Introduction
The Canadian Centre for Cyber Security (Cyber Centre) is warning that the People’s Republic of China (PRC) is increasingly targeting Canadians and Canadian organizations through the scale and scope of its cyber operations. This cyber bulletin aims to raise awareness among both individuals and organizations and urges all Canadians to be vigilant of this threat.
PRC cyber threat activity outpaces other nation-state cyber threats in volume, sophistication and the breadth of targeting. The Cyber Centre has observed widespread targeting by the PRC, and this activity poses a serious threat to Canadian entities across a range of sectors. The activity has targeted:
- all levels of government
- critical infrastructure
- industry, including the Canadian research and development sector
It’s important to note that if the Cyber Centre is aware of cyber threat activity targeting an entity, we alert the target to that threat.
“The threat from China [to Canadian organizations] is very likely the most significant by volume, capability, and assessed intent.”
Cyberespionage
PRC cyber threat actors often serve direct or indirect requirements of the PRC intelligence services. Their targets frequently reflect the national policy objectives of the PRC. These cyber threat actors routinely seek information that will provide an economic and diplomatic advantage in the PRC-Canada bilateral relationship, as well as information related to technologies prioritized in the PRC’s central planning.
Networks of Government of Canada agencies and departments have been compromised by PRC cyber threat actors multiple times over the past few years. All known compromises have been addressed. The Cyber Centre observes near-constant reconnaissance activity by the PRC against Government of Canada systems. However, federal government networks are not the only networks used to store and communicate information that could provide valuable intelligence to the PRC. In particular, all levels of government in Canada should be aware of the espionage threat posed by PRC cyber threat actors.
PRC cyber threat actors also frequently aim to collect large datasets containing personal information, likely for the purposes of bulk data analysis and target profiling.
Example targets of concern
- Federal, provincial, territorial, municipal and Indigenous government entities;
- Any organization or individual in close partnership with government entities;
- Universities, labs and science and technology companies engaged in research and development of technologies prioritized in PRC central planning; and
- Individuals or organizations that the PRC deems a threat – particularly those individuals advocating for Taiwan and Hong Kong independence and Chinese democracy.
Computer network attack
We echo the concerns made by U.S. partners about PRC cyber threat groups prepositioning network access for potential computer network attack against North American critical infrastructure in the event of conflict in the Indo-Pacific. Computer network attacks designed to damage, disrupt or destroy critical infrastructure networks and IT systems during heightened geopolitical tensions, military conflicts or both would cause societal panic and delay the deployment of the U.S. military.
Energy, telecommunications and transportation are the sectors of greatest concern. However, all critical infrastructure owners and operators should be aware of the potential for computer network attacks against their organizations in the event of geopolitical tensions or military conflicts.
This is not just a concern for American owners and operators. The Cyber Centre assesses that the direct threat to Canada’s critical infrastructure from PRC state-sponsored actors is likely lower than that to U.S. infrastructure, but should U.S. infrastructure be disrupted, Canada would likely be affected as well due to interoperability and interdependence in the sectors of greatest concern.
Concerning trends in PRC cyber threat activity
It is difficult to generalize our technical concerns due to the scale and diversity of PRC cyber threat actors. That said, the following observations drawn from prior advisories and statements reflect some of our most serious concerns. These should be taken into consideration when defending against and mitigating PRC cyber threat activity:
- PRC cyber threat actors frequently co-opt compromised small office and home office (SOHO) routers to conduct cyber threat activity and avoid detection.
- PRC cyber threat actors frequently “live off the land” using the built-in network administration tools of a system rather than specialized malware to conduct malicious activity. This technique helps cyber threat actors blend into normal system traffic and avoid detection by network defenders. This activity demonstrates a degree of sophistication and agility and shows that PRC cyber threat actors are not limited to a particular technique.
- PRC cyber threat actors frequently attempt to compromise trusted service providers (such as telecommunications, managed service providers and cloud service providers) to access client information or networks.
- PRC cyber threat actors rapidly weaponize and proliferate exploits for newly revealed vulnerabilities. This suggests an ongoing risk of indiscriminate exploitation of vulnerable systems. It is therefore essential that system owners apply all critical security updates as quickly as possible.
Mitigation guidance
The Cyber Centre encourages the Canadian cyber security community, especially provincial, territorial and municipal governments, to bolster their awareness of and protection against PRC state-sponsored cyber threats. We join our partners in the U.S. and the UK in recommending proactive network monitoring and mitigations.
The Cyber Centre urges provincial, territorial and municipal governments as well as critical infrastructure network defenders to adopt the following measures:
- Be prepared to isolate critical infrastructure components and services from the Internet and corporate or internal networks, should they be considered attractive to a hostile threat actor to disrupt. When using industrial control systems or operational technology, conduct a test of manual controls to ensure that critical functions remain operable if the organization’s network is unavailable or untrusted.
- Increase organizational vigilance. Monitor your networks with a focus on the tactics, techniques and procedures (TTPs) reported by the Cyber Centre and its partners. Ensure that cyber security and IT personnel are focused on identifying and quickly assessing any unexpected or unusual network behaviour. Enable logging in order to better investigate issues or events.
- Restrict intruders’ ability to move freely around your systems and networks. Pay particular attention to potentially vulnerable entry points (such as third-party systems with onward access to your core network). During an incident, disable remote access from third-party systems until you are sure they are clean. Consult the National Cyber Security Centre’s publications on preventing lateral movement and assessing supply chain security to learn more.
- Enhance your security posture. Patch your systems with a focus on the vulnerabilities outlined in the Cybersecurity and Infrastructure Security Agency’s advisory on PRC state-sponsored actors compromising and maintaining persistent access to U.S. critical infrastructure, and enable logging around backups. Deploy network and endpoint monitoring (such as anti-virus software), and implement multi-factor authentication where appropriate. Create and test offline backups.
- Have a cyber incident response plan, as well as continuity of operations and communications plans. Be prepared to use them.
- Contact the Cyber Centre to inform us of suspicious or malicious cyber activity.
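Detection logic for the living-off-the-land pattern described in the trends above and the TTP-focused monitoring recommended here, as an added example that is not part of the Cyber Centre bulletin: it scans process-creation events for built-in administration tools launched by web-server or Office parents, by accounts not expected to administer systems, or chained in quick succession on one host. The tool list, parent list, log format and sample events are assumed or constructed for the example.

```python
"""Flag living-off-the-land (LOTL) activity in process-creation logs (added example).
Built-in admin tools are expected from an administrator's interactive shell and suspicious
when spawned by a server/Office process, run by an unexpected account, or chained on one host."""
from collections import defaultdict
from datetime import datetime, timedelta

# Built-in Windows tools commonly abused for LOTL (assumed list; extend from partner TTP reporting).
LOTL_TOOLS = {"netsh.exe", "wmic.exe", "net.exe", "nltest.exe", "ntdsutil.exe",
              "schtasks.exe", "certutil.exe", "powershell.exe"}
# Parents that have no business spawning admin tooling: web server workers, Office applications.
SUSPICIOUS_PARENTS = {"w3wp.exe", "httpd.exe", "winword.exe", "excel.exe", "outlook.exe"}
CHAIN_WINDOW, CHAIN_THRESHOLD = timedelta(minutes=5), 3  # distinct tools per host in the window

def parse_event(line):
    """Parse one 'key=value;key=value' record (constructed format with Sysmon-like fields)."""
    ev = dict(kv.split("=", 1) for kv in line.strip().split(";"))
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    for k in ("image", "parent"):            # keep only the case-folded basename
        ev[k] = ev[k].rsplit("\\", 1)[-1].lower()
    return ev

def detect_lotl(lines, admin_accounts):
    """Return alert strings; admin_accounts are the accounts expected to run admin tools."""
    alerts, seen = [], defaultdict(list)     # host -> [(ts, image)] seen inside CHAIN_WINDOW
    for ev in (parse_event(l) for l in lines if l.strip()):
        if ev["image"] not in LOTL_TOOLS:
            continue
        where = f"{ev['host']} {ev['ts'].isoformat()} {ev['image']}"
        if ev["parent"] in SUSPICIOUS_PARENTS:
            alerts.append(f"{where}: spawned by {ev['parent']}")
        if ev["user"] not in admin_accounts:
            alerts.append(f"{where}: run by unexpected account {ev['user']}")
        recent = [(t, i) for t, i in seen[ev["host"]] if ev["ts"] - t <= CHAIN_WINDOW]
        recent.append((ev["ts"], ev["image"]))
        seen[ev["host"]] = recent
        if len({i for _, i in recent}) == CHAIN_THRESHOLD:  # fire once, on the 3rd distinct tool
            alerts.append(f"{where}: {CHAIN_THRESHOLD} distinct admin tools within {CHAIN_WINDOW}")
    return alerts

# Constructed sample: one legitimate admin action, a web worker chaining recon tools, Office -> PowerShell.
SAMPLE_LOG = r"""
ts=2024-05-01T09:00:00;host=DC01;user=CORP\itadmin;parent=C:\Windows\System32\cmd.exe;image=C:\Windows\System32\net.exe
ts=2024-05-01T09:01:10;host=WEB02;user=IIS APPPOOL\DefaultAppPool;parent=C:\Windows\System32\inetsrv\w3wp.exe;image=C:\Windows\System32\netsh.exe
ts=2024-05-01T09:02:00;host=WEB02;user=IIS APPPOOL\DefaultAppPool;parent=C:\Windows\System32\cmd.exe;image=C:\Windows\System32\wmic.exe
ts=2024-05-01T09:03:30;host=WEB02;user=IIS APPPOOL\DefaultAppPool;parent=C:\Windows\System32\cmd.exe;image=C:\Windows\System32\nltest.exe
ts=2024-05-01T10:30:00;host=WS17;user=CORP\jsmith;parent=C:\Program Files\Microsoft Office\winword.exe;image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"""

if __name__ == "__main__":
    print("\n".join(detect_lotl(SAMPLE_LOG.splitlines(), {r"CORP\itadmin"})))
```

The legitimate administrator action on DC01 produces no alert, while the web worker's three-tool sequence trips both the parent and the chaining checks; in production the admin-account set and the tool list would come from the organization's own baseline.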
Useful resources
Refer to the following online resources for more information and useful advice and guidance.
Reports and advisories
- Canada’s threat assessments
- Joint advisories and partner publications
- Joint guidance for executives and leaders of critical infrastructure organizations on protecting against PRC cyber activity
- UK calls out China state-affiliated actors for malicious cyber targeting of UK democratic institutions and parliamentarians
- Joint cyber security advisory on PRC state-sponsored cyber threat
- Joint advisory on PRC state-sponsored actors compromising and maintaining persistent access to U.S. critical infrastructure and joint guidance on identifying and mitigating living off the land
- Technical Approaches to Uncovering and Remediating Malicious Activity
Advice and guidance
- Secure your accounts and devices with multi-factor authentication (ITSAP.30.030)
- Security considerations for your website (ITSM.60.005)
- Security considerations for industrial control systems (ITSAP.00.050)
- Top 10 IT security actions to protect Internet connected networks and information (ITSM.10.089)
- Top 10 IT security action items: No. 2 patch operating systems and applications (ITSM.10.096)