Cuckoo Spear Threat Alert: APT10 Targets Japan’s Critical Infrastructure
A newly published threat analysis report from Cybereason Security Services reveals “Cuckoo Spear,” a sophisticated and persistent cyber espionage campaign targeting Japanese companies and critical infrastructure sectors. The campaign, attributed to the Chinese state-backed advanced persistent threat (APT) group APT10, has been active for an estimated two to three years, highlighting the group’s advanced tradecraft and ability to evade detection.
APT10, a Chinese state-sponsored cyber espionage group active since 2006, has been implicated in numerous high-profile cyber-attacks. Their focus is on supporting Chinese national security goals by gathering intelligence on critical infrastructure sectors such as communications, manufacturing, and public sectors.
The Cuckoo Spear campaign, as revealed by Cybereason, involves the use of APT10’s old arsenal, such as LODEINFO malware, alongside new tools like NOOPDOOR. This campaign has been linked to incidents involving Threat Actors like Earth Kasha and MirrorFace.
Since December 2019, the cybersecurity landscape has been continually challenged by the LODEINFO malware. Recent investigations by Cybereason suggest that APT10 has incorporated a new malware family, NOOPDOOR, into their toolkit. NOOPDOOR is a 64-bit modular backdoor that employs DGA-based C2 communication and is loaded by NOOPLDR, which decrypts and executes the malware.
The combination of LODEINFO and NOOPDOOR has allowed APT10 to maintain persistence within compromised networks for extended periods, exfiltrating sensitive data and enabling further attacks.
Cybereason’s analysis reveals that the Threat Actors behind Cuckoo Spear employ a variety of techniques to maintain persistence and evade detection:
- Scheduled Tasks: Abusing Scheduled Tasks to execute MSBuild, which loads and compiles the NOOPDOOR loader at runtime.
- WMI Consumer Events: Leveraging WMI event consumers to trigger actions and execute malicious scripts, maintaining persistence through MSBuild execution.
- Windows Services: Creating malicious services that load unsigned DLL files to ensure continuous presence within the environment.
These techniques, coupled with spear-phishing and exploiting vulnerabilities, allow the attackers to infiltrate and persist in target networks effectively.
To combat the Cuckoo Spear threat, Cybereason recommends implementing robust security protocols, continuous monitoring for suspicious activities, and collaboration with cybersecurity experts. The following strategies are essential for detecting and mitigating these sophisticated threats:
- Hunting Queries and IOCs: Utilizing hunting queries and Indicators of Compromise (IOCs) provided in the Cybereason report to identify Cuckoo Spear activity.
- Incident Response: Engaging a dedicated Incident Response team to contain, eradicate, and recover from the threat. This includes preparing a clean network, disabling internet access, blocking C2 domains and IPs, resetting passwords, and rebuilding infected machines.
- Persistent Monitoring: Continuously monitoring networks for signs of intrusion and employing advanced threat intelligence to stay ahead of evolving threats.
