A large U.S. organization with significant operations in China was the victim of a sophisticated cyberattack earlier this year.
The attackers gained access to the organization’s network and maintained a persistent presence for several months, likely for the purpose of gathering intelligence. The attack is believed to have been carried out by a China-based hacking group, as the tools and techniques used are associated with previous Chinese cyber espionage operations.
The first signs of the attack appeared in April 2024, and malicious activity continued until at least August 2024. The attackers used a variety of techniques to move through the organization’s network, compromising multiple computers, including Exchange Servers, which suggests they were attempting to gather email data. Exfiltration tools were also found, indicating that data was likely stolen.
Tools and Techniques Used by the Attackers
- DLL Sideloading: The attackers used legitimate software (like Google and Apple apps) to secretly load malicious files, a technique called DLL sideloading.
- Impacket: An open-source tool that allows attackers to manipulate network protocols and execute remote commands.
- FileZilla: A widely used file transfer tool that the attackers appear to have used to steal data.
- PsExec and PowerShell: These Windows tools helped the attackers move laterally across the network and execute commands on other machines.
The attack unfolded in stages, with the attackers beginning with suspicious commands on multiple machines. For example, on April 11, the attackers used Windows Management Instrumentation (WMI) to execute malicious commands across the network. They also used tools like Impacket and PowerShell to extract sensitive information, including credentials and service account details.
As the attack progressed, the hackers targeted web servers, stole data, and even attempted to access email servers to gather intelligence. Files like GoogleToolbarNotifier and iTunesHelper were used to sideload malicious DLLs, while FileZilla and PSCP were used for data exfiltration.
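A defender-side check for the sideloading pattern described above, as an added example that is not code from the report: it scans constructed Sysmon Event ID 7 (ImageLoad) records for the two named host executables either running outside their usual install directory or loading an unsigned DLL from beside themselves. The install directories in WATCHED, the DLL names, and every sample record are assumptions made for the example.

```python
import re
from pathlib import PureWindowsPath

# Host executables the report names, mapped to the directory each is normally
# installed under. These install paths are assumed typical values, not from the page.
WATCHED = {
    "googletoolbarnotifier.exe": "c:\\program files (x86)\\google\\",
    "ituneshelper.exe": "c:\\program files\\itunes\\",
}

# Constructed Sysmon ImageLoad records flattened to "key=value" pairs (illustrative only).
SAMPLE_EVENTS = [
    # Benign: vendor binary in its install directory loads a signed DLL.
    "EventID=7 Image=C:\\Program Files (x86)\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe "
    "ImageLoaded=C:\\Program Files (x86)\\Google\\GoogleToolbarNotifier\\helper.dll Signed=true",
    # Suspicious: same binary copied to a world-writable path, loading a DLL beside it.
    "EventID=7 Image=C:\\Users\\Public\\GoogleToolbarNotifier.exe "
    "ImageLoaded=C:\\Users\\Public\\helper.dll Signed=false",
    # Suspicious: legitimate install path, but an unsigned DLL dropped next to the binary.
    "EventID=7 Image=C:\\Program Files\\iTunes\\iTunesHelper.exe "
    "ImageLoaded=C:\\Program Files\\iTunes\\helper.dll Signed=false",
    # Unrelated load; must not alert.
    "EventID=7 Image=C:\\Windows\\System32\\svchost.exe "
    "ImageLoaded=C:\\Windows\\System32\\ntdll.dll Signed=true",
]

# Lazily capture each value up to the next " Key=" token or end of line.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")

def parse_event(line):
    """Turn a flattened 'key=value ...' record into a dict."""
    return dict(FIELD_RE.findall(line))

def classify(event):
    """Return a reason string if the ImageLoad looks like sideloading, else None."""
    if event.get("EventID") != "7":
        return None
    image = PureWindowsPath(event.get("Image", ""))
    loaded = PureWindowsPath(event.get("ImageLoaded", ""))
    name = image.name.lower()
    if name not in WATCHED:
        return None
    # Rule 1: the known host binary is executing from an unexpected location.
    if not str(image).lower().startswith(WATCHED[name]):
        return f"{image.name} running from unexpected path {image.parent}"
    # Rule 2: it loads an unsigned DLL from its own directory (PureWindowsPath compares case-insensitively).
    if loaded.parent == image.parent and event.get("Signed", "").lower() == "false":
        return f"{image.name} loaded unsigned {loaded.name} from its own directory"
    return None

def scan(lines):
    """Apply classify() to each record and return the alert reasons in order."""
    return [r for r in (classify(parse_event(l)) for l in lines) if r]
```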
The attackers’ activity continued with a focus on gaining more privileged access, using techniques such as Kerberoasting to crack service account passwords and escalate their privileges on the network.
Links to Known China-Based Hackers
Evidence suggests that this attack was carried out by a Chinese hacker group, as the techniques and tools used match those previously seen in cyberattacks linked to China-based groups, including Daggerfly and Crimson Palace. These groups are known for targeting organizations to steal sensitive information for intelligence purposes.
Bijay Pokharel