Chinese APT Data-Harvesting Campaign Analyzed
Nation-State Chinese Groups APT27, APT41 Likely Candidates
Earlier this month, cybersecurity company McAfee Enterprise's Advanced Threat Research team, working with McAfee's Professional Services IR team, reported that an APT campaign dubbed Operation Harvest had been in operation for years. The threat actor is suspected to be a nation-state Chinese group, and APT27 and APT41 are reportedly the most likely candidates.
While a McAfee spokesperson declined to identify the victims or the sectors they belonged to, the report notes the implications of the attack.
The adversary uses a combination of known and new malware for their attacks, according to the report's author, Christiaan Beek, who is a lead scientist at McAfee.
The report notes how this adversary "mostly seems to work from Monday to Thursday and typically during office hours, albeit with the occasional exception."
The threat actor, according to the report, gained initial access by exploiting public-facing vulnerabilities in a victim's web server. It used Winnti malware, which several adversaries are known to use for DNS tunneling, but it also reportedly used distinctive new backdoors or variants of existing malware families.
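DNS tunneling of the kind attributed to Winnti above hides data in the query names themselves, so a defender looks for domains whose subdomains are long, high-entropy and never repeat, often carried in payload-friendly record types such as TXT. The following heuristic is an added illustration written for this article, not code from McAfee or from the report; the query records, client addresses and `*-placeholder.test` domains are constructed, and the registered-domain split is a naive "last two labels" rule that a real deployment would replace with a public-suffix list.

```python
import math
from collections import defaultdict

# Constructed DNS query records (client IP, query type, queried name), standing in for a
# resolver or Zeek dns.log export. None of this is data from the McAfee report.
SAMPLE_QUERIES = [
    ("10.0.0.5", "A", "www.example.com"),
    ("10.0.0.5", "A", "mail.example.com"),
    ("10.0.0.5", "A", "cdn.example.com"),
    ("10.0.0.5", "AAAA", "www.example.com"),
    ("10.0.0.9", "A", "updates.vendor-placeholder.test"),
    ("10.0.0.9", "A", "updates.vendor-placeholder.test"),
    # Tunnel-like traffic: long, high-entropy, never-repeating labels under one domain.
    ("10.0.0.7", "TXT", "a3f9c2e1b8d47f0e6c5a9b2d1e3f4a5b6c7d8e9f.tunnel-placeholder.test"),
    ("10.0.0.7", "TXT", "9b2d1e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d.tunnel-placeholder.test"),
    ("10.0.0.7", "TXT", "0c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d.tunnel-placeholder.test"),
    ("10.0.0.7", "TXT", "5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e.tunnel-placeholder.test"),
    ("10.0.0.7", "TXT", "e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6.tunnel-placeholder.test"),
    ("10.0.0.7", "TXT", "2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b.tunnel-placeholder.test"),
]


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; encoded payloads score far higher than hostnames."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str):
    """Return (subdomain part, registered domain). Naive: registered domain = last two labels."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def profile_domains(queries):
    """Aggregate, per registered domain, the features that separate tunnels from normal lookups."""
    stats = defaultdict(lambda: {"total": 0, "subdomains": set(), "sub_len": 0,
                                 "entropy": 0.0, "payload_types": 0})
    for _client, qtype, qname in queries:
        sub, domain = split_name(qname)
        s = stats[domain]
        s["total"] += 1
        s["subdomains"].add(sub)
        s["sub_len"] += len(sub)
        s["entropy"] += shannon_entropy(sub.replace(".", ""))
        if qtype in ("TXT", "NULL", "CNAME"):  # record types that can carry arbitrary payload
            s["payload_types"] += 1
    return stats


def flag_tunnel_candidates(queries, min_queries=5, min_avg_len=30,
                           min_entropy=3.2, min_unique_ratio=0.8):
    """Return registered domains whose query pattern looks like data encoded into subdomains."""
    flagged = []
    for domain, s in profile_domains(queries).items():
        if s["total"] < min_queries:          # too few queries to judge
            continue
        avg_len = s["sub_len"] / s["total"]
        avg_entropy = s["entropy"] / s["total"]
        unique_ratio = len(s["subdomains"]) / s["total"]
        if avg_len >= min_avg_len and avg_entropy >= min_entropy and unique_ratio >= min_unique_ratio:
            flagged.append(domain)
    return sorted(flagged)


if __name__ == "__main__":
    for domain in flag_tunnel_candidates(SAMPLE_QUERIES):
        print("possible DNS tunnel:", domain)
```

The thresholds are starting points, not calibrated values: CDNs and some security products also generate long, hashed-looking labels, so in practice the output is a triage list to be compared against a baseline of the organization's normal resolver traffic rather than an alert on its own.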
The attackers then installed software to collect information about the victim's network, move laterally through the environment, execute malicious files and store tools, including:
- Mimikatz: an open-source pentesting tool that allows users to view and save authentication credentials;
- PsExec: a Microsoft tool that runs processes remotely using any user's credentials;
- Procdump: a tool that supports monitoring of hung windows and unhandled exceptions;
- RottenPotato: an open-source tool that is used to access a privileged token - for example, "NT AUTHORITY\SYSTEM" - to be able to execute tasks with system rights.
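Because the tools listed above are legitimate or open-source utilities, file names alone are a weak signal; the attacker can rename Procdump or Mimikatz at will. Endpoint detection therefore keys on what the process does: a command line that names LSASS, the PSEXESVC service binary that PsExec drops on the target, or Mimikatz module syntax. The rules below are an added example written for this article, not McAfee's detection content; the process-creation events, hostnames, users and file paths are constructed, and the record shape mirrors what Sysmon Event ID 1 or EDR telemetry provides.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """Minimal process-creation record (Sysmon Event ID 1 / EDR telemetry shape)."""
    host: str
    user: str
    image: str          # full path of the new process
    command_line: str
    parent_image: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# Detection rules: (name, predicate over a ProcessEvent). Each targets behaviour, not a file name.
RULES = [
    # PsExec installs and starts the PSEXESVC service on the remote host; the service binary
    # or its children appearing on a server is the durable artefact of a PsExec session.
    ("psexec_service",
     lambda e: basename(e.image) == "psexesvc.exe" or basename(e.parent_image) == "psexesvc.exe"),
    # Any process other than LSASS itself naming lsass on its command line (Procdump -ma lsass.exe,
    # including a renamed Procdump) is a credential-dumping candidate.
    ("lsass_dump_cmdline",
     lambda e: re.search(r"\blsass(\.exe)?\b", e.command_line, re.I) is not None
     and basename(e.image) != "lsass.exe"),
    # Mimikatz module syntax survives renaming the binary.
    ("mimikatz_modules",
     lambda e: re.search(r"(sekurlsa::|lsadump::|privilege::debug|kerberos::)",
                         e.command_line, re.I) is not None),
]

# Constructed events for illustration; hostnames, users and paths are placeholders.
SAMPLE_EVENTS = [
    ProcessEvent("WS01", "CORP\\alice", r"C:\Windows\System32\notepad.exe",
                 "notepad.exe notes.txt", r"C:\Windows\explorer.exe"),
    ProcessEvent("SRV-WEB01", "NT AUTHORITY\\SYSTEM", r"C:\Windows\PSEXESVC.exe",
                 "PSEXESVC.exe", r"C:\Windows\System32\services.exe"),
    ProcessEvent("SRV-WEB01", "CORP\\svc-web", r"C:\Windows\Temp\pd.exe",
                 r"pd.exe -accepteula -ma lsass.exe C:\Windows\Temp\out.dmp",
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent("WS07", "CORP\\bob", r"C:\Users\bob\Downloads\m.exe",
                 'm.exe "privilege::debug" "sekurlsa::logonpasswords" exit',
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent("WS02", "CORP\\carol", r"C:\Program Files\Vendor\backup.exe",
                 "backup.exe --full", r"C:\Windows\System32\services.exe"),
]


def evaluate(events):
    """Run every rule over every event; return (host, rule, process name) for each hit."""
    hits = []
    for e in events:
        for name, pred in RULES:
            if pred(e):
                hits.append((e.host, name, basename(e.image)))
    return hits


if __name__ == "__main__":
    for host, rule, proc in evaluate(SAMPLE_EVENTS):
        print(f"{host}: {rule} ({proc})")
```

In the constructed sample the renamed Procdump (`pd.exe`) and renamed Mimikatz (`m.exe`) are both caught by their command lines, while the backup agent and Notepad are not. The LSASS rule will also fire on some legitimate security and backup software, so an allowlist of known images and signers is the usual companion to it.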
The adversary, the report adds, used privilege escalation exploits to steal credentials and move on to other systems.
"For me, what stands out the most is the long-term presence and updating their tools/malware to stay in the network. Moreover, it is important to note that the actors maintained persistence within the environment for this period," Beek tells Information Security Media Group. He did not specify how many years he believes the adversary has been operating.
The researcher also discovered a "very strong overlap" with an undisclosed 2019-20 campaign. An analysis of the campaigns demonstrates the adversary was evolving, the report says.
The adversary was interested in stealing proprietary intelligence that could be used for military or intellectual property/manufacturing purposes, the report says.
"The exfiltrated data would have either been part of an intellectual property theft for economic purposes and/or would have provided insights that would be beneficial in case of military interventions," it says.
Beek says he believes the Chinese threat actor planned to acquire, over a long period of time, the intelligence needed to make political, strategic or manufacturing decisions.
Other implications include economic benefit gained through the extraction of confidential business data, Beek tells ISMG.
Over the past year, attackers have increasingly used initial access vectors other than spear-phishing, such as compromising remote access systems or supply chains, according to a separate McAfee blog post.
Exploiting public-facing vulnerabilities for initial access is a technique that Operation Harvest shares with other APT groups, the researchers say.
Javvad Malik, lead security advocate at security awareness training platform KnowBe4, supports this contention.
"It [compromising public-facing servers] is probably only second to social engineering. That is why a robust vulnerability management plan is essential for all organizations - despite it being a challenging task," he says.
While intellectual property theft can be the goal, oftentimes, it is stolen to use as leverage to extort more money with ransomware, he says. The victim organization may not even be the end goal, but rather one step in the path to get to another organization in the supply chain, he adds.
In the attack scenario described by McAfee, patching and monitoring could have prevented the initial foothold from taking place, Malik says.
"It's important to take a risk-based approach and focus on high-value systems, devices and accounts, and work back from there. The use of honeypot or deception technologies can also be useful in stalling attacks and getting reliable alerts,” he adds.