An alert has been issued to IT service providers and their customers about an increase in Chinese malicious cyber activity.
The warning was issued by the Department of Homeland Security (DHS) United States Computer Emergency Readiness Team (US-CERT), an organisation responsible for analysing and reducing cyber threats and vulnerabilities and for coordinating incident response activities in the United States. The alert was specifically aimed at making IT service providers such as Managed Service Providers (MSPs), Managed Security Service Providers (MSSPs) and Cloud Service Providers (CSPs), and their customers, aware of the threat posed by Chinese malicious cyber activity, which is being detected with increasing frequency.
According to US-CERT’s webpage on China, the threat actors are “actively exploiting trust relationships between information technology (IT) service providers and their customers”. A successful attack may compromise sensitive information belonging to patients, raising their risk of becoming a victim of identity fraud or having financial information stolen.
In response to the threat, the DHS Cybersecurity and Infrastructure Security Agency (CISA) has issued technical details on the tactics and techniques used by Chinese threat actors to gain access to service providers’ networks and the systems of their customers.
According to US-CERT’s website, the information has been shared to “enable network defenders to identify and reduce exposure to Chinese malicious cyber activity”. The website further states that all known victims of the Chinese hackers have already been notified by CISA and the FBI.
Guidance has been released for IT service providers and their customers on the steps that should be taken to improve security to prevent successful attacks. While a range of mitigations have been specified, US-CERT warns that there is “no single solution” and mitigating these malicious activities can be a complex process.
Advice for Customers of IT Service Providers
Healthcare organisations that utilise IT service providers are advised to:
- Ensure their providers have conducted a review to determine whether there is a security concern or a compromise has occurred.
- Ensure the IT service providers have implemented solutions and tools to detect cyberattacks.
- Review and verify connections between healthcare systems and those used by IT service providers.
- Verify all IT service provider accounts are being used for appropriate purposes.
- Disable IT service provider accounts when they are not in use.
- Ensure business associate agreements require IT service providers to implement appropriate security controls, to log and monitor client systems and connections to their networks, and to promptly issue notifications when suspicious activity is detected.
- Integrate system log files and network monitoring data into intrusion detection and security monitoring systems for independent correlation, aggregation and detection.
- Ensure service providers view US-CERT pages related to APT groups targeting IT service providers, specifically TA-18-276A and TA-18-276B.
Advice for IT Service Providers
IT service providers have been advised to take the following actions to mitigate the risk of cyberattacks:
- Ensure the mitigations detailed in US-CERT alerts are fully implemented.
- Ensure the principle of least privilege is applied to their environments, customers’ data are logically separated, and access to clients’ networks is not shared.
- Implement advanced network and host-based monitoring systems that look for anomalous behaviour that could indicate malicious activity.
- Aggregate and correlate log information to maximise the probability of detection of malicious activity and account misuse.
- Work closely with customers to ensure that all hosted infrastructure is carefully monitored and maintained.
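The account-verification steps in the customer advice above and the log aggregation and correlation step in the provider advice both come down to checking provider-account activity against what was agreed with the provider. The following is an added example, not code from US-CERT or the article, that applies three such checks to constructed login records: use of a provider account that should be disabled, a login from outside the provider's agreed source network, and a login outside the agreed maintenance window. The account names, networks, window and log format are all assumptions.

```python
import ipaddress
from datetime import datetime

# Constructed policy (assumption): provider accounts the customer knows about,
# the networks the provider agreed to connect from, and whether each is enabled.
PROVIDER_ACCOUNTS = {
    "msp-svc": {"allowed_nets": ["203.0.113.0/24"], "enabled": True},
    "msp-backup": {"allowed_nets": ["203.0.113.0/24"], "enabled": False},
}
MAINTENANCE_WINDOW = (8, 18)  # agreed UTC hours in which provider logins are expected

# Constructed sample log lines: "timestamp user source_ip action".
SAMPLE_LOGS = """\
2019-01-14T09:12:00Z msp-svc 203.0.113.7 login_success
2019-01-14T02:41:00Z msp-svc 203.0.113.7 login_success
2019-01-14T10:05:00Z msp-svc 198.51.100.9 login_success
2019-01-14T11:30:00Z msp-backup 203.0.113.7 login_success
2019-01-14T11:31:00Z alice 10.0.0.5 login_success
"""

def parse_line(line):
    ts, user, src, action = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "user": user,
            "src": ipaddress.ip_address(src), "action": action}

def check_event(ev):
    """Return the reasons a successful login looks like provider-account misuse."""
    acct = PROVIDER_ACCOUNTS.get(ev["user"])
    if acct is None or ev["action"] != "login_success":
        return []  # not a provider account, or not a login we care about here
    reasons = []
    if not acct["enabled"]:
        reasons.append("disabled provider account used")
    if not any(ev["src"] in ipaddress.ip_network(n) for n in acct["allowed_nets"]):
        reasons.append("login from outside provider network")
    start, end = MAINTENANCE_WINDOW
    if not (start <= ev["ts"].hour < end):
        reasons.append("login outside maintenance window")
    return reasons

def find_suspicious(log_text):
    """Correlate every log line against the policy and collect the findings."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        reasons = check_event(ev)
        if reasons:
            findings.append((ev["user"], str(ev["src"]), reasons))
    return findings
```

In practice the policy would be loaded from the business associate agreement's terms and the log lines fed from the aggregated monitoring data rather than embedded as here.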
US-CERT advises that all IT service providers and their customers should consider their risk to be “elevated”, and recommends conducting a “dedicated investigation” to identify any suspicious activity on their networks.