A large U.S. organization with significant operations in China fell victim to a sophisticated cyber attack, likely orchestrated by China-based hackers.
The intrusion lasted four months, from April to August 2024, and allowed the attackers to maintain a persistent presence on the organization’s network, primarily for intelligence gathering.
The hackers compromised multiple computers within the organization’s network, including Exchange Servers, suggesting a focus on email harvesting.
Security experts at Symantec also observed that the attackers employed a variety of sophisticated techniques:
- DLL sideloading: Legitimate applications like GoogleToolbarNotifier.exe and iTunesHelper.exe were used to load malicious DLLs.
- Impacket: An open-source collection of Python modules for manipulating network protocols.
- FileZilla and PSCP: Used for potential data exfiltration.
- Living off the land tools: WMI, PsExec, and PowerShell were leveraged for lateral movement and command execution.
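One way a defender can hunt for the DLL sideloading pattern described above is to flag the named host binaries when they load a DLL from their own directory outside the vendor's install location or without a valid signature. This is an added example, not code from Symantec or the report; it assumes Sysmon-style image-load events reduced to the fields Image, ImageLoaded and Signed, and the trusted install prefixes and sample events are constructed.

```python
"""Heuristic detector for DLL sideloading via GoogleToolbarNotifier.exe / iTunesHelper.exe.

Assumed input: Sysmon-style image-load events (Event ID 7) reduced to
Image (process path), ImageLoaded (DLL path) and Signed (bool).
The event dicts and the sample log below are constructed for this example.
"""
from __future__ import annotations
import ntpath

# Host binaries named in the report as abused for sideloading.
SIDELOAD_HOSTS = {"googletoolbarnotifier.exe", "ituneshelper.exe"}

# Assumed: prefixes where the legitimate installs live; a host binary
# copied anywhere else (user profile, temp, ProgramData) is suspicious.
TRUSTED_PREFIXES = (r"c:\program files\\", r"c:\program files (x86)\\")


def _norm(path: str) -> str:
    return ntpath.normpath(path).lower()


def is_suspicious_load(event: dict) -> bool:
    image = _norm(event["Image"])
    dll = _norm(event["ImageLoaded"])
    if ntpath.basename(image) not in SIDELOAD_HOSTS:
        return False
    host_dir = ntpath.dirname(image)
    # Sideloading needs the rogue DLL beside the host executable; a vendor
    # install under Program Files loading its own signed DLLs is expected.
    same_dir = ntpath.dirname(dll) == host_dir
    untrusted_dir = not host_dir.startswith(tuple(p.rstrip("\\") + "\\" for p in TRUSTED_PREFIXES))
    unsigned = not event.get("Signed", False)
    return same_dir and (untrusted_dir or unsigned)


def find_sideload_candidates(events: list[dict]) -> list[str]:
    """Return the Image paths of events matching the sideload heuristic."""
    return [e["Image"] for e in events if is_suspicious_load(e)]


# Constructed sample events: benign vendor load, sideload from a user
# directory, and a system DLL load that should not trigger.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe",
     "ImageLoaded": r"C:\Program Files (x86)\Google\GoogleToolbarNotifier\support.dll", "Signed": True},
    {"Image": r"C:\Users\Public\Music\iTunesHelper.exe",
     "ImageLoaded": r"C:\Users\Public\Music\support.dll", "Signed": False},
    {"Image": r"C:\Program Files\iTunes\iTunesHelper.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": True},
]

if __name__ == "__main__":
    for hit in find_sideload_candidates(SAMPLE_EVENTS):
        print("possible DLL sideload:", hit)
```

The same check can be fed from any EDR telemetry that records module loads; pairing it with a file-creation alert for “textinputhost.dat” covers the other indicator the report names.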
Technical Analysis
At least five machines were compromised, with attackers focusing on gathering network information, dumping credentials, and targeting Exchange Servers.
Several factors point to a China-based threat actor:
- Use of DLL sideloading, a tactic favored by Chinese groups.
- Previous targeting of the same organization in 2023 by an attacker linked to the China-based Daggerfly group.
- Presence of the file “textinputhost.dat,” previously associated with the Chinese espionage group Crimson Palace.
The attack appears to have been primarily focused on intelligence gathering. The compromised Exchange Servers suggest that email data was a primary target for exfiltration.
The persistent nature of the attack and the sophisticated tools employed indicate a well-resourced and determined adversary.
This incident highlights the ongoing cyber threats faced by U.S. organizations operating in China and underscores the need for robust cybersecurity measures, particularly for those with significant international presence.