Evidence Mounts for Chinese Hacking ‘Quartermaster’
A probable Chinese nation-state threat actor compromised Visual Studio Code and Microsoft Azure cloud infrastructure to target Western technology firms for espionage, security firms Tinexta Cyber and SentinelLabs said.
The campaign, which the companies dubbed Operation Digital Eye, ran from June to July to hack unnamed IT service providers located in southern Europe. The companies offer data management, infrastructure, and cybersecurity solutions for a range of industries.
Hackers tunneled command-and-control traffic by abusing the Visual Studio Code Remote Tunnels extension. They further hid activity by sourcing infrastructure exclusively within Europe, from U.K.-based provider M247 and Microsoft Azure. Because the hackers used a Visual Studio Code executable digitally signed by Microsoft, and because the C2 traffic stayed within Europe and flowed to legitimate sources, “attackers made the traffic appear legitimate, which can be challenging to detect and may evade security defense.”
The motive of the campaign was to maintain a “sustained presence” within the compromised organizations. By targeting service providers, hackers could have spread across the supply chain and infiltrated client companies. The initial attack vector was SQL injection, followed by a PHP-based webshell. Attackers further disguised their activities by using custom names for the webshell tailored to the infiltrated network, making them appear legitimate.
One tell the hackers left was a propensity to name malware tools using the pattern do.*, as in do.log to record the output of ping commands or do.exe, a tool for extracting and exfiltrating credentials.
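The two observables above (a Microsoft-signed code.exe launched with the remote-tunnel subcommand, and the do.* file-naming habit) lend themselves to simple host telemetry triage. The following is an added example written for this article, not code from the report or either vendor; the event field names are assumed SIEM conventions and the events themselves are constructed.

```python
import re

# Constructed sample telemetry (not from the report): process-creation and
# file-creation events as a SIEM might emit them. Field names are assumptions.
SAMPLE_EVENTS = [
    {"type": "process", "host": "srv01",
     "image": r"C:\Program Files\Microsoft VS Code\code.exe",
     "cmdline": "code.exe tunnel --accept-server-license-terms --name srv01",
     "signed": True},
    {"type": "process", "host": "srv01",
     "image": r"C:\Program Files\Microsoft VS Code\code.exe",
     "cmdline": "code.exe --new-window", "signed": True},
    {"type": "file", "host": "srv02", "path": r"C:\Windows\Temp\do.log"},
    {"type": "file", "host": "srv02", "path": r"C:\Windows\Temp\report.log"},
    {"type": "process", "host": "srv03", "image": r"C:\Users\Public\do.exe",
     "cmdline": "do.exe -u admin", "signed": False},
]

# 'tunnel' as a standalone argument to the VS Code CLI starts a Remote Tunnel.
TUNNEL_ARG = re.compile(r"(^|\s)tunnel(\s|$)")
# Bare 'do.<ext>' file names, the naming habit described in the article.
DO_PATTERN = re.compile(r"(^|[\\/])do\.[a-z0-9]{1,4}$", re.IGNORECASE)


def triage(events):
    """Return a list of (host, reason) findings.

    A Microsoft-signed code.exe is ordinary on a workstation; the 'tunnel'
    subcommand on a server is the signal worth reviewing, since it exposes the
    host through Microsoft infrastructure and looks like legitimate traffic.
    """
    findings = []
    for ev in events:
        if ev["type"] == "process":
            image_name = ev["image"].rsplit("\\", 1)[-1].lower()
            if image_name == "code.exe" and TUNNEL_ARG.search(ev["cmdline"]):
                findings.append((ev["host"], "vscode-remote-tunnel-started"))
            if DO_PATTERN.search(ev["image"]):
                findings.append((ev["host"], "do-dot-naming-executable"))
        elif ev["type"] == "file":
            if DO_PATTERN.search(ev["path"]):
                findings.append((ev["host"], "do-dot-naming-file"))
    return findings


if __name__ == "__main__":
    for host, reason in triage(SAMPLE_EVENTS):
        print(f"{host}: {reason}")
```

Because the signed binary and the Europe-sourced C2 defeat reputation-based controls, a rule like this should be paired with an allowlist of hosts where developer tunnels are actually expected.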
Researchers said it was impossible to attribute the hackers to a specific threat group, partially because the Chinese state hacking involves groups sharing similar tooling. Available evidence suggests that an organization within, or connected to, the Chinese government disseminates hacking tools to multiple cyberespionage hacking groups, some of whom are private sector contractors (see: US Indicts, Sanctions Alleged Chinese Sophos Firewall Hacker).
A pass-the-hash tool used in Operation Digital Eye appeared to come from the same closed-source originator as custom variations of Mimikatz seen in other campaigns that likely trace to Beijing. SentinelLabs refers to those Mimikatz modifications as “mimCN.”
Custom mimCN variants have been part of campaigns linked to Chinese threat actors tracked as Granite Typhoon and APT41, as well as possibly to APT10 and Lucky Mouse.
Another reason researchers didn’t want to attribute the hacking to a single group: They found instructions left for a separate team of operators within captured mimCN samples telling a next wave of hackers to perform functions such as inputting a command or IP address.
“Combined with the presence of overlapping mimCN samples across various intrusions attributed to China-nexus APT groups and distributed over years, this suggests that mimCN is likely the product of an entity responsible for maintaining and provisioning tools to multiple clusters within the Chinese APT ecosystem,” the two cybersecurity companies wrote.