Cybersecurity & Infrastructure Security Agency
America's Cyber Defense Agency

China Cyber Threat Overview and Advisories

The Office of the Director of National Intelligence’s 2023 Annual Threat Assessment makes clear the cyber threat posed by the People’s Republic of China (PRC): “China probably currently represents the broadest, most active, and persistent cyber espionage threat to U.S. Government and private-sector networks. China’s cyber pursuits and its industry’s export of related technologies increase the threats of aggressive cyber operations against the U.S. homeland. . . China almost certainly is capable of launching cyber attacks that could disrupt critical infrastructure services within the United States, including against oil and gas pipelines, and rail systems."

In this context, every organization must take urgent action to understand and address known tactics, techniques, and procedures (TTPs) used by PRC cyber actors – including efforts to detect and prevent intrusions and respond to and recover from incidents, particularly by investing in the operational resilience of essential services. CISA and our partners in the U.S. government and around the world provide timely and actionable information about the PRC cyber threat to help organizations prioritize the most effective cybersecurity measures. As a starting point, organizations should:

  • Review the Joint Cybersecurity Advisory on People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection. This Advisory focuses on a tactic called living off the land (LOTL): a set of techniques in which cyber actors abuse tools already present in the environment, such as PowerShell, Windows Management Instrumentation (WMI), and file transfer protocol (FTP) clients, so that their activity blends in with normal administration. Because no new malware has to be written to disk, this fileless approach makes it easier for cyber actors to sustain and advance an intrusion while evading detection by security teams. LOTL use has grown over the years among state-sponsored threat actors, cyber criminals, and penetration testing teams. In particular, CISA recommends that every organization take the following steps to reduce the risk of adversaries using LOTL techniques:
    • Establish a security baseline of normal host behavior and user activity so that anomalous activity on endpoints can be detected.
    • Isolate privileged administrator actions and locations to a manageable subset of locations where effective baselines of “where” and “who” can be established.
    • Prioritize logging (e.g., command-line interface (CLI) activity) and close and/or monitor high-risk ports (e.g., Remote Desktop Protocol (RDP), Server Message Block (SMB), File Transfer Protocol (FTP), Trivial File Transfer Protocol (TFTP), Secure Shell (SSH), and Web Distributed Authoring and Versioning (WebDAV)).
  • Prioritize mitigation of Known Exploited Vulnerabilities, including those outlined in our joint advisory on the top Common Vulnerabilities and Exposures (CVEs) exploited since 2020 by PRC state-sponsored cyber actors.
  • Urgently report potential malicious activity to CISA or the FBI:
    • The easiest way is to go to CISA.gov and click the “Report a Cyber Issue” button at the top of the page.
    • You can also contact CISA’s 24/7 Operations Center: cisa.gov/report | report@cisa.gov | 888-282-0870
    • Contact your local FBI field office or IC3.gov.
  • Sign up to receive CISA’s cybersecurity alerts and advisories for timely notification of emerging campaigns and incidents. Review earlier advisories on PRC cyber threats outlined below. CISA particularly recommends reviewing the following advisories:
    • People’s Republic of China State-Sponsored Cyber Actors Exploit Network Providers and Devices for guidance on protecting against Chinese malicious activity affecting critical networks. 
    • Technical Approaches to Uncovering and Remediating Malicious Activity, which outlines steps to help organizations identify intrusions across their enterprise.
  • Sign up for CISA’s free Vulnerability Scanning service to receive early warning when a vulnerability known to be exploited by PRC cyber actors or other malicious groups is identified on Internet-facing assets.
  • Establish a relationship with a regional CISA Cybersecurity Advisor to access additional services, assessments, and guidance. 
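The three LOTL mitigations above (a behavioral baseline, confinement of privileged activity to known locations, and review of high-risk listening ports) as an added example that is not part of the CISA page and is not CISA tooling. The host names, account names, event fields, the privileged-workstation inventory, and the additional binaries beyond PowerShell, WMI, and the FTP client are assumptions, and the telemetry it runs over is constructed sample data, not real logs.

```python
import re
from collections import defaultdict

# Default ports of the high-risk services named in the advisory. WebDAV shares
# 80/443 with ordinary web traffic and is not matched by port number here.
HIGH_RISK_PORTS = {21: "FTP", 22: "SSH", 69: "TFTP", 139: "NetBIOS/SMB", 445: "SMB", 3389: "RDP"}

# Assumed inventory (not from the advisory): privileged accounts and the
# privileged access workstations (PAWs) they are allowed to operate from.
ADMIN_ACCOUNTS = {"CORP\\da-alice"}
ADMIN_WORKSTATIONS = {"PAW-01", "PAW-02"}

# Native binaries commonly abused for LOTL. PowerShell, WMI, and the FTP client
# are named in the advisory text; the others are assumed additions.
LOTL_BINARIES = {"powershell.exe", "wmic.exe", "ftp.exe", "cmd.exe", "ntdsutil.exe", "netsh.exe"}

LOOPBACK = {"127.0.0.1", "[::1]"}
# Matches Windows 'netstat -an' rows: proto, local addr:port, remote, optional state.
NETSTAT_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s*(\S*)\s*$")


def build_baseline(events):
    """Step 1: learn from a trusted observation window which processes each
    (host, user) pair normally runs. Each event is a dict with host/user/process."""
    baseline = defaultdict(set)
    for e in events:
        baseline[(e["host"], e["user"])].add(e["process"].lower())
    return baseline


def score_process_event(e, baseline):
    """Steps 1 and 2: flag a LOTL binary this host/user pair has never run before,
    and flag a privileged account acting from anywhere other than a PAW."""
    findings = []
    proc = e["process"].lower()
    seen = baseline.get((e["host"], e["user"]), set())
    if proc in LOTL_BINARIES and proc not in seen:
        findings.append(f"new LOTL binary for {e['user']} on {e['host']}: {e['cmdline']}")
    if e["user"] in ADMIN_ACCOUNTS and e["host"] not in ADMIN_WORKSTATIONS:
        findings.append(f"admin {e['user']} active on non-PAW host {e['host']}")
    return findings


def exposed_high_risk_ports(host, netstat_text, approved):
    """Step 3: parse 'netstat -an' style output and return high-risk listeners bound
    to a non-loopback address that are not in the approved set of (host, port)."""
    exposed = []
    for line in netstat_text.splitlines():
        m = NETSTAT_LINE.match(line)
        if not m:
            continue
        proto, addr, port, _remote, state = m.groups()
        port = int(port)
        if proto == "TCP" and state != "LISTENING":
            continue  # established or waiting TCP connections are not listeners
        if port not in HIGH_RISK_PORTS or addr in LOOPBACK or (host, port) in approved:
            continue
        exposed.append((host, proto, port, HIGH_RISK_PORTS[port]))
    return exposed


def run_demo():
    """Run all three checks over constructed sample telemetry (not real logs)."""
    trusted_window = [  # assumed: a clean period used to learn the baseline
        {"host": "WS-017", "user": "CORP\\bob", "process": "outlook.exe"},
        {"host": "WS-017", "user": "CORP\\bob", "process": "excel.exe"},
        {"host": "PAW-01", "user": "CORP\\da-alice", "process": "powershell.exe"},
        {"host": "PAW-01", "user": "CORP\\da-alice", "process": "mmc.exe"},
    ]
    baseline = build_baseline(trusted_window)
    new_events = [  # constructed process-creation events to score
        {"host": "WS-017", "user": "CORP\\bob", "process": "excel.exe", "cmdline": "excel.exe /e"},
        {"host": "WS-017", "user": "CORP\\bob", "process": "powershell.exe",
         "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA..."},
        {"host": "PAW-01", "user": "CORP\\da-alice", "process": "powershell.exe",
         "cmdline": "powershell.exe Get-ADUser -Filter *"},
        {"host": "FS-03", "user": "CORP\\da-alice", "process": "ntdsutil.exe",
         "cmdline": 'ntdsutil.exe "ac i ntds" ifm "create full C:\\temp" q q'},
    ]
    process_findings = [f for e in new_events for f in score_process_event(e, baseline)]
    netstat_ws017 = """\
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:22           0.0.0.0:0              LISTENING
  TCP    [::]:445               [::]:0                 LISTENING
  UDP    0.0.0.0:69             *:*
"""
    approved = {("WS-017", 445)}  # assumed: SMB on this host is documented and monitored
    exposed = exposed_high_risk_ports("WS-017", netstat_ws017, approved)
    return {"process_findings": process_findings, "exposed_ports": exposed}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key)
        for item in value:
            print("  ", item)
```

On the sample data this yields three process findings (an unseen PowerShell launch for a standard user, and an unseen ntdsutil launch by a domain admin on a non-PAW file server, which also trips the location check) and two exposed high-risk listeners (RDP and TFTP; the loopback-only SSH listener and the approved SMB listeners are ignored). In production the baseline would be built from process-creation telemetry such as Windows Security event 4688 or Sysmon event 1 with command-line logging enabled, and the port inventory from the same hosts' netstat output.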

CISA and Joint CISA Publications

Publication Date / Title / Description

May 24, 2023
Joint Cybersecurity Advisory: People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection
This Advisory focuses on a tactic called living off the land (LOTL), a set of techniques used by cyber actors to evade detection within IT infrastructures by abusing tools already present in the environment. For more information, see:
  • CISA: U.S. and International Partners Release Advisory Warning of PRC State-Sponsored Cyber Activity
  • Microsoft: Volt Typhoon targets US critical infrastructure with living-off-the-land techniques

October 6, 2022
Joint Cybersecurity Advisory: Top CVEs Actively Exploited By People’s Republic of China State-Sponsored Cyber Actors
CISA, NSA, and FBI released an advisory listing the top Common Vulnerabilities and Exposures (CVEs) exploited since 2020 by People’s Republic of China (PRC) state-sponsored cyber actors.

June 7, 2022
Joint Cybersecurity Advisory: People’s Republic of China State-Sponsored Cyber Actors Exploit Network Providers and Devices
CISA, NSA, and FBI released an advisory describing the ways in which PRC state-sponsored cyber actors continue to exploit publicly known vulnerabilities in order to establish a broad network of compromised infrastructure.

August 20, 2021
Joint Cybersecurity Advisory: Chinese Observed TTPs
CISA, NSA, and FBI released an advisory that describes Chinese cyber threat behavior and trends and provides mitigations to help protect the Federal Government; state, local, tribal, and territorial governments; critical infrastructure; the defense industrial base; and private industry organizations.

July 21, 2021
Joint Cybersecurity Advisory: Chinese Gas Pipeline Intrusion Campaign, 2011 to 2013
CISA and FBI released an advisory providing information on a spearphishing and intrusion campaign conducted by state-sponsored Chinese actors from December 2011 to 2013, targeting U.S. oil and natural gas (ONG) pipeline companies.

July 20, 2021
Joint Cybersecurity Advisory: TTPs of Indicted APT40 Actors Associated with China’s MSS Hainan State Security Department
CISA and FBI released an advisory to help network defenders identify and remediate APT40 intrusions and established footholds. See the July 19, 2021, Department of Justice press release.

July 19, 2021
Joint CISA Insights: Chinese Cyber Threat Overview for Leaders
CISA, NSA, and FBI released a joint CISA Insights to help leaders understand this threat and how to reduce their organization's risk of falling victim to cyber espionage and data theft.

March 3, 2021
CISA Alert: Mitigate Microsoft Exchange Server Vulnerabilities
CISA partners observed active exploitation of vulnerabilities in Microsoft Exchange Server products. This Alert includes tactics, techniques, and procedures and indicators of compromise associated with this activity. See the July 19, 2021 White House Statement.

October 1, 2020
CISA Alert: Potential for China Cyber Response to Heightened U.S.-China Tensions
In light of heightened tensions between the United States and China, CISA released an Alert providing specific Chinese government and affiliated cyber threat actor tactics, techniques, and procedures (TTPs). The Alert also includes recommended mitigations to help the cybersecurity community protect our Nation’s critical infrastructure.

September 14, 2020
Joint Cybersecurity Advisory: Chinese Ministry of State Security-Affiliated Cyber Threat Actor Activity
CISA has consistently observed Chinese Ministry of State Security (MSS)-affiliated cyber threat actors using publicly available information sources and common, well-known TTPs to target U.S. government agencies. This advisory identifies some of the more common TTPs employed by cyber threat actors, including those affiliated with the Chinese MSS.

August 3, 2020
MAR-10292089-1.v2 – Chinese Remote Access Trojan: TAIDOOR
CISA, FBI, and DoD released a Malware Analysis Report (MAR) describing Chinese government actors using malware variants in conjunction with proxy servers to maintain a presence on victim networks and to further network exploitation.

May 13, 2020
CISA and FBI Joint Public Service Announcement: People’s Republic of China (PRC) Targeting of COVID-19 Research Organizations
CISA and FBI issued a Public Service Announcement warning healthcare, pharmaceutical, and research sectors working on the COVID-19 response of likely targeting and attempted network compromise by the PRC.

February 2019
CISA Webinar: Chinese Cyber Activity Targeting Managed Service Providers
CISA Webinar Slide Deck: Chinese Cyber Activity Targeting Managed Service Providers
CISA provided a webinar on Chinese state-sponsored cyber actors targeting managed service providers (MSPs) and their customers. This campaign is referred to as CLOUD HOPPER.

October 3, 2018
CISA Alert: Advanced Persistent Threat Activity Exploiting Managed Service Providers
CISA Alert: Using Rigorous Credential Control to Mitigate Trusted Network Exploitation
These Alerts address the CLOUD HOPPER campaign. Since May 2016, APT actors have used various TTPs to attempt to infiltrate the networks of global MSPs for the purposes of cyber espionage and intellectual property theft. APT actors have targeted victims in several U.S. critical infrastructure sectors, including IT, Energy, Healthcare and Public Health, Communications, and Critical Manufacturing.

April 27, 2017
CISA Alert: Intrusions Affecting Multiple Victims Across Multiple Sectors
This Alert provides information on a campaign in which Chinese government cyber threat actors exploited trust relationships between IT service providers, such as MSPs and cloud service providers, and their customers. Chinese cyber actors associated with the Chinese MSS carried out a campaign of cyber-enabled theft targeting global technology service providers and their customers. The actors gained access to multiple U.S. and global IT service providers and their customers in an effort to steal the intellectual property and sensitive data of companies located in at least 12 countries.