Operation Digital Eye: Chinese APT Exploits Visual Studio Code Tunnels in High-Stakes Espionage Campaign

In a sophisticated cyberespionage campaign dubbed Operation Digital Eye, SentinelOne and Tinexta Cyber uncovered activities linked to a Chinese Advanced Persistent Threat (APT) group targeting large business-to-business IT service providers in Southern Europe. The campaign, conducted between late June and mid-July 2024, leveraged advanced techniques, including the abuse of Visual Studio Code Remote Tunnels, to compromise critical digital infrastructure.

The attackers employed novel methods; this is the first documented instance of a suspected Chinese APT using Visual Studio Code tunnels for command-and-control (C2). As SentinelOne reported: “Visual Studio Code tunneling involves executables signed by Microsoft and Microsoft Azure network infrastructure, both of which are often not closely monitored and are typically allowed by application controls and firewall rules.” Because the binaries are signed and the traffic terminates in Azure, the attackers could maintain persistent backdoor access while evading detection.

The campaign primarily targeted IT service providers managing critical infrastructure for diverse industries, positioning the attackers to infiltrate the broader digital supply chain. “A sustained presence within these organizations would provide the Operation Digital Eye actors with a strategic foothold,” the report noted.

The abuse of trusted tools like Visual Studio Code and Microsoft Azure infrastructure allowed the attackers to disguise malicious activities as legitimate operations. SentinelOne emphasized: “By leveraging public Cloud infrastructure for malicious purposes, the attackers made the traffic appear legitimate, which can be challenging to detect and may evade security defenses.”

The attackers utilized SQL injection to gain initial access and deployed a custom PHP-based webshell named PHPsert for persistent control. A modified version of Mimikatz, referred to as bK2o.exe, was used for lateral movement through pass-the-hash techniques, reflecting tool-sharing practices within the Chinese APT ecosystem.

The use of Visual Studio Code tunnels for C2 demonstrates how APT groups exploit legitimate technologies to bypass traditional defenses. SentinelOne observed: “The exploitation of widely used technologies, which security teams may not scrutinize closely, presents a growing challenge for organizations.”
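Since the report's point is that the tunnel binary is signed and its traffic is allowed, the practical detection hook is the process launch itself. The following Python is an added example, not code from the SentinelOne/Tinexta report: it scans constructed process-creation events for the VS Code `tunnel` subcommand and enriches hits with context (binary outside the usual install paths, spawned by a web server worker, registered as a service, running as SYSTEM). The install-path, parent-process and account heuristics are assumptions of this example, not indicators published in the report.

```python
import json
import shlex
from pathlib import PureWindowsPath

# Constructed process-creation events (JSON lines), not real telemetry from the campaign.
SAMPLE_EVENTS = r"""
{"host":"srv-web-01","user":"NT AUTHORITY\\SYSTEM","image":"C:\\ProgramData\\tmp\\code.exe","cmdline":"code.exe tunnel --accept-server-license-terms --name srv-web-01","parent":"cmd.exe"}
{"host":"ws-dev-07","user":"CORP\\alice","image":"C:\\Users\\alice\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe","cmdline":"\"Code.exe\" --unity-launch","parent":"explorer.exe"}
{"host":"srv-app-02","user":"CORP\\svc_deploy","image":"C:\\Windows\\Temp\\code.exe","cmdline":"code.exe tunnel service install","parent":"php-cgi.exe"}
"""

# Binaries that expose the `tunnel` subcommand (VS Code desktop and the standalone CLI).
TUNNEL_IMAGES = {"code.exe", "code", "code-tunnel.exe", "code-tunnel"}
# Where a legitimately installed VS Code normally lives (assumption; tune per environment).
TRUSTED_DIRS = ("\\program files", "\\appdata\\local\\programs\\")
# Parents that should never spawn an IDE on a server (assumption: common web server workers).
WEB_WORKERS = {"w3wp.exe", "php-cgi.exe", "httpd.exe", "nginx.exe"}


def analyze_event(event):
    """Return a finding dict if the event is a VS Code tunnel launch, else None."""
    image = PureWindowsPath(event["image"])
    argv = shlex.split(event["cmdline"])
    # First positional argument after the binary is the subcommand (flags are skipped).
    positional = [a.lower() for a in argv[1:] if not a.startswith("-")]
    if image.name.lower() not in TUNNEL_IMAGES or not positional or positional[0] != "tunnel":
        return None
    reasons = ["vscode tunnel subcommand"]
    if "service" in positional and "install" in positional:
        reasons.append("tunnel registered as a service (persistence)")
    if not any(d in str(image).lower() for d in TRUSTED_DIRS):
        reasons.append("binary outside standard install paths")
    if event["parent"].lower() in WEB_WORKERS:
        reasons.append("spawned by a web server worker (webshell pattern)")
    if event["user"].upper().endswith("\\SYSTEM"):
        reasons.append("running as SYSTEM")
    return {"host": event["host"], "user": event["user"], "image": str(image),
            "reasons": reasons, "severity": "high" if len(reasons) >= 3 else "medium"}


def scan(jsonl):
    """Run analyze_event over JSON-lines input and return every finding."""
    return [f for f in (analyze_event(json.loads(l)) for l in jsonl.strip().splitlines()) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

A developer workstation launching the editor normally (the second event) is not flagged; only launches of the `tunnel` subcommand are, and the added context separates a developer's own tunnel from one started by a web worker in a temp directory.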

Furthermore, the involvement of shared malware like mimCN, used in prior Chinese campaigns such as Operation Soft Cell and Operation Tainted Love, highlights the existence of centralized entities responsible for equipping Chinese APT groups with advanced tooling.

The campaign’s strategic targeting, sophisticated techniques, and exploitation of legitimate tools underscore the critical need for proactive and adaptive cybersecurity measures.

As SentinelOne concluded: “For defenders, this calls for a reevaluation of traditional security approaches and the implementation of robust detection mechanisms to identify such evasive techniques in real time.”