Chinese APT Group Ran Multi-year Cyber Espionage Operation, Stole U.S. Trade Secrets


Boston-based cybersecurity company Cybereason has uncovered a massive and long-running cyber espionage campaign, dubbed Operation CuckooBees, carried out by China’s Winnti APT group. Members of the group were previously indicted for stealing intellectual property information from U.S. organizations.

Security researchers at Cybereason on Wednesday disclosed the existence of a cyber espionage campaign conducted by Chinese threat actors. The company’s findings once again substantiate a long-standing U.S. concern: the theft and outflow of intellectual property developed in the country.

Cybereason attributed the sophisticated cyber espionage campaign, dubbed Operation CuckooBees, to the Winnti Advanced Persistent Threat (APT) group with “moderate-to-high confidence.” Also known as APT41, BARIUM, and Blackfly, the group is notorious for stealing proprietary information and is believed to be associated with the Chinese state.

Such is the persistence of Operation CuckooBees that the campaign remained undetected since at least 2019. It is unclear whether the campaign began before 2019; the group itself has been active since 2010.

Winnti’s goal is to siphon off proprietary information: trade secrets, R&D documents, source code and blueprints for various technologies. “The attackers targeted intellectual property developed by the victims, including sensitive documents, blueprints, diagrams, formulas, and manufacturing-related proprietary data,” wrote the Cybereason Nocturnus Incident Response Team.

Targets and victims include dozens of technology and manufacturing companies, primarily from East Asia, Western Europe, and North America. “With years to surreptitiously conduct reconnaissance and identify valuable data, it is estimated that the group managed to exfiltrate hundreds of gigabytes of information,” Cybereason added.

The APT group exploits both known and previously unknown vulnerabilities in a popular Enterprise Resource Planning (ERP) solution for initial access. Winnti also abuses a native Windows remote management feature, WinRM over HTTP/HTTPS, as a backup entry point, which lets it regain access with legitimate administrative tooling rather than an exploit.
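Because WinRM is a built-in feature rather than malware, the practical defensive question is whether a host exposes it and who has been using it. The following PowerShell audit is an added example, not code from the article or from Cybereason’s report; it assumes an elevated session on the Windows host being checked and standard WinRM defaults (HTTP on 5985, HTTPS on 5986).

```powershell
# Added example (not from the article or Cybereason's report): audit a host's
# WinRM exposure and look for remote shells created over it. Run elevated.

# 1. Is the WinRM service running at all?
$svc = Get-Service -Name WinRM -ErrorAction SilentlyContinue
"WinRM service status: {0}" -f $svc.Status

# 2. Which listeners exist, on which transport and port? An HTTP listener
#    (default port 5985) carries traffic without TLS at the transport layer;
#    HTTPS (default 5986) requires a server certificate.
Get-ChildItem -Path WSMan:\localhost\Listener -ErrorAction SilentlyContinue |
    ForEach-Object {
        $props = Get-ChildItem -Path $_.PSPath
        [pscustomobject]@{
            Listener  = $_.Name
            Transport = ($props | Where-Object Name -eq 'Transport').Value
            Port      = ($props | Where-Object Name -eq 'Port').Value
            Address   = ($props | Where-Object Name -eq 'Address').Value
            Enabled   = ($props | Where-Object Name -eq 'Enabled').Value
        }
    } | Format-Table -AutoSize

# 3. Service settings that widen the attack surface if enabled:
#    unencrypted payloads and Basic authentication (credentials in the clear).
[pscustomobject]@{
    AllowUnencrypted = (Get-Item WSMan:\localhost\Service\AllowUnencrypted).Value
    BasicAuth        = (Get-Item WSMan:\localhost\Service\Auth\Basic).Value
} | Format-List

# 4. Firewall rules that actually expose the listeners, by network profile.
Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' -ErrorAction SilentlyContinue |
    Where-Object Enabled -eq 'True' |
    Select-Object DisplayName, Profile, Direction |
    Format-Table -AutoSize

# 5. Remote shells created over WinRM in the last 30 days. Event ID 91 in the
#    Microsoft-Windows-WinRM/Operational log records the creation of a WSMan
#    shell (for example a PowerShell Remoting session); review who connected
#    and from where, and compare against expected administrative activity.
$since = (Get-Date).AddDays(-30)
Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-WinRM/Operational'
        Id        = 91
        StartTime = $since
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message |
    Format-Table -Wrap
```

Hosts that return a listener on 5985, `AllowUnencrypted = true`, or firewall rules enabled on the Public profile deserve attention first; unexpected Event 91 entries from service accounts or outside maintenance windows are the kind of activity a “backup entry point” would produce.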

One malware strain used by Winnti, called DEPLOYLOG, is new and previously undocumented. The APT group also uses newer versions of known Winnti malware, including Spyder Loader, PRIVATELOG, and WINNKIT. Cybereason provided the following list of malware in the Winnti arsenal:

  • Spyder: A sophisticated modular backdoor
  • STASHLOG: The initial deployment tool, “stashing” payloads in Windows CLFS (Common Log File System) log files
  • SPARKLOG: Extracts and deploys PRIVATELOG to gain privilege escalation and achieve persistence
  • PRIVATELOG: Extracts and deploys DEPLOYLOG
  • DEPLOYLOG: Deploys the WINNKIT rootkit and serves as its userland agent
  • WINNKIT: The Winnti kernel-level rootkit

What matters most in cyber espionage, however, is that the perpetrator remains undetected and so enjoys unhindered access to the target organization’s resources. Winnti managed to stay hidden from security products for over three years by abusing the Windows CLFS logging mechanism to store its payloads and by manipulating NTFS transactions, techniques that keep malicious code out of the places most security tools inspect.


Cybereason explained that all this was executed in a multi-phased manner. “The malware authors chose to break the infection chain into multiple interdependent phases, where each phase relies on the previous one in order to execute correctly,” the company said.

“This demonstrates the thought and effort that was put into both the malware and operational security considerations, making it almost impossible to analyze unless all pieces of the puzzle are assembled in the correct order.”

Winnti Kill Chain | Source: Cybereason

An expansive drill down into Operation CuckooBees by Cybereason is available here.

Theft of intellectual property is considered unethical on top of being illegal. The U.S. has previously charged and indicted multiple Chinese nationals, including members of the Winnti APT group, for carrying out technology and economic espionage. According to the FBI, “China is the world’s principal infringer of intellectual property, and it uses its laws and regulations to put foreign companies at a disadvantage and its own companies at an advantage.”

Cybereason pointed out, “Cyber espionage doesn’t usually generate the same degree of panic or media attention as other cyberattacks, but the lack of attention doesn’t make it any less dangerous. A malicious campaign that silently steals intellectual property for years is exceptionally costly and may have repercussions for years to come.”

How costly Operation CuckooBees was is difficult to ascertain, but a multi-year campaign of this kind may well have eroded the victims’ competitive advantage over Chinese organizations.
