Researchers Uncover 4-Month Cyberattack on U.S. Firm Linked to Chinese Hackers
Summary:
According to Symantec, a large US organization with a "significant presence" in China was targeted by China-nexus threat actors earlier this year and subjected to a four-month-long intrusion in which the attackers established persistence on the organization’s network, seemingly for intelligence-gathering purposes. Symantec attributed the intrusion to a China-based threat actor based on the DLL sideloading tactic and some of the tools used in the attack. Some of the targeted machines were Microsoft Exchange Servers, so it is likely the attackers were at the very least harvesting emails. The name of the organization affected by the campaign was not disclosed. Another point of interest is that the organization was targeted in 2023 by an attacker with tentative links to another China-based hacking crew called Daggerfly. The attacks leverage living-off-the-land techniques and abuse open-source tools. Symantec's analysis found that the earliest indicators of compromise, on the machine where they were first detected, included a command run via WMI from another system on the network, which is indicative of lateral movement. The malicious activity that followed ranged from credential theft and executing malicious DLL files to targeting Microsoft Exchange servers and downloading tools such as FileZilla, PSCP, and WinRAR.
Analyst Comments:
According to Symantec, "The fact that the command originated from another machine on the network suggests that the attackers had already compromised at least one other machine on the organization's network and that the intrusion may have begun prior to April 11." The development comes as Orange Cyberdefense detailed the private and public relationships within the Chinese cyber offensive ecosystem, while also highlighting the role played by universities in security research and by hack-for-hire contractors in conducting attacks under the direction of state entities. Extended nation-state-sponsored intrusions like this are concerning for defenders, as more updates regarding the US telecom breaches conducted by China-sponsored threat actors were released by the White House in a press call yesterday. The adversary’s abuse of the Windows Management Instrumentation (WMI) framework to execute commands, using a tool that leverages Python’s Impacket library, highlights the sophistication of this attack.
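One way to hunt for the remote WMI command execution described above, as an added example that is not from Symantec's report or the original write-up: a triage pass over process-creation events that flags children of WmiPrvSE.exe. The event fields, host names and sample events are constructed, and the redirect pattern assumes the default command-line shape of Impacket's wmiexec.py, which the page does not name specifically.

```python
import re

# Interpreters that are rarely legitimate children of the WMI provider host.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}

# Assumption: command-line shape that Impacket's wmiexec.py produces by default
# (output redirected to a "__<timestamp>" file on the ADMIN$ share).
WMIEXEC_REDIRECT = re.compile(
    r"1>\s*\\\\[^\\\s]+\\ADMIN\$\\__\d+(\.\d+)?\s+2>&1", re.I)

# Constructed process-creation events (Sysmon EID 1 / Security 4688 style),
# reduced to the fields this check needs.
SAMPLE_EVENTS = [
    {"host": "WS-014", "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1712822400.12 2>&1"},
    {"host": "WS-014", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c dir C:\Users"},
    {"host": "EXCH-02", "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile Get-Process"},
    {"host": "SRV-07", "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Program Files\Vendor\agent\inventory.exe",
     "cmdline": "inventory.exe --scan"},
]

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return 'high', 'medium' or None for one process-creation event."""
    if basename(event["parent"]) != "wmiprvse.exe":
        return None                      # not spawned through WMI
    if WMIEXEC_REDIRECT.search(event["cmdline"]):
        return "high"                    # matches the wmiexec-style redirect
    if basename(event["image"]) in SHELLS:
        return "medium"                  # shell under WMI: review source host
    return None                          # e.g. management agents using WMI

def triage(events):
    """List (host, severity) for every event worth an analyst's attention."""
    return [(e["host"], sev) for e in events if (sev := classify(e))]

if __name__ == "__main__":
    for host, sev in triage(SAMPLE_EVENTS):
        print(f"{sev:6} {host}")
```

A hit is a starting point: pairing it with the network logon recorded on the same host around that time identifies the source machine, which is the system Symantec's quote says was already compromised.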
Suggested Corrections:
IOCs are available here.
Organizations can make APT groups’ lives more difficult. Here’s how:
- Defense-in-depth strategy: A comprehensive defense-in-depth strategy is crucial to combat APTs. This includes implementing multiple layers of security controls, such as strong perimeter defenses, network segmentation, endpoint protection, intrusion detection systems, data encryption, access controls, and continuous monitoring for anomalies.
- Threat intelligence and sharing: Ideally, organizations should actively participate in threat intelligence sharing communities and collaborate with industry peers, government agencies, and security vendors. Sharing information about APTs and their techniques can help detect and mitigate attacks more effectively.
- Employee education and awareness: Regular security awareness programs, phishing simulations, and training sessions can educate employees about the latest threats, social engineering techniques, and safe computing practices.
- Incident response and recovery: Despite preventive measures, organizations should have a well-defined incident response plan. This includes incident detection, containment, eradication, and recovery procedures to minimize the impact of APT attacks and restore normal operations.
https://thehackernews.com/2024/12/researchers-uncover-4-month-cyberattack.html
https://www.security.com/threat-intelligence/us-china-espionage