A sophisticated cyber espionage campaign, codenamed Operation Digital Eye, has been attributed to a suspected China-linked threat group. The campaign targeted major B2B IT service providers in Southern Europe, leveraging Microsoft's Visual Studio Code Remote Tunnels for command-and-control (C2) operations.
The Attack Campaign
The intrusions, spanning from late June to mid-July 2024, were detected and mitigated before data exfiltration could occur. This revelation comes from a joint report by SentinelOne's SentinelLabs and Tinexta Cyber.
"The intrusions could have allowed the attackers to establish strategic footholds and compromise downstream entities," stated Aleksandar Milenkoski and Luigi Martire, the researchers behind the report.
The attackers utilized Visual Studio Code Remote Tunnels and Microsoft Azure infrastructure to blend their malicious activities with legitimate network traffic, making detection more challenging.
Key Findings
Weaponizing Visual Studio Code Remote Tunnels
The attackers abused this legitimate feature, designed for remote access to development endpoints, to execute arbitrary commands and manipulate files on compromised hosts. Because the tunnels terminate on Microsoft-operated cloud infrastructure and are driven by trusted, signed executables, the resulting traffic was hard to distinguish from ordinary developer activity.
Initial Attack Vector: SQL Injection
The attackers used SQLmap, an open-source penetration-testing tool, to exploit SQL injection vulnerabilities in internet-facing applications and database servers. After gaining access, they deployed a PHP-based web shell called PHPsert, giving them persistent remote access.
Post-Exploitation Activities
Once inside the networks, the attackers carried out reconnaissance, credential harvesting, and lateral movement over Remote Desktop Protocol (RDP), using custom-modified versions of Mimikatz for pass-the-hash attacks. These custom Mimikatz modifications, collectively known as mimCN, share code with tools previously linked to Chinese cyber espionage campaigns such as Operation Soft Cell and Operation Tainted Love.
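The initial-access step described under "Initial Attack Vector" above, as an added example that is not code from the report or from this page: a constructed Python/sqlite3 user lookup with the injection defect that SQLmap hunts for, the bound-parameter version that closes it, and a small boolean-based blind extraction loop that shows what SQLmap automates against such a defect. The table, rows and hash values are invented for the demonstration.

```python
"""Added example: an injectable lookup, its parameterised fix, and the
boolean-based blind extraction that tools like sqlmap automate.
Constructed demo data; not code from the Operation Digital Eye report."""
import sqlite3
import string


def build_db() -> sqlite3.Connection:
    """In-memory users table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)",
        [("alice", "5f4dcc3b"), ("bob", "e10adc39")],  # invented hash fragments
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """The defect: untrusted input is concatenated into the SQL text, so the
    input can change the structure of the statement, not just a value."""
    query = f"SELECT id, username FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def find_user_hardened(conn: sqlite3.Connection, username: str) -> list:
    """The fix: a bound parameter. The driver sends the value separately from
    the statement, so quotes and keywords in the input are just data."""
    return conn.execute(
        "SELECT id, username FROM users WHERE username = ?", (username,)
    ).fetchall()


def blind_extract_hash(conn: sqlite3.Connection, target: str, length: int = 8) -> str:
    """Boolean-based blind extraction against the vulnerable function.

    Each probe is a true/false oracle: the row comes back only when the guessed
    character at position `pos` is right. One request per candidate character,
    which is exactly the loop sqlmap runs at scale once it finds an injection."""
    recovered = ""
    alphabet = sorted(set(string.hexdigits.lower()))
    for pos in range(1, length + 1):
        for ch in alphabet:
            probe = f"{target}' AND substr(password_hash,{pos},1)='{ch}"
            if find_user_vulnerable(conn, probe):
                recovered += ch
                break
    return recovered


if __name__ == "__main__":
    db = build_db()
    bypass = "' OR '1'='1"  # classic tautology payload
    print("vulnerable:", find_user_vulnerable(db, bypass))   # every row comes back
    print("hardened:  ", find_user_hardened(db, bypass))     # nothing matches
    print("blind extraction of alice's hash:", blind_extract_hash(db, "alice"))
```

The tautology payload returns every row from the vulnerable lookup and nothing from the hardened one; the blind loop recovers the stored hash fragment one character at a time without ever seeing an error message, which is why "the app shows no SQL errors" is not evidence that injection is impossible.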
Advanced Techniques
The attackers leveraged GitHub accounts to authenticate and connect to Visual Studio Code Remote Tunnels, accessing compromised endpoints through the browser-based version of Visual Studio Code (vscode.dev).
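The tunnel and SQLmap behaviours described above, turned into detection logic as an added example (not code from the SentinelLabs/Tinexta report or from this page): a scan over constructed JSON-lines telemetry that flags SQLmap's default User-Agent in web logs, `code tunnel` launches on hosts that should never run one, and DNS lookups of the Dev Tunnels service from such hosts. The host-naming convention (`dev-*` for developer workstations), the web-server parent-process list, the sample events, and the severity scheme are assumptions for the demo; the tunnel service domains should be confirmed against current Microsoft documentation before deployment.

```python
"""Added detection example for the campaign's two most distinctive behaviours:
sqlmap probing and VS Code Remote Tunnel start-up on servers. Sample events
are constructed; naming convention and parent-process list are assumptions."""
import json
import re
from typing import Iterable

# Domains the Dev Tunnels service behind VS Code Remote Tunnels resolves to
# (confirm against current Microsoft documentation before relying on them).
TUNNEL_DOMAIN_RE = re.compile(r"(^|\.)(devtunnels\.ms|tunnels\.api\.visualstudio\.com)$", re.I)
# `code tunnel` / `code-tunnel` CLI invocation from any path, any casing.
TUNNEL_CMD_RE = re.compile(r"\b(code|code-tunnel)(\.exe)?\b.*\btunnel\b", re.I)
# sqlmap's default User-Agent. Trivially overridden with --random-agent, so a
# miss proves nothing; a hit is a cheap, high-confidence signal.
SQLMAP_UA_RE = re.compile(r"\bsqlmap/", re.I)
# Assumed convention: developer workstations are named "dev-*"; servers are not.
DEV_HOST_RE = re.compile(r"^dev-", re.I)
# Assumed list of web-server worker processes; a tunnel spawned by one of these
# is the web-shell-to-tunnel chain the campaign used.
WEB_SERVER_PARENTS = {"w3wp.exe", "httpd", "nginx", "php-fpm", "apache2"}

# Constructed sample telemetry (JSON lines), not real campaign data.
SAMPLE_EVENTS = r"""
{"ts":"2024-07-02T08:14:03Z","type":"web","src_ip":"203.0.113.7","ua":"sqlmap/1.8.5#stable (https://sqlmap.org)","path":"/api/items?id=1%27%20AND%201%3D1","status":200}
{"ts":"2024-07-02T08:14:04Z","type":"web","src_ip":"198.51.100.20","ua":"Mozilla/5.0","path":"/api/items?id=1","status":200}
{"ts":"2024-07-03T09:30:11Z","type":"process","host":"web-01","user":"IIS APPPOOL\\app","image":"C:\\Windows\\Temp\\code.exe","cmdline":"code.exe tunnel --accept-server-license-terms --name web-01","parent":"w3wp.exe"}
{"ts":"2024-07-03T09:30:12Z","type":"dns","host":"web-01","query":"global.rel.tunnels.api.visualstudio.com"}
{"ts":"2024-07-03T09:30:15Z","type":"dns","host":"web-01","query":"ab12cd34.euw.devtunnels.ms"}
{"ts":"2024-07-03T10:02:40Z","type":"process","host":"dev-laptop-7","user":"CORP\\jdoe","image":"C:\\Users\\jdoe\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe","cmdline":"Code.exe","parent":"explorer.exe"}
{"ts":"2024-07-03T10:05:01Z","type":"dns","host":"dev-laptop-7","query":"xyz789.euw.devtunnels.ms"}
{"ts":"2024-07-03T10:05:02Z","type":"process","host":"dev-laptop-7","user":"CORP\\jdoe","image":"C:\\Users\\jdoe\\AppData\\Local\\Programs\\Microsoft VS Code\\bin\\code.cmd","cmdline":"code tunnel --name dev-laptop-7","parent":"cmd.exe"}
"""


def _finding(ev: dict, rule: str, severity: str, detail: str, reasons=None) -> dict:
    return {"ts": ev.get("ts"), "host": ev.get("host", ev.get("src_ip")), "rule": rule,
            "severity": severity, "detail": detail, "reasons": reasons or []}


def tunnel_launch_reasons(ev: dict) -> list:
    """Context that turns a tunnel launch from 'a developer did something' into
    an incident. Empty list means nothing suspicious beyond the launch itself."""
    reasons = []
    if not DEV_HOST_RE.match(ev.get("host", "")):
        reasons.append("tunnel started on a non-developer host")
    if ev.get("parent", "").lower() in WEB_SERVER_PARENTS:
        reasons.append(f"spawned by web server process {ev['parent']} (web shell chain)")
    if "--accept-server-license-terms" in ev.get("cmdline", ""):
        reasons.append("licence accepted on the command line (unattended/scripted setup)")
    return reasons


def scan(lines: Iterable[str]) -> list:
    """Run the three rules over JSON-lines events and return findings in order."""
    findings = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        kind = ev.get("type")
        is_dev_host = bool(DEV_HOST_RE.match(ev.get("host", "")))
        if kind == "web" and SQLMAP_UA_RE.search(ev.get("ua", "")):
            findings.append(_finding(ev, "sqlmap_user_agent", "medium",
                                     f"{ev.get('src_ip')} requested {ev.get('path')} with UA {ev['ua']!r}"))
        elif kind == "process" and TUNNEL_CMD_RE.search(ev.get("cmdline", "")):
            reasons = tunnel_launch_reasons(ev)
            findings.append(_finding(ev, "vscode_tunnel_launch", "high" if reasons else "info",
                                     ev["cmdline"], reasons))
        elif kind == "dns" and TUNNEL_DOMAIN_RE.search(ev.get("query", "")) and not is_dev_host:
            findings.append(_finding(ev, "vscode_tunnel_dns", "high", ev["query"]))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS.splitlines()):
        print(f"[{f['severity']:<6}] {f['ts']} {f['host']:<12} {f['rule']}: {f['detail']}")
        for r in f["reasons"]:
            print(f"           - {r}")
```

On the sample data the web server `web-01` produces three high-severity findings (the tunnel launch spawned by `w3wp.exe` with unattended licence acceptance, then the two Dev Tunnels lookups), the SQLmap probe is recorded at medium, and the developer laptop's own tunnel is logged at informational level only. Because the page notes that the tunnels were authenticated with GitHub accounts, a complementary control is to require tunnel authentication through the organisation's own identity provider and to alert on GitHub device-code logins originating from server subnets.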
Evidence of a China Nexus
Several indicators point to Chinese threat actor involvement:
- Simplified Chinese comments within PHPsert.
- Infrastructure linked to Romanian hosting provider M247.
- Use of Visual Studio Code as a backdoor, a tactic previously associated with the Mustang Panda group.
- Activity patterns aligning with Chinese working hours (9 a.m. to 9 p.m. China Standard Time, UTC+8).
Additionally, the ongoing evolution of mimCN samples and the use of shared tools suggest a centralized "digital quartermaster" within the Chinese APT ecosystem, responsible for maintaining and distributing these tools.
Strategic Implications
The campaign highlights the strategic importance of targeting IT service providers, which act as gateways to the digital supply chain. By breaching these organizations, attackers can indirectly compromise downstream entities, amplifying their reach.
The abuse of trusted tools like Visual Studio Code illustrates the pragmatic approach of Chinese APT groups: by riding on legitimate development tooling and the cloud infrastructure behind it, they lower their chances of detection and sustain long-term espionage access.
Conclusion
Operation Digital Eye serves as a stark reminder of the evolving tactics employed by advanced threat groups. Organizations must prioritize monitoring legitimate tools and infrastructure for signs of abuse, ensuring that even trusted platforms don’t become blind spots in their security strategies.