Cybereason Discloses Attack Vector Used by Chinese Cybergang to Steal IP

The Cybereason Nocturnus Incident Response Team today divulged how cybercriminals affiliated with the Chinese Winnti APT group compromised enterprise resource planning (ERP) applications in Windows environments.

Dubbed Operation CuckooBees, the cyberespionage attacks have siphoned intellectual property and sensitive data from these types of applications since 2019. The group has exfiltrated hundreds of gigabytes of data that included blueprints, diagrams and formulas, according to Cybereason researchers.

Attackers also collected information that could be used for future cyberattacks or to potentially extort or blackmail individuals by threatening to publicly disclose sensitive data.

Assaf Dahan, senior director of threat research for the Cybereason Nocturnus Incident Response Team, said the Winnti APT group, also known as APT 41, BARIUM and Blackfly, is a Chinese state-sponsored entity that specializes in cyberespionage. In this attack, Winnti leveraged both known and previously undocumented malware, including digitally signed kernel-level rootkits, bootkits and evasive techniques, to conduct a multi-stage compromise of supply chains. Other elements of the Winnti APT group arsenal included Spyder, a sophisticated modular backdoor; STASLOG, a deployment tool for “stashing” payloads in the Windows Common Log File System (CLFS); and SPARKLOG, a tool that extracts and deploys PRIVATELOG to gain privilege escalation and achieve persistence, and that is used to deploy the Winnti kernel-level rootkit. That approach enabled the group’s activities to remain undetected for years, noted Dahan.

The Cybereason Nocturnus Incident Response Team spent two years uncovering the attack vector; it is only the latest in a series of efforts to steal trillions of dollars in intellectual property, added Dahan.

There is, of course, nothing new about attempts to steal intellectual property. It’s been going on since long before agents acting on behalf of the British government surreptitiously brought seeds from China to India to grow tea. The U.S., in turn, fueled an entire cotton industry by illicitly gaining access to the cotton gin from sources in England. The scale of those efforts is now much greater, with nearly every country in the world participating in cyberespionage to varying degrees.

It is also hard to estimate the exact number of companies affected by Operation CuckooBees because of the complexity, stealth and sophistication of the attacks, but Winnti is one of the most notorious groups involved in such efforts, noted Dahan. Multiple individuals associated with the cyberespionage gang have already been indicted, to little avail.

Just how secure ERP applications are is unknown, but many organizations are running older versions of these applications that could be easily compromised. Regardless of version, however, once the login credentials of an ERP application are compromised, there is no level of security that would prevent a malicious actor from gaining access to sensitive data. The challenge then becomes using tools to detect threats and limit the blast radius of a breach as quickly as possible.

ERP applications are, of course, high-value targets. The challenge is that many organizations are still primarily focused on securing the network perimeter rather than the application environment. Cybercriminals have become adept at leveraging a wide range of techniques to embed malware in application environments that might lie dormant for months before being activated. In fact, most organizations—whether or not they want to admit it—should assume that those application environments are already compromised.

Michael Vizard

Mike Vizard is a seasoned IT journalist with over 25 years of experience. He also contributed to IT Business Edge, Channel Insider, Baseline and a variety of other IT titles. Previously, Vizard was the editorial director for Ziff-Davis Enterprise as well as Editor-in-Chief for CRN and InfoWorld.