
Two investigative reports show recent cyberattacks on Chinese tech firms by the US

Source: MKsports; time: 2025-01-21 22:10:14

Cyber attack. Photo: VCG



The National Computer Network Emergency Response Technical Team Center of China (known as CNCERT) released two investigative reports on Friday, exposing two recent cyberattacks by US intelligence agencies targeting major Chinese technology firms to steal trade secrets.

In one case, the reports revealed that since August 2024, an advanced materials research institute in China has reportedly been targeted by cyberattacks suspected to be orchestrated by US intelligence agencies. Analysis revealed that the attackers exploited a vulnerability in a domestic electronic document security management system to infiltrate the company's software upgrade management server. Through the software upgrade service, they delivered control trojans to over 270 host machines within the company, stealing a significant amount of trade secret information and intellectual property.

The investigative reports released by CNCERT detailed the specific procedures employed in the cyberattacks conducted by US intelligence agencies.

First, on August 19, 2024, the attackers exploited an injection vulnerability in the unit's electronic document system to infiltrate it and steal the administrator account and password. On August 21, the attackers logged into the management backend of the attacked system using the stolen administrator credentials.

On August 21, attackers deployed a backdoor program and a customized trojan program for receiving stolen data within the electronic document system. To evade detection, these malicious programs only existed in memory and were not stored on the hard drive. The trojan program was used to receive sensitive files stolen from the compromised personal computers of the involved unit. The backdoor program was used to aggregate the stolen sensitive files and transmit them abroad.

On November 6 and 8, attackers exploited a software upgrade feature of the electronic document server to implant a specialized trojan program into 276 hosts of the unit. 

The main functions of the trojan program are: first, to scan the implanted hosts for sensitive files to steal; second, to steal the login credentials and other personal information of the attacked individuals. The trojan program was deleted immediately after each use.

The attackers repeatedly logged into the software upgrade management server using IP proxies located within China and utilized this server to infiltrate the internal network hosts of the victim organization. They conducted repeated comprehensive scans of the hard drives of these internal network hosts to identify potential attack targets and gain insight into the organization's work content.

From November 6 to 16, the attackers used three different proxy IPs to invade the software upgrade management server three times, implanting trojans into personal hosts. These trojans were embedded with specific keywords highly relevant to the victim organization's work content. Once files containing these specific keywords were located, the corresponding files were stolen and transmitted abroad. The keywords used in these three espionage activities were all different, indicating that the attacker had made careful preparations before each attack, demonstrating a strong level of targeting. A total of 4.98GB of important commercial information and intellectual property documents were stolen during these three espionage acts.
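One way a defender could hunt for the access pattern just described (one admin account reaching the upgrade server from several proxy IPs, each visit followed by update pushes to internal hosts), as an added example that is not CNCERT's or the report's own code; the log format, field names and thresholds are assumptions:

```python
"""Added hunt script, not CNCERT's tooling: flags an admin account reaching the
upgrade server from several proxy IPs, each login followed by mass pushes."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample log lines (format assumed): key=value fields after the event type.
SAMPLE_LOGS = """\
2024-11-06T02:13:44 LOGIN account=admin src=10.20.30.40
2024-11-06T02:20:01 PUSH pkg=update.bin host=WS-0017
2024-11-08T01:55:10 LOGIN account=admin src=10.20.31.7
2024-11-08T02:03:12 PUSH pkg=update.bin host=WS-0019
2024-11-10T09:00:00 LOGIN account=jdoe src=10.20.30.40
2024-11-10T09:05:00 PUSH pkg=update.bin host=WS-0021
2024-11-16T03:10:45 LOGIN account=admin src=10.20.33.9
2024-11-16T03:15:00 PUSH pkg=update.bin host=WS-0020
"""
LINE_RE = re.compile(r"^(\S+) (LOGIN|PUSH) (.*)$")

def parse_logs(text):
    """Return (time, kind, fields) tuples sorted by time; lines not matching LINE_RE are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            fields = dict(tok.split("=", 1) for tok in m.group(3).split())
            events.append((datetime.fromisoformat(m.group(1)), m.group(2), fields))
    return sorted(events, key=lambda e: e[0])

def flag_accounts(events, window=timedelta(days=14), min_ips=3,
                  push_gap=timedelta(hours=1), min_hosts=3):
    """Accounts seen from >= min_ips source IPs inside `window` whose logins were
    followed within `push_gap` by pushes to >= min_hosts distinct hosts in total."""
    logins = defaultdict(list)
    pushes = [(t, f["host"]) for t, k, f in events if k == "PUSH"]
    for t, k, f in events:
        if k == "LOGIN":
            logins[f["account"]].append((t, f["src"]))
    flagged = {}
    for acct, entries in logins.items():
        for t0, _ in entries:  # slide the window forward from each login
            in_win = [(t, ip) for t, ip in entries if t0 <= t <= t0 + window]
            ips = {ip for _, ip in in_win}
            if len(ips) < min_ips:
                continue
            hosts = {h for t, h in pushes
                     if any(tl <= t <= tl + push_gap for tl, _ in in_win)}
            if len(hosts) >= min_hosts:
                flagged[acct] = {"ips": sorted(ips), "hosts": sorted(hosts)}
                break
    return flagged
```

Run against real upgrade-server audit logs, the thresholds should be tuned to how often legitimate administrators change source address and how many hosts a normal update cycle touches.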

The report also detailed several features of the cyberattacks, including the timing of the attacks, the resources and attack tools used, the tactics employed, and the IP addresses involved.

Additionally, a large high-tech enterprise specializing in smart energy and digital information has reportedly been under similar attacks since May 2023. Analysis indicated that the attackers used multiple overseas proxies to exploit a vulnerability in Microsoft Exchange, gaining control of the company's email server and implanting backdoor programs to continuously steal email data. At the same time, the attackers used the email server as a launch point to attack and control over 30 devices belonging to the company and its subsidiaries, stealing a large amount of trade secret information.

The CNCERT investigative report showed that in this case, the company's email server uses the Microsoft Exchange email system. The attackers exploited two vulnerabilities in Microsoft Exchange to carry out the attack. First, they used a vulnerability that allowed impersonation of any user to target a specific account, and then they exploited a deserialization vulnerability to execute arbitrary code.

To avoid detection, the attackers implanted two attack tools in the email server that only run in memory and are not stored on the hard drive. They utilized virtualization technology. The main functions of the attack tools include sensitive information theft, command execution, and internal network penetration. The internal network penetration program evades detection by security software through obfuscation, forwarding the attacker's traffic to other target devices to achieve the goal of attacking other devices within the internal network, according to the report.

The attacker used the email server as a springboard, employing internal network scanning and penetration techniques to establish a covert encrypted transmission tunnel within the internal network. They logged into and controlled more than 30 important devices of the company through methods such as SSH and SMB, stealing data in the process. 

These devices included personal computers, servers, and network equipment. The controlled servers included the email server, office system server, code management server, testing server, development management server, and file management server, among others. To achieve persistent control, the attacker implanted a covert data theft weapon capable of establishing a websocket + SSH tunnel in the relevant servers and the network administrator's computer, enabling the covert forwarding of attacker commands and data theft. To avoid detection, this data theft program disguised itself as a WeChat-related program named WeChatxxxxxxxx.exe. The attacker also implanted two modular malicious programs in the victim's servers that utilized PIPE for inter-process communication, establishing a communication pipeline.

The investigative report showed that the attackers stole a large amount of sensitive email data. The attacker gained control of the computers of three network administrators at the company, frequently stealing account credentials and configuration information for the company's core network devices.

The attacker frequently stole relevant development project data from the company's code server, development server, and other systems through attacks, with the total amount of stolen data reaching 1.03GB.


Global Times