A suspected Chinese threat actor targeted a major US organization earlier this year as part of a four-month intrusion.
According to Broadcom-owned Symantec, the first evidence of malicious activity dates to April 11, 2024, and the activity continued through August. However, the company does not rule out that the intrusion began earlier.
“The attackers moved across the organization’s network, compromising multiple computers,” the Symantec Threat Hunter team said in a report shared with The Hacker News.
“Some of the targeted machines were Exchange servers, suggesting that the attackers were gathering intelligence by harvesting email. Extortion tools were also deployed, suggesting that the target data was taken from the organizations.”
The name of the organization affected by the ongoing campaign of attacks has not been released, but the victim is said to have a significant presence in China.
Links to China as a potential perpetrator stem from the use of DLL sideloading, a preferred tactic among various Chinese threat groups, and from the presence of artifacts previously identified as being used in connection with a state-sponsored operation codenamed Raspberry Palace.
Another interesting point is that in 2023 the organization was attacked by a threat actor believed to have ties to another Chinese hacking group called Daggers, which is also known as Bronze Highland, Elusive Panda and Storm Bamboo.
In addition to using DLL sideloading to execute malicious payloads, the attack involved open source tools such as FileZilla, Impacket and PSCP, as well as living-off-the-land (LotL) programs such as Windows Management Instrumentation (WMI), PsExec and PowerShell.
The exact initial access mechanism used to breach the network remains unknown at this stage. However, Symantec's analysis found that on the machine with the earliest indicators of compromise, the first observed activity was a command executed via WMI from another system on the network.
“The fact that the command came from another machine on the network suggests that the attackers had already compromised at least one other machine on the organization’s network and that the intrusion could have started before April 11,” the company said.
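From a defender's perspective, the WMI evidence above is the kind of process-creation artifact that reveals lateral movement from an already compromised host. The following is an added detection example, not code from the Symantec report; the log format, host names and events are constructed, and the field names are assumptions loosely modelled on Sysmon process-creation events.

```python
"""Flag process-creation events whose parent is a remote-execution host
(WMI provider host, PsExec service, WinRM), i.e. commands that were most
likely launched from another machine on the network."""
import re

# Parent processes that host commands launched from a remote system.
# (Assumed mapping; these are well-known Windows binaries.)
REMOTE_EXEC_PARENTS = {
    "wmiprvse.exe": "WMI (remote process creation)",
    "psexesvc.exe": "PsExec service",
    "wsmprovhost.exe": "WinRM / PowerShell remoting",
}

# Living-off-the-land binaries named in the report that warrant review
# when spawned by one of the parents above.
LOTL_CHILDREN = {"powershell.exe", "cmd.exe", "wmic.exe", "rundll32.exe"}

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_event(line: str) -> dict:
    """Parse a constructed key="value" log line into a dict."""
    return dict(FIELD_RE.findall(line))


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (handles both slash styles)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def flag_remote_exec(lines):
    """Return (host, time, reason, command) tuples for suspicious events."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        parent = basename(ev.get("ParentImage", ""))
        child = basename(ev.get("Image", ""))
        if parent in REMOTE_EXEC_PARENTS and child in LOTL_CHILDREN:
            hits.append((ev.get("Host"), ev.get("UtcTime"),
                         REMOTE_EXEC_PARENTS[parent], ev.get("CommandLine")))
    return hits


# Constructed sample events (not telemetry from the actual incident).
SAMPLE_LOG = [
    'UtcTime="2024-04-11 02:14:07" Host="FS01" ParentImage="C:\\Windows\\System32\\wbem\\WmiPrvSE.exe" Image="C:\\Windows\\System32\\cmd.exe" CommandLine="cmd.exe /c whoami"',
    'UtcTime="2024-04-11 02:15:30" Host="FS01" ParentImage="C:\\Windows\\explorer.exe" Image="C:\\Windows\\System32\\cmd.exe" CommandLine="cmd.exe"',
    'UtcTime="2024-04-12 08:01:55" Host="EX01" ParentImage="C:\\Windows\\PSEXESVC.exe" Image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" CommandLine="powershell -nop -w hidden"',
]

if __name__ == "__main__":
    for hit in flag_remote_exec(SAMPLE_LOG):
        print(hit)
```

Only the first and third sample events are flagged; the locally launched cmd.exe under explorer.exe is ignored. In practice the flagged host and timestamp are the starting point for asking which other machine issued the WMI or PsExec request.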
Some of the other malicious activities the attackers subsequently performed ranged from stealing credentials and executing malicious DLLs to targeting Microsoft Exchange servers and downloading tools such as FileZilla, PSCP and WinRAR.
“One group of particular interest to attackers is ‘Exchange Servers,’ suggesting that attackers were attempting to target mail servers to collect and potentially steal email data,” Symantec said.
The development comes after Orange Cyberdefense detailed the private and public relationships within China's cyber attack ecosystem, as well as emphasizing the role played by universities in security research and by hired contractors in carrying out attacks directed by government organizations.
“In many cases, individuals associated with units of the (Ministry of State Security) or (People's Liberation Army) register fake companies to hide the attribution of their companies to the Chinese state,” it said.
“These bogus businesses, with no real profitable business, can help build the digital infrastructure needed to carry out cyber attacks without attracting unwanted attention. They also serve as fronts for recruiting personnel for roles that support hacking operations.”