The advanced persistent threat (APT) group Winnti has conducted a “sophisticated and elusive” cyber espionage campaign targeting sensitive proprietary information from technology and manufacturing companies, in an operation that went unnoticed for years, according to a new report.
A study by cybersecurity firm Cybereason found that Winnti’s campaign, dubbed Operation CuckooBees, ran from at least 2019 to 2021 and saw the China-linked APT targeting companies in East Asia, Western Europe and North America.
Cybereason published a two-part report on the campaign: the first part reviews Winnti’s tactics and techniques, and the second provides a more in-depth analysis of the malware and exploits used.
It says Winnti gained a foothold in companies’ systems through vulnerabilities in a popular, unnamed enterprise resource planning (ERP) platform, with the attackers then deploying a web shell to conduct reconnaissance, dump credentials and move laterally throughout the network.
“Through years of covert reconnaissance and identification of valuable data, the group is believed to have managed to exfiltrate hundreds of gigabytes of information,” Cybereason said in a blog post. “The attackers targeted intellectual property developed by the victims, including sensitive documents, blueprints, diagrams, formulas and proprietary manufacturing-related data.
“In addition, the attackers collected information that could be used for future cyber attacks, such as details of the target company’s business units, network architecture, user accounts and credentials, employee emails and customer data.”
The Winnti group – also known as APT41, Blackfly and BARIUM – has been active since 2010 and, according to Cybereason, has managed to siphon off huge amounts of corporate data and intellectual property using previously undocumented malware.
It says that this malware includes a digitally signed kernel-level rootkit and a complex multi-stage infection chain which, although more fragile because each component depends on the others, adds “an extra layer of security and stealth” that has allowed the operation to remain undetected since at least 2019.
The new strain of malware discovered by Cybereason is called DEPLOYLOG, and it is used in conjunction with newer versions of already known Winnti malware, including Spyder Loader, PRIVATELOG and WINNKIT.
Cybereason said the rarely seen abuse of the Windows Common Log File System (CLFS) mechanism, together with Winnti’s manipulation of Microsoft’s New Technology File System (NTFS), also helped the APT group hide its payloads and evade detection by traditional security products.
“CLFS uses its own file format, which is not documented and can only be accessed through the functions of the CLFS API,” it said. “At the time of writing, there is no tool to parse CLFS log files. This is of great benefit to attackers, as it makes it difficult to investigate and detect them while they are using the CLFS mechanism.”
Given the complexity, stealth and sophistication of the attacks, it was difficult to estimate the exact number of companies affected by Operation CuckooBees, Cybereason said. “Over the years, there have been numerous reports of US Department of Justice [DoJ] allegations linking Winnti to large-scale IP theft operations. Cybereason researchers believe that dozens of other companies are potentially affected by this or similar campaigns conducted by Winnti,” it said.
“Cyber espionage does not usually generate the same degree of panic or media attention as other cyber attacks, but lack of attention does not make it any less dangerous. A malicious campaign that has been silently stealing intellectual property for years is extremely costly and could have consequences for years to come.”
In September 2020, the US Department of Justice filed charges against five Chinese and two Malaysian nationals in connection with Winnti attacks targeting more than 100 organizations around the world.
The attacks targeted software developers, computer hardware manufacturers, telecommunications providers, social media platforms, video game companies, nonprofits, universities, think tanks and government agencies, as well as members of the Hong Kong pro-democracy movement. UK government agencies are believed to have been targeted – but not successfully compromised – during the campaign.
The DoJ said Winnti’s intrusions had facilitated other criminal schemes, including the deployment of ransomware and illegal cryptocurrency mining. Charges against the group include conspiracy, wiretapping, identity theft, money laundering and violations of the Computer Fraud and Abuse Act.