ENISA and CERT-EU warns Chinese APTs targeting EU organizations

A joint report published by ENISA and CERT-EU warns of Chinese APTs targeting businesses and government organizations in the European Union.

The European Union Agency for Cybersecurity (ENISA) and CERT-EU warn of multiple China-linked threat actors targeting businesses and government organizations in the EU.

The joint report focus on cyber activities conducted by multiple Chinese Advanced Persistent Threat (APT) groups, including APT27, APT30, APT31, Ke3chang, GALLIUM and Mustang Panda.

“The EU Cybersecurity Agency (ENISA) and the CERT for the EU institutions, bodies and agencies (CERT-EU) would like to draw the attention of their respective audiences on particular Advanced Persistent Threats (APTs), known as APT27, APT30, APT31, Ke3chang, GALLIUM and Mustang Panda. These threat actors have been recently conducting malicious cyber activities against business and governments in the Union.” reads the joint report. “These threat actors present important and ongoing threats to the European Union. Recent operations pursued by these actors focused mainly on information theft, primarily via establishing persistent footholds within the network infrastructure of organisations of strategic relevance.”

The European agencies are calling for all public and private sector organisations in the EU to apply the recommendations provided in the alert. The alert urges organizations to improve their cybersecurity posture and increase their resilience to cyberattacks.

The alert provides recommendations for prevention, detection, and response.

To prevent such attacks the agencies recommend:

Follow the security best practices proposed by vendors to harden their products and manage high privileged accounts and key assets.
Strive to maintain current physical and virtual asset inventories.
Block or severely limit egress Internet access for servers or other devices that are seldom rebooted.
Implement best practices for identity and access management.
Adopt a backup strategy.
Ensure tight and proper access controls for end users and, most crucially, external third-party
contractors with access to internal networks and systems.
Use network segmentation to isolate critical systems, functions, or resources – specifically implement
isolation in regards of interconnections with Internet and third parties.
Secure your cloud environments before moving critical assets there.
Implement a resilient email policy that includes adequate mechanisms for filtering and scrutinising malicious content. A secure email gateway can further enhance the protection of the recipients.
Consider preventing attacks based on the so-called Pass-the-Ticket technique on Active Directory environments.
Invest in cybersecurity education.

To detect malicious cyber activities, the European agencies recommend:

Implement robust log collection and regularly review alerts triggered by security components.
Monitor the activities of devices in your network with appropriate tools.
Use carefully curated cyber threat intelligence to proactively search your logs for possible signs of
compromise.
Detect traces of compromise in your network through well-conceived, regular threat hunting based, for example, on the MITRE ATT&CK® framework.
Use intrusion detection signatures and NetFlow to spot suspicious traffic at network boundaries and detect conditions that may indicate software exploitation or data exfiltration.
Invest in detecting lateral movements which exploit NTLM and Kerberos protocols in a Windows
environment.
Train your users to immediately report any suspicious activity to your local cybersecurity team.

The report also provides recommendations to improve the response to the incident. Organizations are urged to create and maintain an incident response plan and assess the incident severity.

The document also includes an overview of the China-linked threat actors that are targeting EU organizations.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Chinese APTs)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.