CNCERT Accuses U.S. Intelligence of Cyberattacks on Chinese Military-Industrial Targets

China’s National Computer Network Emergency Response Technical Team/Coordination Center (CNCERT) has publicly accused U.S. intelligence agencies of orchestrating sophisticated cyberattacks against key military-industrial entities, in a report that follows its earlier disclosure of the 2022 NSA breach at Northwestern Polytechnical University.

The revelations detail two emblematic incidents that underscore the persistent targeting of China’s defense sector through advanced persistent threats (APTs).

The first case, spanning July 2022 to July 2023, involved the exploitation of a previously undisclosed zero-day vulnerability in Microsoft Exchange’s email infrastructure.

Microsoft Exchange Zero-Day Exploit

Attackers infiltrated the email server of a major military-industrial enterprise, establishing persistent control for nearly 11 months.

This initial breach facilitated lateral movement within the intranet, leveraging the domain controller as a pivot to compromise over 50 core devices.

To maintain stealth, the perpetrators deployed WebSocket-based and SSH tunneling mechanisms, constructing multi-layered encrypted channels for exfiltrating sensitive data.

The operation zeroed in on high-value targets, including the email accounts of 11 senior executives, from which they extracted critical assets such as military product design blueprints and system parameter specifications.

Technically, the attack toolkit employed code obfuscation to bypass endpoint detection and response (EDR) systems, with command-and-control (C2) traffic routed through intermediary jump points in countries such as Germany and Finland, so that no overt malicious signatures were detectable throughout the intrusion lifecycle.

Supply Chain Compromise

The second incident, occurring between July and November 2024, highlighted vulnerabilities in supply chain ecosystems: attackers exploited unauthorized-access flaws in an electronic file management system to implant memory-resident backdoors and manipulate Tomcat servlet filters for long-term persistence.

Using springboard IP addresses in Romania and the Netherlands, the intruders disguised a malicious payload as a legitimate system upgrade package, disseminating targeted Trojans across the intranet.

This allowed precise control over more than 300 devices, with keyword-based filtering mechanisms homing in on terms like “military network” and “core network” to identify and harvest strategic intelligence.

The data exfiltration focused on high-stakes materials, including communication protocol specifications and satellite Internet architecture diagrams, indicative of state-sponsored espionage aimed at undermining national security assets.

To evade forensic analysis, the attackers implemented log sanitization routines and real-time monitoring of defensive postures, dynamically adapting to obscure their origins and maintain operational secrecy.

These tactics reflect hallmarks of professional intelligence operations, prioritizing long-term access over immediate disruption.

According to the report, CNCERT’s disclosures come amid heightened scrutiny of global supply chain risks, particularly following a recent dialogue between China’s Cyberspace Administration and Nvidia, where demands were made for evidentiary documentation regarding alleged backdoors in the H20 chip series.

These incidents reinforce the imperative for localization in critical technologies, as reliance on foreign vendors has repeatedly exposed entities to external manipulation and control, much like the vulnerabilities exploited in these cases.

By prioritizing indigenous development, China aims to fortify its cyber defenses against such incursions, reducing dependencies that could be weaponized by adversaries.

These events not only highlight the technical sophistication of U.S.-linked APT groups but also signal a broader geopolitical contest in cyberspace, where military-industrial secrets remain prime targets for intelligence dominance.

As of the latest reports, investigations continue, with calls for international accountability to curb such aggressive cyber activities.
