Chinese Cyber Espionage Group UNC3886’s Stealthy Attack on Fortinet Firewalls
A stealthy and sophisticated cyber-espionage attack on a defense industry organization in 2022 has been attributed to the Chinese hacking group UNC3886, according to Mandiant CEO Kevin Mandia. The attackers gained administrator privileges on Fortinet FortiGate firewalls and set up a virtual API endpoint carrying malware written specifically for VMware ESXi hypervisors. In a particularly savvy move, the intruders sidestepped endpoint detection and response (EDR) systems, the typical go-to solution for spotting intrusions, by embedding themselves within the firewalls' virtual hardware. Mandia suggests this is part of a broader trend of attackers turning to firewalls as EDR keeps improving and raises the barrier to entry on endpoints.
The attack relied on a zero-day vulnerability in Fortinet's FortiOS (CVE-2022-41328), combined with an old-school directory path traversal technique, to read and write files on the firewalls through command-line interface instructions. UNC3886 also bypassed firewall rules on FortiManager and dropped malware on both FortiManager, Fortinet's management platform, and FortiAnalyzer, its log and reporting tool. The group took a highly selective and stealthy approach to eliminating any trace of its activity, a departure from the traditional modus operandi of Chinese hacking groups.
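The path traversal component described above is the kind of defect a defender can check for at the point where a file path from an untrusted source reaches a read or write routine. The following is an added example, not code from the article, Mandiant or Fortinet: a canonicalising guard that decodes percent-encoding (including a second layer, for double-encoded sequences), collapses `.` and `..`, and refuses any path that would resolve outside an assumed base directory. The base directory `/data/config` and the function names are assumptions for the example.

```python
"""Added example (not from the article or any vendor): a defensive check
that rejects directory-traversal paths before a file read/write routine
ever sees them.  Everything here is generic and self-contained."""
import posixpath
from urllib.parse import unquote

# Assumed sandbox root for the example; a real service would use its own.
BASE_DIR = "/data/config"


class TraversalError(ValueError):
    """Raised when a requested path would escape the permitted base."""


def resolve_within(base: str, requested: str) -> str:
    """Return the canonical absolute path for `requested` under `base`.

    Steps:
      1. Percent-decode twice so that %2e%2e and %252e%252e both become '..'.
      2. Reject NUL bytes (classic truncation trick) and absolute paths.
      3. Join to the base and normalise, collapsing '.' and '..' segments.
      4. Accept only if the result is the base itself or lies strictly below it.
    """
    decoded = requested
    for _ in range(2):  # second pass handles double-encoded sequences
        decoded = unquote(decoded)
    if "\x00" in decoded:
        raise TraversalError("NUL byte in requested path")
    if decoded.startswith("/"):
        raise TraversalError("absolute paths are not allowed")

    base_norm = posixpath.normpath(base)
    candidate = posixpath.normpath(posixpath.join(base_norm, decoded))

    # The trailing slash matters: '/data/config2' must not pass as '/data/config'.
    if candidate != base_norm and not candidate.startswith(base_norm + "/"):
        raise TraversalError(f"path escapes base directory: {requested!r}")
    return candidate


def is_safe(requested: str, base: str = BASE_DIR) -> bool:
    """Boolean wrapper around resolve_within for simple allow/deny decisions."""
    try:
        resolve_within(base, requested)
        return True
    except TraversalError:
        return False


if __name__ == "__main__":
    # Constructed inputs: two benign paths, then typical traversal attempts.
    for p in ["firewall.conf", "sub/../firewall.conf",
              "../../etc/passwd", "%2e%2e/%2e%2e/etc/passwd",
              "%252e%252e/etc/passwd", "/etc/passwd"]:
        print(f"{p!r:32} -> {'allow' if is_safe(p) else 'deny'}")
```

The check works on the normalised string rather than on a blacklist of `..` substrings, which is why the encoded and double-encoded variants are caught without listing each one; on a real filesystem you would additionally resolve symlinks (`os.path.realpath`) before comparing, since a link inside the base can still point outside it.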
The Efficacy of Hacking Firewalls
Targeting firewalls is a relatively new trend in the cybersecurity realm. Gaining administrator privileges on firewalls and setting up a virtual API endpoint backed by custom malware frameworks are part of a new wave of intrusion tactics that aim to evade endpoint detection and response systems. Mandia's comments suggest that this approach could become more frequent as improving EDR raises the bar on endpoints.
UNC3886’s Compromise of Fortinet Firewalls
UNC3886’s targeted intrusion capabilities put it ahead of most other nation-state hacking groups, according to Mandia. The group was careful to conceal its activity within the firewalls and virtual hardware. The attackers showed an uncanny ability to delete logs and other traces of their activity, which marks them as highly selective and skilled. Mandia calls the UNC3886 campaign the “apex attack” of 2022, given its sophistication and the extent of the measures employed. The group’s approach reflects a larger trend toward more precise and sophisticated attacks by nation-states.
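Selective log deletion on a device is hard to detect on the device itself, but it leaves two signatures in a copy of the log stream forwarded to a remote collector: missing sequence numbers and unexplained silence. The following is an added example, not code from the article or from Mandiant: a small audit over a constructed, syslog-style log excerpt (the `ts=`/`seq=` field layout and the sample events are invented for the example, not Fortinet's real log format) that reports both kinds of gap.

```python
"""Added example (not from the article): audit a forwarded log stream for
signs of selective deletion.  The log format below is constructed for the
example and is not any vendor's real format."""
import re
from datetime import datetime, timedelta

LINE_RE = re.compile(r"ts=(\S+) seq=(\d+) (.*)")

# Constructed sample: a firewall forwarding one record per event.  Records
# 1005-1007 are missing and there is a 40-minute hole before seq 1008.
SAMPLE_LOG = """\
ts=2022-09-01T10:00:00 seq=1001 event=login user=admin src=10.0.0.5
ts=2022-09-01T10:00:30 seq=1002 event=config-edit object=admin-profile
ts=2022-09-01T10:01:00 seq=1003 event=cli-session-start user=admin
ts=2022-09-01T10:01:10 seq=1004 event=file-write path=/data/config/x.conf
ts=2022-09-01T10:41:10 seq=1008 event=logout user=admin
"""


def parse_lines(text):
    """Yield (timestamp, seq, rest) for each well-formed line, in file order."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # malformed lines are ignored here; a real tool would flag them
        ts, seq, rest = m.groups()
        yield datetime.fromisoformat(ts), int(seq), rest


def find_sequence_gaps(records):
    """Return [(last_seen_seq, next_seen_seq, missing_count)] for every hole."""
    gaps = []
    prev = None
    for _, seq, _ in records:
        if prev is not None and seq > prev + 1:
            gaps.append((prev, seq, seq - prev - 1))
        prev = seq
    return gaps


def find_silences(records, max_gap=timedelta(minutes=15)):
    """Return [(start_iso, end_iso)] for every pause longer than max_gap."""
    silences = []
    prev_ts = None
    for ts, _, _ in records:
        if prev_ts is not None and ts - prev_ts > max_gap:
            silences.append((prev_ts.isoformat(), ts.isoformat()))
        prev_ts = ts
    return silences


def audit(text, max_gap=timedelta(minutes=15)):
    """Run both checks over a log excerpt and return the findings."""
    records = list(parse_lines(text))
    return {
        "records": len(records),
        "seq_gaps": find_sequence_gaps(records),
        "silences": find_silences(records, max_gap),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The two checks are complementary: a sequence gap says records existed and were removed (or never arrived), while a silence window catches the case where the attacker also suppressed generation of new records. Both depend on the copy living somewhere the firewall administrator account cannot reach, which is the real mitigation against an intruder with device-level privileges.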
The Use of AI in Cyber Defense
Mandia also touched on the utility of AI for both cyber defense and attack. Generative AI in particular, applied to phishing and social-engineering attacks, could represent a looming threat for cybersecurity organizations. From a defense perspective, however, AI can be a game-changer: generative AI lets cyber-defense teams accelerate vulnerability discovery and speeds up code development. Mandiant is reportedly working on its own AI-based tool to aid malware analysis, which, if successful, could give defenders an unprecedented advantage over attackers.
Conclusion
The UNC3886 campaign of 2022, with its quiet, selective, and highly sophisticated approach, highlights the lengths to which nation-states will go to conduct cyber espionage and related activities. Its tactics, which included the compromise of Fortinet FortiGate firewalls, the construction of a virtual API endpoint, and the acquisition of high-level administrator privileges, signal that firewalls could become a prime target for sophisticated threats in the future. Cybersecurity organizations must be aware of these infiltration trends and take appropriate actions to mitigate the risks.