Collaborative handling of cyber security incidents by CNCERT

2022-12-07 | wicinternet.org


As the key coordination team for China's cyber security emergency response community, CNCERT has actively engaged in cooperation with CERTs worldwide in handling cross-border cyber security incidents, contributing to the safeguarding of the global cyber environment.

Up until now, CNCERT has established an "international cooperation partnership" with 274 organizations in 81 countries and regions, and signed cooperation memoranda with 33 of them. In the first half of 2022, more than ten thousand cross-border cyber security incidents were collaboratively handled, including phishing, denial of service attacks, malicious scanning, malware, and vulnerabilities, among which a number of typical cases stand out.

Coordination in handling webpage defacement by the hacker group "Anonymous"

In December 2021, CNCERT found that the webpage of an international organization had been defaced by the hacker group "Anonymous", and relevant evidence had been posted on the Reddit forum. CNCERT immediately contacted that organization, and the incident was properly handled on the same day, preventing further impact and loss.

In November 2021, CNCERT found that a webpage had been defaced by the hacker group "Anonymous". CNCERT immediately contacted the national CERT of the country concerned, and the incident was properly handled on the same day, preventing further impact and loss.

Coordination with companies in quickly dealing with phishing and domain name inaccessibility of Chinese banks

In October 2021, a Chinese bank received an incident report that its website was the target of a phishing attack and that the counterfeit website ranked first in Google search results. CNCERT immediately contacted Google, and the incident was handled immediately, with the misjudgment and misunderstanding being eliminated.

In December 2019, CNCERT received a complaint from a Chinese bank that some of its domain names could not be accessed through a browser on computers, mobile phones and other terminals. CNCERT immediately contacted the browser company, and the affected domain name was urgently restored that night. Under the active coordination of CNCERT, the company also added a whitelist mechanism for the domain names of 12 Chinese banks to ensure that similar problems do not occur again, with the misjudgment and misunderstanding being eliminated.

Effective and collaborative handling of cross-border cybersecurity incidents related to COVID-19

In January 2020, CNCERT found that an email address was being used to send phishing emails and that URLs under the same domain name provided downloads of malicious documents, imitating a website in order to collect personal information. CNCERT contacted the registrar of the domain name of that email address and its national CERT, and the domain name registrar suspended the domain name on the same day, making it inaccessible and unusable. In February, CNCERT found a large number of continuous reflection attacks related to COVID-19, involving more than 500 reflection server IPs located in many countries. CNCERT contacted the CERT organizations in these countries and asked them to assist in the handling; they responded and coordinated positively, preventing further impact and loss.

Cross-border cooperation in handling reflective DDoS attacks using memcached servers

In January 2019, CNCERT received a complaint from a Chinese Internet company that one of its domain names had been hit by large-traffic DDoS attacks (50 Gbps) roughly once every 30 minutes since December 2018. The corresponding business was affected, and the attack type was mainly memcache reflection: the attackers sent request data to open memcache reflection sources on the Internet while forging the victim's IP address as the source, so the reflection sources replied with a large amount of response data to the victim's IP address, which exceeded the entrance bandwidth of its computer room and caused bandwidth congestion. Since the large-scale outbreak of memcache attacks in February 2019, targeted governance has been carried out around the world, reducing the number of reflection sources to a very low level, but many are still missed. CNCERT verified and sorted out the reflection source IPs in 22 countries and regions, and coordinated with the related CERTs, Chinese operators, and cloud service providers for disposal. In March 2018, the "Advisory on the Reflective DDoS Attacks Using Memcached Servers" was released, proposing suggestions for disposal.
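The reflection mechanism described above leaves two signatures in network flow data that a CERT or operator can look for: a victim receives UDP traffic sourced from port 11211 on many distinct hosts at once, and an open reflector in one's own network sends memcached replies to addresses that are not its clients. The following is an added example written for this article, not CNCERT's tooling; the flow record format, the sample flows and the thresholds (1 MB per 60-second bucket from at least 3 reflectors) are constructed assumptions.

```python
"""
Added example (not CNCERT's code): flag memcached (UDP/11211) reflection traffic
in flow records, both from the victim's side and from the reflector's side.
Flow format, sample data and thresholds are assumptions for this example.
"""
from collections import defaultdict
from dataclasses import dataclass

MEMCACHED_PORT = 11211

# Constructed flow records: "ts proto src:port > dst:port bytes".
# 203.0.113.10 is hit by four reflectors; 203.0.113.77 gets one large reply only;
# 10.0.0.5 -> 10.0.0.9 is ordinary internal memcached traffic.
SAMPLE_FLOWS = """\
1700000000 UDP 192.0.2.11:11211 > 203.0.113.10:443 480000
1700000005 UDP 192.0.2.12:11211 > 203.0.113.10:443 510000
1700000010 UDP 198.51.100.7:11211 > 203.0.113.10:443 450000
1700000012 UDP 198.51.100.8:11211 > 203.0.113.10:443 470000
1700000015 UDP 203.0.113.10:40123 > 192.0.2.11:11211 15
1700000020 UDP 192.0.2.11:11211 > 203.0.113.77:80 3000000
1700000030 TCP 10.0.0.5:11211 > 10.0.0.9:52000 2048
1700000035 UDP 10.0.0.5:11211 > 10.0.0.9:52001 2048
"""


@dataclass(frozen=True)
class Flow:
    ts: int        # epoch seconds
    proto: str     # "UDP" or "TCP"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    nbytes: int


def parse_flow(line: str) -> Flow:
    """Parse one record in the constructed 'ts proto src:port > dst:port bytes' format."""
    ts, proto, src, _arrow, dst, nbytes = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return Flow(int(ts), proto.upper(), src_ip, int(src_port),
                dst_ip, int(dst_port), int(nbytes))


def load_sample_flows():
    return [parse_flow(l) for l in SAMPLE_FLOWS.splitlines() if l.strip()]


def reflection_victims(flows, window=60, min_bytes=1_000_000, min_reflectors=3):
    """Destinations that, inside one `window`-second bucket, receive at least `min_bytes`
    of UDP traffic sourced from port 11211 on at least `min_reflectors` distinct hosts.
    A single large reply from one host is not enough: reflection floods come from many
    reflectors at once. Returns {victim_ip: {"bytes": int, "reflectors": [ip, ...]}}
    using the victim's heaviest bucket."""
    buckets = defaultdict(lambda: defaultdict(lambda: {"bytes": 0, "reflectors": set()}))
    for f in flows:
        if f.proto == "UDP" and f.src_port == MEMCACHED_PORT:
            agg = buckets[f.ts // window][f.dst_ip]
            agg["bytes"] += f.nbytes
            agg["reflectors"].add(f.src_ip)
    victims = {}
    for per_victim in buckets.values():
        for victim, agg in per_victim.items():
            if agg["bytes"] >= min_bytes and len(agg["reflectors"]) >= min_reflectors:
                if victim not in victims or agg["bytes"] > victims[victim]["bytes"]:
                    victims[victim] = {"bytes": agg["bytes"],
                                       "reflectors": sorted(agg["reflectors"])}
    return victims


def exposed_reflectors(flows, local_prefixes):
    """Hosts inside `local_prefixes` that answer memcached over UDP to addresses outside
    them: these are the open reflection sources an operator should close (bind memcached
    to localhost, disable its UDP listener, or filter UDP/11211 at the edge).
    Returns {local_ip: {external_ip, ...}}."""
    def is_local(ip):
        return any(ip.startswith(p) for p in local_prefixes)

    exposed = defaultdict(set)
    for f in flows:
        if (f.proto == "UDP" and f.src_port == MEMCACHED_PORT
                and is_local(f.src_ip) and not is_local(f.dst_ip)):
            exposed[f.src_ip].add(f.dst_ip)
    return dict(exposed)


if __name__ == "__main__":
    flows = load_sample_flows()
    for victim, info in reflection_victims(flows).items():
        print(f"victim {victim}: {info['bytes']} bytes from {len(info['reflectors'])} reflectors")
    for host, targets in exposed_reflectors(flows, ("192.0.2.", "10.0.0.")).items():
        print(f"open reflector {host} replied to external {sorted(targets)}")
```

On the sample data the victim report names only 203.0.113.10 (four reflectors, about 1.9 MB in one bucket), while 203.0.113.77 is skipped because a single source cannot establish reflection; the reflector report lists 192.0.2.11 and 192.0.2.12 as hosts in the "local" ranges that answered memcached to outside addresses. Against real NetFlow or IPFIX exports the thresholds would be tuned to the link size, but the two questions (who is being flooded, and which of our hosts are acting as reflectors) are the ones the coordination described in the article has to answer.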