Researchers have uncovered a major cyberattack that targeted a U.S. firm for four months. The attack is suspected to have been carried out by Chinese hacker groups, possibly with state backing. The hackers employed advanced techniques to infiltrate the company’s systems, remaining hidden for months, leading to concerns over data theft or operational disruption. The findings highlight the growing threat of cyberattacks attributed to nation-state actors.
Key points:
Targeted U.S. Firm: A large U.S. organization with significant operations in China was the target of a four-month cyberattack between April and August 2024, which may have begun earlier.
Attack Details: The attackers moved laterally across the organization’s network, compromising multiple computers, including Exchange Servers. They deployed exfiltration tools, indicating data theft, and were likely harvesting email data.
Chinese Hacker Links: The attack is attributed to a Chinese threat actor, based on tactics like DLL side-loading, a method linked to Chinese hacking groups. Artifacts found were similar to those used in a prior state-sponsored operation, Crimson Palace.
Previous Attack: In 2023, the organization had also been targeted by a different Chinese-linked group, Daggerfly (also known as Bronze Highland, Evasive Panda, and StormBamboo).
Tactics Used: The attack involved publicly available, dual-use tools such as FileZilla, Impacket, and PSCP, as well as living-off-the-land (LotL) techniques that abuse built-in utilities like PowerShell, WMI, and PsExec.
Unknown Initial Access: While the initial access vector is unclear, evidence suggests that the attackers had compromised at least one system on the network before April 11.
Focus on Exchange Servers: The attackers were particularly interested in targeting Exchange servers to collect and exfiltrate email data.
Chinese Cyber Ecosystem: The attack reflects broader trends in China’s cyber operations, where state-sponsored hackers often use fake companies to hide their activities and recruit personnel for cyber operations.