A sophisticated cyber espionage campaign dubbed “Operation Sea Elephant” has been discovered targeting scientific research organizations, with a particular focus on ocean-related studies.
The operation, attributed to a threat actor group known as CNC with South Asian origins, aims to steal valuable research data to ensure regional dominance in the Indian Ocean.
The CNC group has demonstrated significantly enhanced capabilities compared to other Advanced Persistent Threat (APT) groups operating in South Asia.
Their attacks have become increasingly modular and customized, allowing them to evade detection more effectively than their counterparts.
Security experts at Qiaxin discovered the campaign in mid-2024 when they identified an attack collection numbered UTG-Q-011, which shared code with previously known CNC operations.
Researchers have documented that the group primarily gains initial access through carefully crafted spear-phishing emails sent to targeted researchers.
After compromising a system, the attackers move laterally by controlling the victim’s instant messaging applications such as WeChat and QQ to distribute malicious programs to colleagues and associates.
Example of the camouflage image used by the USB propagation module to disguise malicious activity (Source – Qiaxin)
The technical sophistication of Operation Sea Elephant is evident in its various specialized modules.
One notable component is a USB propagation plugin that masquerades as legitimate software.
When analyzing this module, researchers found code that constantly monitors for newly connected USB drives:-
v182 = 0i64; v183 = 15i64; sub_7FF6D68B46B0(Buffer, 0, 0x100ui64) GetLogicalDriveStringsA(0xFFu, Buffer[0].m128i_i8); v29 = Buffer; while ( 1 ) { v30 = *((_QWORD *)&v176 + 1); LABEL_28: if ( !v29->m128i_i8[0] ) break; Size = -1i64; }
The attackers have designed multiple file exfiltration methods that target specific document types.
The system scans for files with extensions including .pdf, .doc, .docx, .ppt, .pptx, and .xls.
Only files larger than 40KB are collected, suggesting the attackers are filtering for documents with substantial content rather than simple placeholders or templates.
Stolen documents from compromised systems revealed the attackers’ interest in multiple marine research areas including inner wave water transport, ocean sequestration, and marine emerging industries.
While the stolen Windows-based documents did not contain production data, they provide foreign intelligence organizations with valuable insights into project progress, technical direction, and strategic planning of targeted research teams.
