Researchers from cybersecurity firm Cybereason recently informed the FBI and the Department of Justice about Operation CuckooBees, an alleged espionage effort by Chinese state-sponsored hackers to steal proprietary information from dozens of global defence, energy, biotechnology, aerospace and pharmaceutical companies.
The organizations affected were not named in Cybereason’s report, but are said to include some of the biggest companies in North America, Europe and Asia. Cybereason has linked the campaign to the prolific Winnti group, also known as APT 41.
Cybereason CEO Lior Div told The Record that the most alarming aspect of the Operation CuckooBees investigation was the evasive and sophisticated measures used to hide inside the networks of dozens of the largest global manufacturing companies in North America, Europe and Asia as early as 2019.
“The group operates like a guided missile and once it locks onto its target, it attacks and doesn’t stop until it steals a company’s crown jewels,” Div said.
“Winnti stole thousands of gigabytes of data and, to add insult to injury, also recovered proprietary business unit information, customer and partner data, employee and other personal information to use in blackmail or extortion schemes at a time of their choosing.”
Cybereason said that throughout its 12 months of investigation, it discovered that the intruders had recovered treasure troves of intellectual property and sensitive proprietary data, including formulas, source code, R&D documents and blueprints, as well as schematics of fighter jets, helicopters, missiles, etc.
The attackers also obtained information that could be used for future cyberattacks, such as details of a company’s business units, network architecture, user accounts and credentials, employee emails and customer data.
Most concerning, according to Div, was that the companies had no idea they had been breached.
In two detailed reports, Cybereason attributes the attacks to Winnti based on an analysis of digital artifacts the group appears to have left after its intrusions.
Several cybersecurity companies have followed Winnti since its emergence in 2010, and experts have noted that the hackers have been operating on behalf of Chinese state interests, specializing in cyber espionage and intellectual property theft.
The group used a previously undocumented malware strain called DEPLOYLOG as well as new versions of malware like Spyder Loader, PRIVATELOG and WINNKIT.
The malware included digitally signed kernel-level rootkits as well as an elaborate multi-step infection chain that allowed the operation to go undetected, Cybereason said.
The group also managed to abuse the Windows Common Log File System (CLFS) mechanism, which allowed intruders to “disguise their payloads and evade detection by traditional security products”.
CLFS is a logging framework that was first introduced by Microsoft in Windows Server 2003 R2 and included in later Windows operating systems.
“The attackers implemented a tricky ‘house of cards’ approach, which means each component depends on the others to perform properly, making it very difficult to analyze each component separately,” explained Div.
The CuckooBees operation generally took advantage of existing weaknesses, Div said, such as “unpatched systems, insufficient network segmentation, unmanaged assets, forgotten accounts, and lack of use of multi-factor authentication products.”
Cybereason said attackers gained a foothold in organizations through vulnerabilities in enterprise resource planning platforms.
Last month, FBI Director Chris Wray told 60 Minutes that the “biggest” threat facing US law enforcement comes from Chinese hackers stealing confidential information. The bureau opens a new counterintelligence investigation into China about every 12 hours, he said.
“They are targeting our innovation, our trade secrets, our intellectual property on a scale unprecedented in history. They have a bigger hacking program than all the other major nations combined,” Wray said.
“They stole more personal and corporate data from Americans than all the nations combined. It affects everything from agriculture to aviation to high tech to health care, to just about every sector of our economy. Anything that makes an industry tick, they target.”