NSA warns contractors on China hacks


The National Security Agency released details on 25 existing vulnerabilities that Chinese state-sponsored threat groups are using to try to penetrate defense industrial base networks.

NSA's advisory, issued Oct. 20, details 25 known and patchable bugs that are "known to be recently leveraged, or scanned-for, by Chinese state-sponsored cyber actors to enable successful hacking operations against a multitude of victim networks."

These common vulnerabilities and exposures are used by hackers to get a foothold on targeted networks and conduct reconnaissance about network defenses. The CVEs cover a variety of systems, including email and application servers as well as domain controllers, but the common thread is that they involve tools that manage connections between networks and the open internet.

Most of the CVEs were identified in the last two years, but a few date back further, and patches and other mitigation strategies that address all of them already exist. What's new here is that NSA is identifying Chinese state-sponsored groups as actively leveraging these weaknesses to target information networks belonging to the defense industrial base, the Department of Defense and other national security systems.

"We hear loud and clear that it can be hard to prioritize patching and mitigation efforts. We hope that by highlighting the vulnerabilities that China is actively using to compromise systems, cybersecurity professionals will gain actionable information to prioritize efforts and secure their systems," NSA Cybersecurity Director Anne Neuberger said in a statement.

The threat of Chinese intrusion into defense industrial base networks is nothing new. In its 2020 report to Congress on China's growing military power, released last month, DOD stated that China "uses its cyber capabilities to not only support intelligence collection against U.S. diplomatic, economic, academic, and defense industrial base sectors, but also to exfiltrate sensitive information from the defense industrial base to gain military advantage."

The report noted that "targeted information could enable [People's Liberation Army] cyber forces to build an operational picture of U.S. defense networks, military disposition, logistics and related military capabilities that could be exploited prior to or during a crisis…. In aggregate, these cyber-enabled campaigns threaten to erode U.S. military advantages and imperil the infrastructure and prosperity on which those advantages rely."

Currently DOD is in the midst of an effort to force contractors to get their cybersecurity hygiene in order. The Cybersecurity Maturity Model Certification program requires compliance with National Institute of Standards and Technology guidelines for safeguarding government information in non-governmental systems. These guidelines include staying on top of patching and monitoring audit logs for malicious code and the remote execution of privileged functions by unauthorized users.

About the Author

Adam Mazmanian is executive editor of FCW.

Before joining the editing team, Mazmanian was an FCW staff writer covering Congress, government-wide technology policy and the Department of Veterans Affairs. Prior to joining FCW, Mazmanian was technology correspondent for National Journal and served in a variety of editorial roles at B2B news service SmartBrief. Mazmanian has contributed reviews and articles to the Washington Post, the Washington City Paper, Newsday, New York Press, Architect Magazine and other publications.
