple China-linked threat actors targeting businesses and government organizations in the EU.

The joint report focus on cyber activities conducted by multiple Chinese Advanced Persistent Threat (APT) groups, including APT27, APT30, APT31, Ke3chang, GALLIUM and Mustang Panda.

“The EU Cybersecurity Agency (ENISA) and the CERT for the EU institutions, bodies and agencies (CERT-EU) would like to draw the attention of their respective audiences on particular Advanced Persistent Threats (APTs), known as APT27, APT30, APT31, Ke3chang, GALLIUM and Mustang Panda. These threat actors have been recently conducting malicious cyber activities against business and governments in the Union.” reads the joint report. “These threat actors present important and ongoing threats to the European Union. Recent operations pursued by these actors focused mainly on information theft, primarily via establishing persistent footholds within the network infrastructure of organisations of strategic relevance.”

The European agencies are calling for all public and private sector organisations in the EU to apply the recommendations provided in the alert. The alert urges organizations to improve their cybersecurity posture and increase their resilience to cyberattacks.

The alert provides recommendations for prevention, detection, and response.

To prevent such attacks the agencies recommend:

• Follow the security best practices proposed by vendors to harden their products and manage high privileged accounts and key assets.
• Strive to maintain current physical and virtual asset inventories.
• Block or severely limit egress Internet access for servers or other devices that are seldom rebooted.
  Implement best practices for identity and access management.
• Adopt a backup strategy.
• Ensure tight and proper access controls for end users and, most crucially, external third-party
  contractors with access to internal networks and systems.
• Use network segmentation to isolate critical systems, functions, or resources – specifically implement
  isolation in regards of interconnections with Internet and third parties.
• Secure your cloud environments before moving critical assets there.
• Implement a resilient email policy that includes adequate mechanisms for filtering and scrutinising malicious content. A secure email gateway can further enhance the protection of the recipients.
• Consider preventing attacks based on the so-called Pass-the-Ticket technique on Active Directory environments.
• Invest in cybersecurity education.

To detect malicious cyber activities, the European agencies recommend:

• Implement robust log collection and regularly review alerts triggered by security components.
• Monitor the activities of devices in your network with appropriate tools.
• Use carefully curated cyber threat intelligence to proactively search your logs for possible signs of
• compromise.
• Detect traces of compromise in your network through well-conceived, regular threat hunting based, for example, on the MITRE ATT&CK® framework.
• Use intrusion detection signatures and NetFlow to spot suspicious traffic at network boundaries and detect conditions that may indicate software exploitation or data exfiltration.
• Invest in detecting lateral movements which exploit NTLM and Kerberos protocols in a Windows
• environment.
• Train your users to immediately report any suspicious activity to your local cybersecurity team.

The report also provides recommendations to improve the response to the incident. Organizations are urged to create and maintain an incident response plan and assess the incident severity.

The document also includes an overview of the China-linked threat actors that are targeting EU organizations.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Chinese APTs)