CNCERT Reports U.S. Cyberattacks on Chinese Military-Industrial Networks

Since mid-2022, Chinese military-industrial networks have reportedly been the target of sophisticated cyber intrusions attributed to U.S. intelligence agencies. These campaigns exploited previously unknown vulnerabilities to install stealthy malware, maintain prolonged access, and exfiltrate sensitive defense data.

The National Computer Network Emergency Response Technical Team/Coordination Center of China (CNCERT) has identified multiple incidents illustrating a persistent focus on China’s defense manufacturing and research establishments.

Initial Breach at Northwestern Polytechnical University

In July 2022, a significant breach was detected at Northwestern Polytechnical University, a leading institution in aerospace and defense research. The attackers exploited a zero-day vulnerability in the university's Microsoft Exchange servers, compromising its email system and maintaining persistence for nearly a year. After gaining control of an internal domain controller, the intrusion team moved laterally to more than fifty core hosts. CNCERT analysts noted that the operators deployed obfuscated payloads, tunneled SSH sessions inside WebSocket connections, and routed traffic through relay nodes in Germany and Finland to evade network monitoring.

Second Wave of Attacks on Defense Suppliers

Between July and November 2024, the adversaries exploited a vulnerability in an electronic file system across more than 300 devices in a supplier's production environment. Operating from compromised IP addresses in Romania and the Netherlands, they manipulated Tomcat servlet filters to implant Trojanized upgrade packages. These bespoke Trojans searched files for keywords such as "secret work" and "core network", harvesting proprietary architectural diagrams and protocol specifications. CNCERT researchers identified the campaign's hallmark stealth techniques, including dynamic log wiping and active reconnaissance of the intrusion detection systems used in the defense sector.
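A defender reading the paragraph above will want a concrete check for the filter tampering it describes. The following is an added example, not code from CNCERT or from the affected supplier: it parses a Tomcat `web.xml` and flags any servlet filter whose class is outside an allowlist, rating it higher when the filter is mapped to every request (`/*`), which is where an implant that rewrites upgrade downloads would sit. The allowlist, filter names and the embedded `web.xml` are constructed for illustration.

```python
"""Audit a Tomcat web.xml for unexpected servlet filters.

Added example. The allowlist and the sample deployment descriptor below are
assumptions made for illustration, not data from the CNCERT report.
"""
import xml.etree.ElementTree as ET

# Illustrative allowlist of filter classes the deployment is expected to carry.
KNOWN_FILTER_CLASSES = {
    "org.apache.catalina.filters.HttpHeaderSecurityFilter",
    "org.apache.catalina.filters.SetCharacterEncodingFilter",
}


def _local(tag: str) -> str:
    """Strip the XML namespace so the check works for javax and jakarta schemas."""
    return tag.rsplit("}", 1)[-1]


def _text(elem, name: str) -> str:
    """Return the stripped text of the first child element with local name `name`."""
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return ""


def audit_filters(web_xml: str, known=KNOWN_FILTER_CLASSES):
    """Return findings for filters whose class is not in `known`.

    Each finding records the filter name, class, its url-patterns and a severity:
    "high" when the filter intercepts every request, "medium" otherwise.
    """
    root = ET.fromstring(web_xml)
    classes, mappings = {}, {}
    for elem in root:
        tag = _local(elem.tag)
        if tag == "filter":
            classes[_text(elem, "filter-name")] = _text(elem, "filter-class")
        elif tag == "filter-mapping":
            name = _text(elem, "filter-name")
            for child in elem:
                if _local(child.tag) == "url-pattern":
                    mappings.setdefault(name, []).append((child.text or "").strip())
    findings = []
    for name, cls in classes.items():
        if cls in known:
            continue
        patterns = mappings.get(name, [])
        findings.append({
            "name": name,
            "class": cls,
            "patterns": patterns,
            "severity": "high" if "/*" in patterns else "medium",
        })
    return findings


# Constructed sample descriptor: one expected filter plus one unexpected
# catch-all filter named to look like part of an update mechanism.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <filter>
    <filter-name>headerSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>headerSecurity</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  <!-- constructed: hypothetical implanted filter -->
  <filter>
    <filter-name>updateHelper</filter-name>
    <filter-class>com.example.update.UpgradeFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>updateHelper</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
</web-app>
"""

if __name__ == "__main__":
    for f in audit_filters(SAMPLE_WEB_XML):
        print(f["severity"], f["name"], f["class"], f["patterns"])
```

Two caveats apply. The allowlist must be built from a known-good copy of the application's own descriptor, since most deployments register their own filters. And a descriptor audit only catches filters that were persisted to disk; a filter registered at runtime through the servlet context lives only in the JVM, so a complete check also compares the filter chain reported by the running Tomcat (for example via JMX) against the descriptor.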

Covert Channel and Persistence Tactics

One defining characteristic of the Exchange-based intrusions is the custom SSH-over-WebSocket covert channel. After the initial foothold, the operators ran a user-space SSH daemon disguised as a messaging service. The daemon listens on port 80 for WebSocket handshake requests; once the handshake completes, the SSH session is carried inside WebSocket frames, giving the operators bidirectional command and control that looks like ordinary web traffic and does not trip detections keyed to SSH on its usual port. Because the SSH session is wrapped in standard WebSocket frames on an HTTP port, the attackers maintained covert, long-term access to mission-critical networks without detection. The wrapping hides the protocol from port-based rules only: the SSH identification string and key exchange still travel in the clear inside the first frames, so payload inspection of WebSocket traffic on port 80 can expose the tunnel.
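The channel described above can be recognised on the wire because the SSH client sends its plaintext identification string before any encryption is negotiated. The following added example, which is not code from the CNCERT report, parses an HTTP Upgrade request on port 80 and the first masked client frame that follows it, and reports the SSH version string if one is found. It assumes the tunnel carries the raw SSH protocol inside binary frames without an extra encoding layer; the handshake bytes and frame contents are constructed for the example.

```python
"""Detect an SSH session tunnelled inside WebSocket frames.

Added example, not code from the CNCERT report. Assumes the tunnel places the
raw SSH byte stream directly in WebSocket frame payloads (no TLS or extra
encoding). The sample client stream below is constructed for illustration.
"""
import re
import struct

# SSH identification string sent in the clear before key exchange (RFC 4253).
SSH_BANNER = re.compile(rb"^SSH-(\d+\.\d+)-[^\r\n]*\r?\n")


def parse_upgrade_request(data: bytes):
    """Return (headers, remaining bytes) for a WebSocket Upgrade request, else (None, data)."""
    end = data.find(b"\r\n\r\n")
    if end < 0:
        return None, data
    head, rest = data[:end].decode("latin-1"), data[end + 4:]
    lines = head.split("\r\n")
    if not lines[0].startswith("GET "):
        return None, data
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    if headers.get("upgrade", "").lower() != "websocket":
        return None, data
    return headers, rest


def unmask_frame(data: bytes):
    """Decode one RFC 6455 frame; return (opcode, unmasked payload, remaining bytes)."""
    if len(data) < 2:
        raise ValueError("short frame")
    opcode = data[0] & 0x0F
    masked = bool(data[1] & 0x80)
    length = data[1] & 0x7F
    pos = 2
    if length == 126:
        length = struct.unpack("!H", data[pos:pos + 2])[0]
        pos += 2
    elif length == 127:
        length = struct.unpack("!Q", data[pos:pos + 8])[0]
        pos += 8
    key = b""
    if masked:  # client-to-server frames are always masked
        key = data[pos:pos + 4]
        pos += 4
    payload = data[pos:pos + length]
    if len(payload) != length:
        raise ValueError("truncated frame")
    if masked:
        payload = bytes(b ^ key[i % 4] for i, b in enumerate(payload))
    return opcode, payload, data[pos + length:]


def mask_frame(payload: bytes, key: bytes, opcode: int = 0x2) -> bytes:
    """Build a masked client frame (used here only to construct the sample stream)."""
    masked = bytes(b ^ key[i % 4] for i, b in enumerate(payload))
    header = bytes([0x80 | opcode])  # FIN set, single frame
    if len(payload) < 126:
        header += bytes([0x80 | len(payload)])
    else:
        header += bytes([0x80 | 126]) + struct.pack("!H", len(payload))
    return header + key + masked


def detect_ssh_over_ws(stream: bytes):
    """Return the SSH version string carried in the first client frame, or None."""
    headers, rest = parse_upgrade_request(stream)
    if headers is None:
        return None
    # Only the client side of the stream is examined here; a full capture would
    # also contain the server's 101 Switching Protocols response.
    try:
        _opcode, payload, _rest = unmask_frame(rest)
    except ValueError:
        return None
    match = SSH_BANNER.match(payload)
    return match.group(0).strip().decode() if match else None


# Constructed sample: a WebSocket handshake followed by a binary frame carrying
# an OpenSSH identification string, as an SSH client would send first.
SAMPLE_KEY = b"\x12\x34\x56\x78"
SAMPLE_STREAM = (
    b"GET /chat HTTP/1.1\r\nHost: 10.0.0.5\r\nUpgrade: websocket\r\n"
    b"Connection: Upgrade\r\nSec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
    b"Sec-WebSocket-Version: 13\r\n\r\n"
    + mask_frame(b"SSH-2.0-OpenSSH_9.2\r\n", SAMPLE_KEY)
)
# Constructed benign stream: the same handshake carrying a JSON text frame.
BENIGN_STREAM = (
    b"GET /chat HTTP/1.1\r\nHost: 10.0.0.5\r\nUpgrade: websocket\r\n"
    b"Connection: Upgrade\r\n\r\n"
    + mask_frame(b'{"type":"hello"}', SAMPLE_KEY, opcode=0x1)
)

if __name__ == "__main__":
    print(detect_ssh_over_ws(SAMPLE_STREAM))
    print(detect_ssh_over_ws(BENIGN_STREAM))
```

The same logic applies to the server side, whose first frame carries its own `SSH-2.0-` banner unmasked. Beyond the banner, the host-level signal is just as useful: a process that is not the organisation's web server accepting Upgrade requests on port 80, and holding a single long-lived connection with small bidirectional payloads, is worth examining regardless of what the frames contain.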

Implications and Responses

These cyberattacks underscore the critical importance of supply-chain security. Authorities have emphasized the risks of reliance on foreign-sourced hardware and software components that may carry pre-installed backdoors. The incidents have prompted calls for enhanced cybersecurity measures and international cooperation to prevent such intrusions in the future.