Advanced persistent threat (APT) group Winnti ran a “sophisticated and elusive” cyber espionage hacking campaign targeting the sensitive proprietary information of technology and manufacturing companies, in an operation that went undetected for years, says a report.
Research from cyber security firm Cybereason found that Winnti’s campaign, dubbed Operation CuckooBees, ran from at least 2019 to 2021, and saw the Chinese state-linked APT group target companies in East Asia, Western Europe and North America.
It said Winnti had gained an initial foothold in companies’ systems through vulnerabilities in a popular, unnamed enterprise resource planning (ERP) platform, with the attackers then deploying a web shell to conduct reconnaissance and credential dumping, which enabled them to move laterally throughout the network.
“With years to surreptitiously conduct reconnaissance and identify valuable data, it is estimated that the group managed to exfiltrate hundreds of gigabytes of information,” said Cybereason in a blog post. “The attackers targeted intellectual property developed by the victims, including sensitive documents, blueprints, diagrams, formulas, and manufacturing-related proprietary data.
“In addition, the attackers collected information that could be used for future cyber attacks, such as details about the target company’s business units, network architecture, user accounts and credentials, employee emails and customer data.”
The Winnti group – also known as APT41, Blackfly and BARIUM – has been active since 2010 and, according to Cybereason, was able to siphon off massive amounts of corporate data and intellectual property using previously undocumented malware.
It said this malware included digitally signed kernel-level rootkits and an elaborate multi-stage infection chain which – despite having a much higher chance of collapse because of the interdependence of each component – added “an extra level of security and stealth” that enabled the operation to remain undetected since at least 2019.
The new malware strain exposed by Cybereason is called DEPLOYLOG, which was used alongside newer versions of already-known Winnti malware, including Spyder Loader, PRIVATELOG and WINNKIT.
Cybereason said a rarely seen abuse of the Windows Common Log File System (CLFS) mechanism, as well as Winnti’s manipulation of Microsoft’s New Technology File System (NTFS), also helped the APT group to conceal its payloads and evade detection by traditional security products.
“CLFS employs a proprietary file format that isn’t documented and can only be accessed through the CLFS API functions,” it said. “As of writing this report, there is no tool which can parse the flushed logs. This is a huge benefit for attackers, as it makes it more difficult to examine and detect them while using the CLFS mechanism.”
Because of the complexity, stealth and sophistication of the attacks, it was hard to estimate the exact number of companies affected by Operation CuckooBees, said Cybereason. “Over the years, there have been multiple reports and US Department of Justice [DoJ] indictments tying Winnti to large-scale IP theft operations. Cybereason researchers believe that dozens of other companies were potentially affected by this or similar campaigns carried out by Winnti,” it said.
“Cyber espionage doesn’t usually generate the same degree of panic or media attention as other cyber attacks, but the lack of attention doesn’t make it any less dangerous. A malicious campaign that silently steals intellectual property for years is exceptionally costly and may have repercussions for years to come.”
In September 2020, the DoJ charged five Chinese and two Malaysian nationals in connection with Winnti attacks that targeted more than 100 organisations around the world.
The attacks targeted software developers and computer hardware manufacturers, telcos, social media platforms, video game companies, non-profits, universities, think-tanks and government agencies, as well as members of Hong Kong’s pro-democracy movement. UK government agencies are understood to have been targeted – but not successfully compromised – during the campaign.
The DoJ said Winnti’s intrusions also facilitated other criminal schemes, including deploying ransomware against targets, and illicit cryptomining. Charges against the group include conspiracy, wire fraud, aggravated identity theft, money laundering and violations of the Computer Fraud and Abuse Act.