The Canadian Centre for Cyber Security (Cyber Centre) warns of escalating cyber operations by the People’s Republic of China (PRC) targeting Canadians and entities across multiple sectors. This includes government bodies, critical infrastructure, industry, and the research and development sector. The Cyber Centre advises Canadians to remain vigilant and protect themselves against these cyber threats, emphasizing the need for heightened awareness and proactive security measures.
“PRC cyber threat actors often serve direct or indirect requirements of the PRC intelligence services. Their targets frequently reflect the national policy objectives of the PRC,” the Cyber Centre said in its guidance on Monday. “These cyber threat actors routinely seek information that will provide an economic and diplomatic advantage in the PRC-Canada bilateral relationship, as well as information related to technologies prioritized in the PRC’s central planning.”
Additionally, networks of Government of Canada agencies and departments have been compromised by PRC cyber threat actors multiple times over the past few years. All known compromises have been addressed. “The Cyber Centre observes near constant reconnaissance activity by the PRC against Government of Canada systems. However, federal government networks are not the only networks that are used to store and communicate information that could provide valuable intelligence to the PRC. In particular, all levels of government in Canada should be aware of the espionage threat posed by PRC cyber threat actors,” it added.
The agency also identified that PRC cyber threat actors frequently aim to collect large datasets containing personal information, likely for bulk data analysis and target profiling.
The Cyber Centre also relayed concerns raised by U.S. partners that PRC cyber threat groups are pre-positioning network access for potential computer network attacks against North American critical infrastructure in the event of a conflict in the Indo-Pacific. “Computer network attacks designed to damage, disrupt or destroy critical infrastructure networks and IT systems during heightened geopolitical tensions, military conflicts or both would cause societal panic and delay the deployment of the U.S. military,” it added.
Energy, telecommunications and transportation are the sectors of greatest concern, but all critical infrastructure owners and operators should be aware of the potential for computer network attacks against their organizations in the event of geopolitical tensions or military conflict.
“This is not just a concern for American owners and operators,” according to the guidance. “The Cyber Centre assesses that the direct threat to Canada’s critical infrastructure from PRC state-sponsored actors is likely lower than that to U.S. infrastructure, but should U.S. infrastructure be disrupted, Canada would likely be affected as well due to interoperability and interdependence in the sectors of greatest concern.”
The Cyber Centre also noted that the scale and diversity of PRC cyber threat actors make it difficult to generalize its technical concerns. That said, observations drawn from prior advisories and statements reflect some of the agency’s most serious concerns and should inform defence against and mitigation of PRC cyber threat activity. One such observation is that these actors frequently co-opt compromised small office and home office (SOHO) routers as infrastructure for their operations, so that their traffic appears to originate from ordinary residential and small-business IP addresses rather than from known hostile ranges, which helps them avoid detection.
PRC cyber threat actors also frequently ‘live off the land’, using a system’s built-in network administration tools rather than specialized malware to conduct malicious activity. Because the tools are legitimate and already present, this activity blends into normal administrative traffic and evades signature-based defences; detecting it depends on behavioral telemetry such as process command lines, parent-child process relationships, and which accounts run administrative tools on which hosts. The Cyber Centre notes that the activity demonstrates a degree of sophistication and agility and shows that PRC cyber threat actors are not limited to a particular technique.
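The following is an added example of the kind of TTP-focused hunt the living-off-the-land description calls for; it is not code from the Cyber Centre, CISA or this article. It scores constructed process-creation records (shaped like Windows Security 4688 or Sysmon Event ID 1 fields) on three behavioral signals that survive the absence of malware: abuse patterns in the command line of a built-in tool, an admin tool spawned by a web, database or Office parent, and one account running built-in tools across several hosts. All host names, accounts, command lines and the rule list itself are assumptions made for the example.

```python
"""Hunt for living-off-the-land (LOTL) activity in process-creation telemetry.

Added example, not code from the Cyber Centre, CISA or the article. The records
below are constructed to resemble Windows Security 4688 / Sysmon Event ID 1
fields; every host, account and command line is made up.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Built-in tools commonly abused instead of dropping malware. Their presence is
# normal; the context (parent process, arguments, spread across hosts) is not.
LOLBINS = {"cmd.exe", "powershell.exe", "wmic.exe", "netsh.exe", "ntdsutil.exe",
           "reg.exe", "certutil.exe", "schtasks.exe"}

# Command-line patterns rarely seen in routine administration (assumed rule set).
CMDLINE_RULES = [
    (re.compile(r"ntdsutil.*(ifm|ntds)", re.I), "ntdsutil IFM/NTDS dump (AD credential theft)"),
    (re.compile(r"netsh\s+interface\s+portproxy\s+add", re.I), "netsh portproxy (internal pivot)"),
    (re.compile(r"reg\s+save\s+hklm\\(sam|security|system)\b", re.I), "registry hive save (credential theft)"),
    (re.compile(r"powershell.*\s-(e|enc|encodedcommand)\b", re.I), "encoded PowerShell command"),
    (re.compile(r"wmic.*process\s+call\s+create", re.I), "WMI process creation (lateral movement)"),
    (re.compile(r"certutil.*-urlcache", re.I), "certutil used as a downloader"),
]

# Parents that should not be launching admin tools: web servers, databases, Office.
SUSPICIOUS_PARENTS = {"w3wp.exe", "httpd.exe", "tomcat.exe", "sqlservr.exe",
                      "winword.exe", "excel.exe", "outlook.exe"}


@dataclass
class Finding:
    host: str
    user: str
    image: str
    cmdline: str
    reasons: list = field(default_factory=list)


def _base(path: str) -> str:
    """Normalise an image path to its lower-case file name."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev: dict) -> list:
    """Return the reasons a single process-creation event looks like LOTL abuse."""
    image, parent, cmdline = _base(ev["image"]), _base(ev["parent"]), ev["cmdline"]
    reasons = []
    if image in LOLBINS and parent in SUSPICIOUS_PARENTS:
        reasons.append(f"{parent} spawned {image} (server/Office process running admin tool)")
    for pattern, why in CMDLINE_RULES:
        if pattern.search(cmdline):
            reasons.append(why)
    return reasons


def hunt(events) -> list:
    """Run score_event over a stream and keep only events with at least one hit."""
    findings = []
    for ev in events:
        reasons = score_event(ev)
        if reasons:
            findings.append(Finding(ev["host"], ev["user"], _base(ev["image"]), ev["cmdline"], reasons))
    return findings


def accounts_spanning_hosts(events, min_hosts: int = 3) -> dict:
    """Accounts that ran built-in admin tools on at least min_hosts distinct hosts.

    One operator touching many machines with LOLBins is a lateral-movement
    signal even when each individual command looks benign.
    """
    hosts = defaultdict(set)
    for ev in events:
        if _base(ev["image"]) in LOLBINS:
            hosts[ev["user"]].add(ev["host"])
    return {user: sorted(h) for user, h in hosts.items() if len(h) >= min_hosts}


# Constructed sample telemetry (assumed values, not real logs).
EVENTS = [
    {"ts": "2024-02-07T03:14:02Z", "host": "DC01", "user": "CORP\\svc_backup", "parent": "cmd.exe",
     "image": "C:\\Windows\\System32\\ntdsutil.exe",
     "cmdline": 'ntdsutil "ac i ntds" "ifm" "create full C:\\temp\\x" q q'},
    {"ts": "2024-02-07T03:20:41Z", "host": "WEB01", "user": "IIS APPPOOL\\DefaultAppPool", "parent": "w3wp.exe",
     "image": "cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"ts": "2024-02-07T09:02:10Z", "host": "WS042", "user": "CORP\\jdoe", "parent": "explorer.exe",
     "image": "powershell.exe", "cmdline": "powershell.exe Get-ChildItem C:\\Users\\jdoe"},
    {"ts": "2024-02-07T03:31:55Z", "host": "FS01", "user": "CORP\\admin7", "parent": "cmd.exe",
     "image": "netsh.exe",
     "cmdline": "netsh interface portproxy add v4tov4 listenport=4443 connectaddress=10.0.5.12 connectport=3389"},
    {"ts": "2024-02-07T03:35:12Z", "host": "WS042", "user": "CORP\\admin7", "parent": "cmd.exe",
     "image": "reg.exe", "cmdline": "reg save hklm\\sam C:\\temp\\sam.hiv"},
    {"ts": "2024-02-07T03:40:08Z", "host": "WS077", "user": "CORP\\admin7", "parent": "cmd.exe",
     "image": "wmic.exe", "cmdline": 'wmic /node:FS02 process call create "cmd /c dir"'},
]

if __name__ == "__main__":
    for f in hunt(EVENTS):
        print(f"{f.host:6} {f.user:28} {f.image:15} {'; '.join(f.reasons)}")
    print("accounts spanning hosts:", accounts_spanning_hosts(EVENTS))
```

The benign PowerShell directory listing on WS042 produces no finding, which is the point: the hunt keys on arguments, parentage and spread rather than on the binary name, so ordinary administration stays quiet while the ntdsutil dump, the web-server-spawned shell, the portproxy pivot, the SAM hive save and the remote WMI execution all surface, and the single account driving three of those across three hosts is called out separately. In production the same rules would run over the SIEM's 4688/Sysmon feed, with the suspicious-parent and host-span thresholds tuned to the environment's own baseline.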
PRC cyber threat actors frequently attempt to compromise trusted service providers, such as telecommunications, managed service providers and cloud service providers, to gain access to client information or networks, the guidance notes. They also rapidly weaponize and proliferate exploits for newly disclosed vulnerabilities, which means any vulnerable Internet-facing system faces an ongoing risk of indiscriminate exploitation. System owners should therefore apply critical security updates as quickly as possible.
The Cyber Centre urges provincial, territorial and municipal governments, as well as critical infrastructure network defenders, to be prepared to isolate critical infrastructure components and services from the Internet and from corporate or internal networks if those components would be attractive targets for a hostile threat actor seeking disruption. Organizations that operate industrial control systems or operational technology should test manual controls to ensure that critical functions remain operable if the organization’s network is unavailable or untrusted.
The agency also called for increased organizational vigilance: monitor networks with a focus on the tactics, techniques and procedures (TTPs) reported by the Cyber Centre and its partners, ensure that cybersecurity and IT personnel are focused on identifying and assessing any unexpected or unusual network behavior, and enable logging so that issues or events can be investigated properly.
The guidance also calls for restricting intruders’ ability to move freely around systems and networks, paying particular attention to potentially vulnerable entry points such as third-party systems with onward access to the core network. During an incident, disable remote access from third-party systems until they have been verified clean.
Organizations must also enhance their security posture by patching systems, with a focus on the vulnerabilities outlined in the Cybersecurity and Infrastructure Security Agency’s advisory on PRC state-sponsored actors compromising and maintaining persistent access to U.S. critical infrastructure, and by enabling logging, including around backup systems.
Furthermore, they must deploy network and endpoint monitoring (such as anti-virus software) and implement multi-factor authentication where appropriate. They must also create and test offline backups, maintain a cyber incident response plan as well as continuity of operations and communications plans, and be prepared to use them.