IT Service Providers and Customers Warned of Upsurge in Chinese Malicious Cyber Activity

January 5, 2019


The Department of Homeland Security (DHS) United States Computer Emergency Readiness Team (US-CERT) has issued a warning about increased Chinese malicious cyber activity targeting IT service providers such as Managed Service Providers (MSPs), Managed Security Service Providers (MSSPs) and Cloud Service Providers (CSPs), and their customers.

The attacks exploit the trust relationships between IT service providers and their customers. A successful cyberattack on a CSP, MSP or MSSP can give the attackers access to healthcare networks and confidential patient data.

The DHS Cybersecurity and Infrastructure Security Agency (CISA) has published technical details of the tactics and techniques used by Chinese threat actors to gain access to service providers' networks and the systems of their customers.

The information has been shared so that network defenders can act to block these threats and reduce exposure to the Chinese threat actors' activities. Guidance has been released for IT service providers and their customers on the steps to take to improve security and prevent successful attacks. While a range of mitigations has been specified, there is no single solution that works for all businesses, and mitigating this malicious activity can be a complex process.

Advice for Customers of IT Service Providers

Healthcare organizations that use IT service providers are advised to:

  • Make sure their providers have conducted a review to determine whether there is a security concern or a compromise has occurred.
  • Make sure their IT service providers have implemented tools and solutions to detect cyberattacks.
  • Review and verify connections between healthcare systems and those used by IT service providers.
  • Confirm that all IT service provider accounts are being used for appropriate purposes.
  • Disable IT service provider accounts when they are not in use.
  • Make sure business associate agreements require IT service providers to implement appropriate security controls, to log and monitor customer systems and connections to their networks, and to issue prompt notification when suspicious activity is detected.
  • Integrate system log files and network monitoring data into intrusion detection and security monitoring systems for independent correlation, aggregation and detection.
  • Make sure service providers review the US-CERT pages on APT groups targeting IT service providers, specifically TA-18-276A and TA-18-276B.

Advice for IT Service Providers

IT service providers have been advised to take the following actions to mitigate the risk of cyberattacks:

  • Make sure the mitigations detailed in the US-CERT alerts are fully implemented.
  • Apply the principle of least privilege across their environments, logically separate customers' data, and do not share access to customers' networks.
  • Implement advanced network- and host-based monitoring that looks for abnormal behavior that could indicate malicious activity.
  • Aggregate and correlate log data to maximize the likelihood of detecting malicious activity and account misuse.
  • Work closely with customers to make sure all hosted infrastructure is carefully monitored and maintained.
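Several of the recommendations in both lists above (confirm provider accounts are used only for appropriate purposes, disable them when not in use, correlate logs independently, and keep each customer's access logically separated) can be checked by a customer from its own directory and log data. The script below is an added example, not part of the advisory or any US-CERT tooling. It assumes the customer keeps an inventory of provider-owned accounts (the environment each is contracted for, whether it is enabled, and an approved maintenance window) and can export provider logon events from its SIEM as whitespace-separated lines of `timestamp user scope source_ip result`; the inventory and log lines are constructed for illustration.

```python
"""Audit of provider (MSP/MSSP/CSP) accounts against authentication logs.

Added example, not from the advisory. It assumes the customer keeps an
inventory of provider-owned accounts (contracted scope, enabled flag, approved
maintenance window) and can export provider logon events from its SIEM as
"timestamp user scope source_ip result". All data below is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


@dataclass
class ProviderAccount:
    name: str
    scope: str                 # environment the provider is contracted for
    enabled: bool
    window: Tuple[int, int]    # approved maintenance hours (start, end), 24h clock


@dataclass
class Finding:
    account: str
    rule: str
    detail: str


# Constructed inventory of provider accounts present in the customer directory.
ACCOUNTS: Dict[str, ProviderAccount] = {
    a.name: a for a in [
        ProviderAccount("msp-svc-backup", "billing", True, (8, 18)),
        ProviderAccount("msp-admin-jdoe", "billing", True, (8, 18)),
        ProviderAccount("msp-svc-legacy", "billing", True, (8, 18)),
        ProviderAccount("msp-contractor-old", "billing", False, (8, 18)),
    ]
}

# Constructed SIEM export of logon events attributed to provider accounts.
LOG_LINES = [
    "2019-01-04T10:15:00 msp-svc-backup billing 203.0.113.10 success",
    "2019-01-04T23:40:00 msp-admin-jdoe billing 203.0.113.10 success",
    "2019-01-03T14:05:00 msp-admin-jdoe ehr 203.0.113.10 success",
    "2019-01-02T09:30:00 msp-contractor-old billing 198.51.100.7 success",
    "2018-11-20T11:00:00 msp-svc-legacy billing 203.0.113.10 success",
    "2019-01-04T16:00:00 msp-unknown billing 203.0.113.10 failure",
]

NOW = datetime(2019, 1, 5, 12, 0, 0)   # reference time for the idle check


def parse_log(lines: List[str]) -> List[dict]:
    """Turn the whitespace-separated export into event dicts."""
    events = []
    for line in lines:
        ts, user, scope, src, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "scope": scope, "src": src, "result": result})
    return events


def audit(accounts: Dict[str, ProviderAccount], events: List[dict],
          now: datetime, idle_days: int = 30) -> List[Finding]:
    """Flag provider-account activity that contradicts the contract or policy."""
    findings: List[Finding] = []
    last_success: Dict[str, datetime] = {}
    for e in events:
        acct = accounts.get(e["user"])
        if acct is None:
            # A provider-style account nobody inventoried is itself a finding.
            findings.append(Finding(e["user"], "not-in-inventory",
                                    f"logon attempt from {e['src']}"))
            continue
        if e["result"] == "success":
            prev = last_success.get(acct.name)
            last_success[acct.name] = e["ts"] if prev is None or e["ts"] > prev else prev
            if not acct.enabled:
                findings.append(Finding(acct.name, "disabled-account-logon",
                                        f"successful logon at {e['ts']} from {e['src']}"))
        if e["scope"] != acct.scope:
            findings.append(Finding(acct.name, "outside-contracted-scope",
                                    f"touched '{e['scope']}', contracted for '{acct.scope}'"))
        start, end = acct.window
        if not start <= e["ts"].hour < end:
            findings.append(Finding(acct.name, "outside-maintenance-window",
                                    f"activity at {e['ts']} outside {start:02d}:00-{end:02d}:00"))
    # Enabled accounts with no recent successful logon should be disabled.
    for acct in accounts.values():
        if not acct.enabled:
            continue
        seen = last_success.get(acct.name)
        if seen is None or now - seen > timedelta(days=idle_days):
            findings.append(Finding(acct.name, "idle-enabled-account",
                                    f"last successful logon: {seen or 'never'}"))
    return findings


def run_audit() -> List[Finding]:
    return audit(ACCOUNTS, parse_log(LOG_LINES), NOW)


if __name__ == "__main__":
    for f in run_audit():
        print(f"{f.rule:28} {f.account:20} {f.detail}")
```

Run against the constructed data, the audit reports five findings: one disabled account that still logged on, one enabled account idle for more than 30 days, one account missing from the inventory, and two policy violations by the same administrator account (access to an environment outside the contracted scope, and activity outside the maintenance window). The idle and disabled-account checks use successful logons only, so a brute-force attempt against a dormant account does not make it look active.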