Security researchers have uncovered a massive cyber-espionage campaign carried out by the Winnti APT (advanced persistent threat) group, which is believed to have ties to the Chinese government.
The campaign, dubbed “Operation CuckooBees” by Cybereason researchers, has been running for several years, since at least 2019. The goal of the operation was to steal trade secrets and valuable data from the victims. The researchers estimate that the threat actor has managed to siphon hundreds of gigabytes of information, including intellectual property developed by the victims, such as sensitive documents, blueprints, diagrams, formulas, and manufacturing-related proprietary data.
Winnti (also tracked as APT41, Barium, and Blackfly) also collected information that could be used in future attacks, such as details about the target company’s business units, network architecture, user accounts and credentials, employee emails, and customer data.
The infection chain begins with the exploitation of known and zero-day vulnerabilities in the ERP (enterprise resource planning) platforms used by the targets to deploy a web shell, which then serves as the foothold for reconnaissance, lateral movement, and data exfiltration.
“The complex infection chain that led to the deployment of the WINNKIT rootkit was composed of multiple interdependent components. The attackers implemented a delicate ‘house of cards’ approach, meaning that each component depends on the others to function properly, making it very difficult to analyze each component separately,” Cybereason said.
The researchers also found a previously undocumented piece of malware they dubbed “Deploylog,” as well as new versions of known Winnti malware, including Spyder Loader, PRIVATELOG, and WINNKIT.
The attackers were observed abusing the Windows Common Log File System (CLFS) and NTFS transaction manipulations, which allowed them to conceal their payloads inside files that security solutions rarely inspect and so evade detection.
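As a starting point for hunting this technique, the following PowerShell script is an added example, not code from the article or from Cybereason's report. It enumerates CLFS base log files (*.blf) on the system drive and reports those that sit outside the locations where Windows itself keeps them. The allow-list of known paths is an assumption chosen for illustration and will need tuning per host; a hit is a lead to inspect, not proof of compromise.

```powershell
# Added hunting example (not from the article or Cybereason's report).
# CLFS base log files carry the .blf extension. Windows keeps its own in a
# handful of well-known locations; a .blf file that shows up elsewhere,
# especially one written recently, is worth a closer look.
#
# Assumption: the baseline below is illustrative, not a complete inventory of
# legitimate CLFS consumers on every build. Extend it before relying on it.
$knownClfsPaths = @(
    "$env:SystemRoot\System32\Config",    # transactional registry (TxR) logs
    "$env:SystemRoot\System32\LogFiles",  # system CLFS logs
    "$env:ProgramData\Microsoft"          # Microsoft components' own logs
)

function Test-KnownClfsPath {
    param([string]$Path)
    foreach ($known in $knownClfsPaths) {
        if ($Path.StartsWith($known, [System.StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

# Flag anything written in the last 30 days as "recent" (assumed window).
$cutoff = (Get-Date).AddDays(-30)

$suspects = Get-ChildItem -Path "$env:SystemDrive\" -Filter '*.blf' -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { -not (Test-KnownClfsPath $_.FullName) } |
    ForEach-Object {
        $acl = Get-Acl -Path $_.FullName -ErrorAction SilentlyContinue
        [PSCustomObject]@{
            Path      = $_.FullName
            SizeKB    = [math]::Round($_.Length / 1KB, 1)
            LastWrite = $_.LastWriteTime
            Owner     = if ($acl) { $acl.Owner } else { 'unknown' }
            Recent    = $_.LastWriteTime -gt $cutoff
        }
    }

if ($suspects) {
    $suspects | Sort-Object LastWrite -Descending | Format-Table -AutoSize
} else {
    Write-Host "No .blf files found outside the baseline locations."
}
```

Run it from an elevated prompt so that protected directories are readable. A .blf file owned by a non-system account, or one that sits next to a web application's document root, deserves to be pulled for offline analysis rather than opened in place, since the payload format inside the log is attacker-defined.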
“Cyber espionage doesn’t usually generate the same degree of panic or media attention as other cyberattacks, but the lack of attention doesn’t make it any less dangerous. A malicious campaign that silently steals intellectual property for years is exceptionally costly and may have repercussions for years to come,” the researchers noted.