US Organization in China Falls Victim to Suspected Chinese Espionage Campaign
A recent report from the Symantec Threat Hunter Team reveals a troubling cyberespionage operation targeting a large US organization operating in China. The attack is suspected to be the work of a China-based threat actor.
The attackers gained a persistent foothold within the organization’s network, likely for intelligence gathering purposes. As the report states, “The attack was likely carried out by a China-based threat actor, since some of the tools used in this attack have been previously associated with Chinese attackers.” The intrusion, which began as early as April 2024 and continued until August 2024, involved sophisticated tactics and tools to move laterally across the network, compromising multiple computers, including Exchange Servers.
DLL Sideloading and Living off the Land Tactics Employed
The attackers employed a combination of techniques to achieve their objectives, including DLL sideloading and living off the land. They leveraged legitimate applications like GoogleToolbarNotifier.exe and iTunesHelper.exe to load malicious DLLs, effectively masking their activity.
Furthermore, the attackers utilized readily available tools like Impacket, FileZilla, and PSCP, along with native Windows tools such as WMI, PsExec, and PowerShell. “The attackers also leveraged several living-off-the-land tools,” the report notes, “[including] WMI (Windows Management Instrumentation), PsExec, [and] PowerShell.” This approach allowed them to blend in with normal network activity and evade detection.
Kerberoasting and Data Exfiltration
Evidence suggests the attackers engaged in Kerberoasting, a technique used to steal credentials for service accounts, potentially granting them access to privileged accounts for lateral movement. The report highlights a command used in the attack: "$ProgressPreference='SilentlyContinue';setspn.exe -T medin.local -Q */* | Select-String '^CN' -Context 0,1 | % { New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $_.Context.PostContext[0].Trim() }"
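The command quoted above enumerates every SPN in the domain and then requests a service ticket for each one, which leaves a distinctive pattern on the domain controller: a single account requesting service tickets for many different service accounts in a short time, usually with the RC4 encryption type. The script below is an added detection example, not code from the Symantec report; it assumes Windows Security event 4769 records reduced to the fields UtcTime, TargetUserName, ServiceName, TicketEncryptionType and Status, and the five-minute window and threshold of five distinct services are assumptions to tune per environment. The records are constructed for the example.

```python
"""Spot Kerberoasting-style activity in Windows Security event 4769 records.

Added example, not code from the Symantec report. Records are a constructed
simplification of 4769 (Kerberos service ticket requested) fields; the
window and threshold are assumptions to tune per environment.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# 0x17 = RC4-HMAC, 0x18 = RC4-HMAC-EXP. Roasting tools usually ask for RC4
# because it is far cheaper to crack offline than AES (0x11 / 0x12).
RC4_ETYPES = {"0x17", "0x18"}


def detect_kerberoasting(events, window=timedelta(minutes=5), min_distinct=5):
    """Return one alert per account that obtained RC4 service tickets for at
    least `min_distinct` different service accounts inside `window`."""
    by_user = defaultdict(list)
    for e in events:
        if e["Status"] != "0x0":          # failed requests did not yield a ticket
            continue
        if e["TicketEncryptionType"].lower() not in RC4_ETYPES:
            continue
        svc = e["ServiceName"]
        # Computer accounts ($) and krbtgt are not practical roasting targets.
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        by_user[e["TargetUserName"]].append((datetime.fromisoformat(e["UtcTime"]), svc))

    alerts = []
    for user, reqs in by_user.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):
            # Sliding window anchored at each request; count distinct services.
            in_window = {s for t, s in reqs[i:] if t - t0 <= window}
            if len(in_window) >= min_distinct:
                alerts.append({"user": user, "start": t0.isoformat(),
                               "services": sorted(in_window)})
                break
    return alerts


def _ev(ts, user, svc, etype, status="0x0"):
    """Build one constructed 4769-style record."""
    return {"UtcTime": ts, "TargetUserName": user, "ServiceName": svc,
            "TicketEncryptionType": etype, "Status": status}


# Constructed sample: one account sweeps six service accounts with RC4 in
# under a minute; the other requests are benign AES tickets, a single legacy
# RC4 ticket, a computer-account ticket and one failed request.
SAMPLE_4769 = [
    _ev("2024-06-03T09:00:00", "alice@EXAMPLE.LOCAL", "svc_sql", "0x12"),
    _ev("2024-06-03T09:00:05", "alice@EXAMPLE.LOCAL", "svc_web", "0x12"),
    _ev("2024-06-03T09:01:00", "bob@EXAMPLE.LOCAL", "svc_legacy", "0x17"),
    _ev("2024-06-03T09:02:00", "ws07$@EXAMPLE.LOCAL", "DC01$", "0x12"),
] + [
    _ev(f"2024-06-03T09:10:{i * 10:02d}", "compromised@EXAMPLE.LOCAL", f"svc_{n}", "0x17")
    for i, n in enumerate(["sql", "web", "backup", "ldapproxy", "scan", "report"])
] + [
    _ev("2024-06-03T09:11:40", "compromised@EXAMPLE.LOCAL", "svc_fail", "0x17", status="0xC"),
]

if __name__ == "__main__":
    for a in detect_kerberoasting(SAMPLE_4769):
        print(f"{a['user']} requested {len(a['services'])} RC4 service tickets from {a['start']}")
```

On the constructed records only the sweeping account is reported; the one legacy RC4 ticket and the AES requests stay below the threshold. In an environment where RC4 is still common the encryption-type filter will not separate signal from noise on its own, so the distinct-service count over time is the part to keep. The enumeration half of the quoted command is a separate, complementary signal in process-creation logs: setspn.exe with a wildcard query run from a workstation rather than an administrative host.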
The attackers also deployed exfiltration tools, indicating that sensitive data was stolen from the organization. On one compromised machine, a web server, the attackers utilized FileZilla and PSCP to download files from a remote host, likely for exfiltration purposes.
Links to Known Chinese Threat Actors
The Symantec report points to several indicators linking the attack to known Chinese threat actors. “Aside from the fact that DLL sideloading is a widely favored tactic among Chinese groups,” the report explains, “the same organization was targeted in 2023 by an attacker with tentative links to the China-based Daggerfly group.”
Additionally, the use of the file “textinputhost.dat” further strengthens the connection to Chinese espionage activity. This file has been previously associated with the Crimson Palace group, known for targeting organizations in Southeast Asia.