Threat Signal Report

Multiple Agency Threat Alert Issued for Chinese Ministry of State Security Threat Actor Activity


On September 14th, the United States Cybersecurity and Infrastructure Security Agency (CISA) along with the Federal Bureau of Investigation (FBI), released a joint Technical Alert that has attributed malicious cyber activity to the Chinese government; specifically the Chinese Ministry of State Security (MSS).

The Technical Alert provides in depth analysis of Chinese government activity that has been targeting United States governmental interests using open source exploitation tools and known vulnerabilities. In addition to these attacks, other verticals (including other countries) were observed being targeted, as well. According to the report, these verticals included high-tech manufacturing, medical devices, civil and industrial engineering, business, educational, gaming software, solar energy, pharmaceuticals, and defense sectors in a campaign that lasted for over ten years.

What Other Information was Provided in this Report?

The Technical Alert provided further insight into the TTPs (tactics, techniques and procedures) of Chinese MSS activity, especially reconnaissance efforts used on the targeted organizations. The tactics outlined by this report include determining the attack vector, gathering information about the targets via OSINT (open source intelligence) and the scanning of networks to potentially reveal vulnerabilities and weaknesses to exploit.

According to the report, specific vulnerabilities targeted by Chinese MSS threat actors during the past 12 months were:

CVE-2020-5902: F5 Big-IP Vulnerability

CVE-2019-19781: Citrix Virtual Private Network (VPN) Appliances

CVE-2019-11510: Pulse Secure VPN Servers

CVE-2020-0688: Microsoft Exchange Server

Open source penetration testing tools observed used by Chinese MSS threat actors were:

Cobalt Strike


Custom in house tools attributed to MSS used were:

China Chopper Web Shell

What is the Severity of Impact?

The severity should be regarded as MEDIUM, due to the fact that these campaigns have been observed in limited, targeted attacks.

Any Other Suggested Mitigation and/or Workarounds?

All vendors of affected software mentioned in this advisory have provided patches for known vulnerabilities. If it is deemed that patching is not feasible at this time, it is recommended that a risk assessment be conducted to determine additional mitigation safeguards within an environment. Organizations are encouraged to conduct ongoing training sessions to educate and inform personnel about the latest phishing/spearphishing attacks. FortiGuard Labs recommends that all AV and IPS definitions are kept up to date on a continual basis, and that organizations maintain a proactive patching routine when vendor updates are available. For additional guidance, please refer to the APPENDIX section which contains links to specific vendor suggestions and mitigation.

What is the status of AV/IPS and Web Filtering coverage?

FortiGuard Labs has coverage in place for the vulnerabilities and exploitation tools mentioned in this technical alert. As this report does not contain specific information such as hashes, this is a general list of signatures for the families of exploitation tools and vulnerabilities listed in the report.

Customers running the latest definition sets are protected by the following (AV) signatures:











Customers running the latest definition sets are protected by the following (IPS) signatures:













Traffic Light Protocol

Color When Should it Be used? How may it be shared?


Not for disclosure, restricted to participants only.
Sources may use TLP:RED when information cannot be effectively acted upon by additional parties, and could lead to impacts on a party's privacy, reputation, or operations if misused. Recipients may not share TLP:RED information with any parties outside of the specific exchange, meeting, or conversation in which it was originally disclosed. In the context of a meeting, for example, TLP:RED information is limited to those present at the meeting. In most circumstances, TLP:RED should be exchanged verbally or in person.


Limited disclosure, restricted to participants’ organizations.
Sources may use TLP:AMBER when information requires support to be effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organizations involved. Recipients may only share TLP:AMBER information with members of their own organization, and with clients or customers who need to know the information to protect themselves or prevent further harm. Sources are at liberty to specify additional intended limits of the sharing: these must be adhered to.


Limited disclosure, restricted to the community.
Sources may use TLP:GREEN when information is useful for the awareness of all participating organizations as well as with peers within the broader community or sector. Recipients may share TLP:GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels. Information in this category can be circulated widely within a particular community. TLP:GREEN information may not be released outside of the community.


Disclosure is not limited.
Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.