In mid-2024, a large U.S. organization with sizeable operations in China was targeted by a persistent attack thought to originate from Chinese actors. The reported intrusion lasted four months, from April to August, with the apparent purpose of gathering intelligence.
Analysis of the intrusion suggests links to China-based threat and espionage groups. State-sponsored cyberattacks are on the rise and have far-reaching implications, and examining an intrusion like this one reveals the common tactics and potential consequences of such campaigns, shining a light on complex international threats.
Timeline of the Intrusion
The first evidence of the intrusion was detected on April 11, 2024, although the attackers may have entered the network before then. Malicious activity continued through August 2024 and included lateral movement that compromised multiple devices.
Among other machines, the attackers targeted Exchange Servers, which suggests an intent to harvest email for intelligence purposes, and they deployed tools capable of exfiltrating data from the organization. The original infection vector is not known for certain; the first suspicious activity detected was a command executed on one of the targeted computers.
Attack Attribution: The China Connection
One technique used in the attack, DLL side-loading, is widely favored by China-based groups in intrusions of this kind. The same U.S. organization was also targeted in 2023 in an attack linked to Daggerfly, a China-based threat group. File names and types used in this intrusion also resemble those seen in Crimson Palace, a China-linked espionage campaign: earlier activity targeting Southeast Asia used the file textinputhost.dat and the executable rc.exe, and both artifacts appeared in this attack as well.
It is difficult to attribute this intrusion with certainty, but several details point to a connection with Chinese threat actors and groups. “The overlap with Crimson Palace and Daggerfly activity points to coordination or shared resources among Chinese groups,” says Callie Guenther, Senior Manager of Cyber Threat Research at Critical Start, a Plano, Texas-based provider of Managed Detection and Response (MDR) cybersecurity solutions.
Tactics, Techniques, and Procedures (TTPs)
This persistent attack used a variety of methods over the course of several months, including:
- DLL side-loading, which abuses the Windows DLL search order: a legitimate, usually signed, application is placed next to an attacker-supplied DLL carrying a name the application expects to load, so the application resolves that name to the malicious copy and runs its code under the application's own trusted identity.
- Open-source and freely available tools: the FTP client and server FileZilla, Impacket (a collection of Python classes for working with network protocols, commonly used for remote execution over SMB and WMI), and PSCP, the PuTTY Secure Copy (SCP) client.
- Living-off-the-land (LotL) techniques that carry out malicious activity with software already present on, or trusted by, the target, such as Windows Management Instrumentation (WMI), PowerShell, and the Microsoft-signed Sysinternals tool PsExec.
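As an added illustration of the DLL side-loading item above (example code written for this article, not code from the original page or from any vendor report), the following Python routine triages Sysmon Event ID 7 (ImageLoaded) records for the classic side-loading pattern: a DLL carrying the name of a well-known Windows system DLL that is loaded from somewhere other than the Windows system directories. The DLL name list and the sample events are constructed for illustration and are not taken from the reported intrusion.

```python
"""Heuristic DLL side-loading detection over Sysmon Event ID 7 (ImageLoaded) records.

Added example; not code from the article or from any vendor report. A DLL whose file
name matches a well-known Windows system DLL, but which is loaded from outside the
Windows system directories, is the classic side-loading pattern: the host executable
resolves the name through the DLL search order and finds the attacker's copy first.
All sample events below are constructed for illustration.
"""
from pathlib import PureWindowsPath
from typing import Optional

# Illustrative subset of DLL names that applications expect to resolve from System32.
# In practice this list is built from a clean reference host or existing telemetry.
SYSTEM_DLL_NAMES = {
    "version.dll", "dbghelp.dll", "wininet.dll", "msimg32.dll",
    "cryptbase.dll", "userenv.dll", "profapi.dll", "dwmapi.dll",
}
TRUSTED_DIRS = (
    PureWindowsPath(r"C:\Windows\System32"),
    PureWindowsPath(r"C:\Windows\SysWOW64"),
    PureWindowsPath(r"C:\Windows\WinSxS"),
)


def _under(path: PureWindowsPath, root: PureWindowsPath) -> bool:
    """Case-insensitive check that `path` lies inside `root` (Windows paths ignore case)."""
    p = [part.lower() for part in path.parts]
    r = [part.lower() for part in root.parts]
    return p[: len(r)] == r


def sideload_reason(event: dict) -> Optional[str]:
    """Return a short reason string if the event looks like side-loading, else None.

    Keys follow Sysmon field names: Image (the loading process), ImageLoaded (the DLL),
    Signed ("true"/"false" for the DLL's Authenticode signature).
    """
    dll = PureWindowsPath(event["ImageLoaded"])
    host = PureWindowsPath(event["Image"])
    if dll.name.lower() not in SYSTEM_DLL_NAMES:
        return None
    if any(_under(dll, root) for root in TRUSTED_DIRS):
        return None  # loaded from where Windows keeps it: the normal case
    reason = f"{dll.name} loaded from {dll.parent} instead of a system directory"
    if dll.parent.as_posix().lower() == host.parent.as_posix().lower():
        reason += f" (same directory as {host.name})"
    if event.get("Signed", "").lower() != "true":
        reason += ", DLL is unsigned"
    return reason


def triage(events) -> list:
    """Return (event, reason) pairs for every event that trips the heuristic."""
    hits = []
    for ev in events:
        reason = sideload_reason(ev)
        if reason:
            hits.append((ev, reason))
    return hits


# Constructed sample telemetry; none of these paths come from the reported intrusion.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": "true"},
    {"Image": r"C:\Program Files\VendorApp\vendorapp.exe",
     "ImageLoaded": r"C:\Program Files\VendorApp\vendorapp.dll", "Signed": "true"},
    {"Image": r"C:\ProgramData\Update\signedtool.exe",
     "ImageLoaded": r"C:\ProgramData\Update\version.dll", "Signed": "false"},
]

if __name__ == "__main__":
    for ev, reason in triage(SAMPLE_EVENTS):
        print(f"{ev['Image']}: {reason}")
```

Only the third sample trips the rule: a system-named `version.dll` sitting beside an executable in a user-writable directory, unsigned. The check deliberately ignores the loading executable's own signature, because in a real side-loading case that executable is legitimate and signed; the anomaly is where the DLL came from, not who loaded it.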
These techniques are common in advanced persistent threat (APT) operations by China-based groups, which combine them to maintain access and evade detection over long periods.
The Mystery of Initial Access
The first indication of the attack was the execution of a suspicious command through WMI, but that was not necessarily the beginning of the intrusion. The entry point remains unknown; the command originated from another machine on the same network, which means the attackers had already gained access to one or more devices before they were detected.
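The detection that opened this case, a command run on one host through WMI from another host, is also the kind of LotL monitoring the Lessons Learned section calls for. As an added example (written for this article, not code from the original page or from any vendor), the Python below classifies constructed process-creation records in the shape of Sysmon Event ID 1. A remote Win32_Process.Create call is serviced on the target by the WMI Provider Host (WmiPrvSE.exe), so a shell whose parent is WmiPrvSE.exe is the first thing to look for; the output-redirection pattern is the default behaviour of Impacket's wmiexec.py and gives a higher-confidence, though easily changed, signal.

```python
"""Flag remotely triggered command execution via WMI in process-creation telemetry.

Added example; not code from the article. Records are constructed in the shape of
Sysmon Event ID 1 (ProcessCreate) with Sysmon field names: ParentImage, Image,
CommandLine, User. A remote Win32_Process.Create call is serviced by the WMI
Provider Host (WmiPrvSE.exe) on the target, so a shell whose parent is WmiPrvSE.exe
is the core signal; the ADMIN$ output redirection is wmiexec.py's default.
"""
import re
from pathlib import PureWindowsPath
from typing import Optional

WMI_PROVIDER_HOST = "wmiprvse.exe"
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
}
# wmiexec.py default: cmd.exe /Q /c <cmd> 1> \\127.0.0.1\ADMIN$\__<timestamp> 2>&1
WMIEXEC_REDIRECT = re.compile(r"1>\s*\\\\[\w.-]+\\ADMIN\$\\__\d+", re.IGNORECASE)


def classify(event: dict) -> Optional[str]:
    """Return a finding string for a WMI-spawned process, or None for anything else."""
    parent = PureWindowsPath(event.get("ParentImage", "")).name.lower()
    child = PureWindowsPath(event.get("Image", "")).name.lower()
    cmdline = event.get("CommandLine", "")
    if parent != WMI_PROVIDER_HOST:
        return None
    if WMIEXEC_REDIRECT.search(cmdline):
        return "wmiexec-style remote command: output redirected to the ADMIN$ share"
    if child in SUSPICIOUS_CHILDREN:
        return f"{child} spawned by the WMI provider host"
    return None  # WmiPrvSE does spawn benign helpers; only flag known shells


def hunt(events) -> list:
    """Return (event, finding) pairs for every record that classify() flags."""
    findings = []
    for ev in events:
        finding = classify(ev)
        if finding:
            findings.append((ev, finding))
    return findings


# Constructed sample telemetry; hostnames, users and commands are illustrative only.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs", "User": r"NT AUTHORITY\SYSTEM"},
    {"ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1712854321.45 2>&1",
     "User": r"CORP\svc-backup"},
    {"ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoP -W Hidden -Enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAANQA=",
     "User": r"CORP\svc-backup"},
]

if __name__ == "__main__":
    for ev, finding in hunt(SAMPLE_EVENTS):
        print(f"{ev['User']}: {finding}")
```

Two of the three constructed records are flagged. To confirm that the command really came from another machine, as it did in this intrusion, correlate the flagged process with a Windows Security event 4624 (logon type 3, a network logon) for the same account shortly beforehand; its source address identifies the host the attacker was already operating from.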
While it is unknown how the attackers first infiltrated the network, the initial breach may have involved any of a number of common tactics, including “spear-phishing, supply chain compromise, or exploitation of vulnerabilities,” according to Guenther. There are many ways for a threat actor to obtain initial access to a target network, from exploitation to social engineering.
Implications for the Victim and Broader Cybersecurity Landscape
The target organization’s significant presence in China, together with the tactics used in the attack, points to corporate or financial espionage as a likely motive. The attackers relied on methods associated with harvesting and exfiltrating data that could be sold for profit or used to gain a competitive edge over the organization in the market. This has broad implications for other organizations with sizeable international footprints.
Geopolitical circumstances can contribute to a rise in attacks like this, as organizations with international operations struggle to maintain their presence and protect valuable assets amid international tensions. Rivalry between international corporations may be stoked by geopolitical factors, and state-sponsored threat groups often have the extensive resources needed to mount advanced and effective attacks.
Lessons Learned and Recommendations
This attack demonstrates the ability of threat groups to maintain a persistent presence within an organization’s network for months without being detected. It highlights the importance of early threat detection and incident response capabilities that reduce the chances of an intrusion going unnoticed for so long.
The LotL techniques used in this attack are another angle organizations must consider when building defensive strategies. Many security tools treat Microsoft-signed binaries and built-in components such as WMI and PowerShell as trusted by default and do not inspect how they are being used, which makes them an attractive avenue for attackers. Detecting this activity requires behavioral telemetry: process lineage, full command lines, WMI and PowerShell logging, and a baseline of which hosts and accounts legitimately use these tools, so that a remote command from an unexpected source stands out.
Organizations should take steps to harden their defenses against APTs. This includes strong credential hygiene, endpoint protection with behavioral detection, identity and access management built on least privilege, and regular patching and updating.
A Wake-Up Call for Cybersecurity Preparedness
In light of this attack and others like it, it is more important than ever for organizations to be prepared to face APTs. These intrusions can cause immense damage, endangering sensitive data, compromising valuable systems, and disrupting vital operations. State-sponsored cyber threats are on the rise, and collaboration and intelligence sharing between organizations is a crucial part of defending against them.