5 May 2022

China-linked hackers caught stealing intellectual property from companies in North America, Europe, and Asia
Security researchers uncovered a massive cyber-espionage campaign carried out by the Winnti APT (advanced persistent threat) group believed to have ties to the Chinese government.

The campaign, dubbed “Operation CuckooBees” by Cybereason researchers, has been running for several years, since at least 2019. The goal of the operation was to steal trade secrets and valuable data from the victims. The researchers estimate that the threat actor has managed to siphon hundreds of gigabytes of information, including intellectual property developed by the victims, such as sensitive documents, blueprints, diagrams, formulas, and manufacturing-related proprietary data.

Winnti (aka APT 41, Barium, and Blackfly) also collected information that could be used in future attacks, such as details about the target company’s business units, network architecture, user accounts and credentials, employee emails, and customer data.

The infection chain involves the exploitation of known and zero-day vulnerabilities in enterprise resource planning (ERP) platforms used by the targets to deploy a web shell, which the attackers then used for reconnaissance, lateral movement, and data exfiltration.

“The complex infection chain that led to the deployment of the WINNKIT rootkit is composed of multiple interdependent components. The attackers implemented a delicate ‘house of cards’ approach, meaning that each component depends on the others to function properly, making it very difficult to analyze each component separately,” Cybereason said.

The researchers also found a previously undocumented malware family they dubbed “Deploylog,” as well as new versions of known Winnti malware, including Spyder Loader, PRIVATELOG, and WINNKIT.

The attackers were observed abusing the Windows Common Log File System (CLFS) mechanism and NTFS transaction manipulations, which allowed them to conceal their payloads and evade detection by security solutions.

“Cyber espionage doesn’t usually generate the same degree of panic or media attention as other cyberattacks, but the lack of attention doesn’t make it any less dangerous. A malicious campaign that silently steals intellectual property for years is exceptionally costly and may have repercussions for years to come,” the researchers noted.
