Chinese Malicious Cyber Activity

The information contained on this page is the result of analytic efforts of the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) to provide technical details on the tactics, techniques, and procedures used by Chinese government cyber threat actors. These threat actors are actively exploiting trust relationships between information technology (IT) service providers—such as managed service providers and cloud service providers—and their customers. The intent of sharing this information is to enable network defenders to identify and reduce exposure to Chinese malicious cyber activity. However, mitigation for this activity can be complex and there is no single solution that will fully alleviate all aspects of the threat actor activity.

At this time, all known victims of this activity have been notified by CISA and/or the Federal Bureau of Investigation (FBI). However, because there may be additional victims not yet identified, CISA recommends all IT service providers and their customers follow the recommendations, tools, and actions described in this page and in Alerts TA17-117A and TA18-276A, referenced below. Organizations and individuals that determine their risk to be elevated—either because they are in one of the targeted sectors, or because unusual activity is detected—should conduct a dedicated investigation to identify if any of this malicious activity is in their networks.

For more information on Chinese malicious cyber activity, see:

Guidance for IT Service Provider Customers

Guidance for IT Service Providers

  • Providers should fully implement the mitigation actions available on the APTs Targeting IT Service Provider Customers site page to protect against this malicious activity.
  • Providers should implement the following specific actions:
    • Apply the principle of least privilege to their environment, which means customer data sets are separated logically, and access to client networks is not shared;
    • Implement robust network and host-based monitoring solutions that look for known malicious activity and anomalous behavior on the infrastructure and systems providing client services;
    • Ensure that log information is aggregated and correlated to enable maximum detection capabilities, with a focus on monitoring for account misuse; and
    • Work with their customers to ensure hosted infrastructure is monitored and maintained, either by the service provider or the client.
  • Providers may consult the following private industry report:
    • Operation Cloud Hopper - CISA does not endorse any commercial products or services identified in this report. Any hyperlinked websites do not constitute endorsement by CISA of the website or the information, products, or services contained therein.
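
The least-privilege and log-correlation recommendations above can be checked together. The following added example (not CISA's code) scans aggregated authentication events for a provider account that logs on successfully to more than one customer tenant inside a time window, which indicates shared access to client networks. The log format and all account, tenant and host names are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of aggregated authentication events (not real data).
# Assumed format: ISO timestamp, provider account, customer tenant, source host, result
SAMPLE_EVENTS = """\
2024-01-10T02:11:05 svc-backup tenant-a jump01 success
2024-01-10T02:13:40 svc-backup tenant-b jump01 success
2024-01-10T02:14:02 svc-backup tenant-c jump01 success
2024-01-10T09:00:12 alice.admin tenant-a jump02 success
2024-01-10T09:30:45 alice.admin tenant-a jump02 success
2024-01-10T10:05:00 bob.admin tenant-b jump03 failure
2024-01-10T23:50:00 bob.admin tenant-c jump03 success
"""

def parse_events(text):
    """Parse whitespace-separated event lines into time-ordered tuples."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines instead of failing the whole batch
        ts, account, tenant, host, result = parts
        events.append((datetime.fromisoformat(ts), account, tenant, host, result))
    return sorted(events)

def cross_tenant_accounts(events, window=timedelta(hours=1)):
    """Return {account: sorted tenants} for accounts with successful
    logons to more than one customer tenant inside the sliding window."""
    by_account = defaultdict(list)
    for ts, account, tenant, _host, result in events:
        if result == "success":  # failed attempts are a separate detection
            by_account[account].append((ts, tenant))
    findings = {}
    for account, logons in by_account.items():
        start = 0
        for end in range(len(logons)):
            # Shrink the window until it spans at most `window` of time.
            while logons[end][0] - logons[start][0] > window:
                start += 1
            tenants = {t for _, t in logons[start:end + 1]}
            if len(tenants) > 1:
                findings.setdefault(account, set()).update(tenants)
    return {a: sorted(t) for a, t in findings.items()}

if __name__ == "__main__":
    for account, tenants in cross_tenant_accounts(parse_events(SAMPLE_EVENTS)).items():
        print(f"ALERT {account} accessed multiple tenants: {', '.join(tenants)}")
```

Accounts that legitimately span tenants should be documented exceptions, so that anything else this check reports is investigated as possible account misuse.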

Additional DHS Partner Resources