DOD, FBI, DHS release info on malware used in Chinese government-led hacking campaigns

The release is the first time the government has called out malware thought to be Chinese in origin.

The U.S. government publicly put forth information Monday that exposed malware used in Chinese government hacking efforts for more than a decade.

The Chinese government has been using malware, referred to as Taidoor, to target government agencies, entities in the private sector, and think tanks since 2008, according to a joint announcement from the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, the Department of Defense, and the FBI. The Chinese Communist Party has been using the malware, in conjunction with proxy servers, “to maintain a presence on victim networks and to further network exploitation,” according to the U.S. government’s malware analysis report (MAR).

In particular, Taidoor has been used to target government and private sector organizations that have a focus on Taiwan, according to previous FireEye analysis. It is typically distributed to victims through spearphishing emails that contain malicious attachments.

U.S. Cyber Command, the DOD’s offensive cyber unit, has also shared samples of Taidoor through malware-sharing platform VirusTotal so information security professionals can further examine it.

Cyber Command has been uploading malware samples to VirusTotal since 2018 in an effort to help the private sector better protect against foreign adversaries, as well as to deter adversaries from running hacking campaigns. But it appeared to be the first time in the program’s approximately two-year history that the Pentagon has chosen to identify malware that looks to be Chinese in origin. The DOD has frequently exposed North Korean hacking through VirusTotal uploads, as well as campaigns linked with Russian and Iranian hacking.

It wasn’t immediately clear if Taidoor was being used in any recent or ongoing espionage campaigns from China. But of the four malware samples Cyber Command shared on VirusTotal, only two are detected by any engines. Even in the cases where the private sector does have protections related to Taidoor campaigns, the protections aren’t widespread — only FireEye and BitDefender protect against some parts of the Taidoor upload.

A CISA official told CyberScoop the announcement was made to enhance defenses against Chinese hacking.

“CISA, FBI, and DOD are publishing this malware analysis report about the Taidoor variant to enable network defense and reduce exposure to Chinese government malicious cyber activity,” the CISA official told CyberScoop.

Monday’s announcement comes amid escalating tension between China and Taiwan. In recent months, Chinese fighter jets have reportedly entered Taiwan’s air space on multiple occasions. Additionally, China said in May it would “resolutely smash” any efforts by Taiwan to declare independence.

China’s ruling party — the Communist Party of China — has taken aggressive action against perceived threats in recent years. It has been simultaneously sending Uighur Muslims to detention camps and targeting them with mobile hacking tools, instituting a sweeping national security law aimed at quelling protests and other perceived dissent in Hong Kong, and clashing with India in an escalation of a long-standing border dispute.

China’s interest in Taiwan has gained renewed attention on Capitol Hill. Rep. Ted Yoho, R-Fla., introduced a bill last week that would allow the president to use military force against China if it were to attack Taiwan. The bill calls for China to back off threats and uses of military force in Taiwan, and urges Taiwan to work with the U.S. on cyber defense activities and “strengthening Taiwan’s cyber capabilities.”

“The U.S. policy of strategic ambiguity towards Taiwan, initially implemented to avoid provoking Beijing to attack Taiwan and encourage peaceful relations, has clearly failed,” Yoho, the ranking member for the House Foreign Affairs Subcommittee on Asia, said in a statement. “The PLA’s dramatic military buildup and increased provocations in the Taiwan Strait, along with blatant threats from the CCP, make their intentions toward Taiwan abundantly clear. The United States must act immediately to establish a clear red line over Taiwan that must not be crossed by China.”

In a phone interview Monday, Yoho told CyberScoop he would like to see both Taiwan’s defensive and offensive cyber capabilities enhanced, adding he thinks the action DOD, FBI, and DHS took today to call out Chinese malware is “the beginning of a deterrent.”

“I think it’s calling them out — which they don’t like: public shame. But I think it’s the beginning of a deterrent,” Yoho told CyberScoop. “I think it’s important that anytime we find an infraction on what they do — whether it’s on human rights, trade secrets, espionage … they need to be called out.”

The Chinese embassy in the U.S. did not immediately return a request for comment.
