Report: Chinese Hackers Stole Trillions in Intellectual Property from Multinational Companies
Boston-based security firm Cybereason released a report Wednesday which chronicled a “massive Chinese intellectual property theft operation” dubbed “Operation CuckooBees.”
The operation involved Chinese hackers stealing hundreds of gigabytes of high-tech intellectual property from some 30 multinational corporations, including military technology and pharmaceutical data.
Cybereason said its Nocturnus Incident Response Team discovered the hacker campaign when it was hired to “investigate multiple intrusions targeting technology and manufacturing companies in North America, Europe, and Asia” in 2021.
The team uncovered an “elusive and sophisticated cyber espionage campaign operating undetected since at least 2019,” most likely perpetrated by an Advanced Persistent Threat (APT) group called Winnti.
“Winnti, also known as APT 41, BARIUM, and Blackfly, is a Chinese state-sponsored APT group known for its stealth, sophistication, and focus on stealing technology secrets,” the report explained.
Winnti has been active since at least 2010. Cybereason’s investigators said the group employed new strains of malware for the Operation CuckooBees caper, but also used some of its tried-and-true viruses to open backdoors into targeted computer systems and slowly, quietly extract huge amounts of data.
“Over the years, there have been multiple reports and US Department of Justice (DOJ) indictments tying Winnti to large-scale IP theft operations. Cybereason researchers believe that dozens of other companies were potentially affected by this or similar campaigns carried out by Winnti,” Cybereason said.
Winnti is noted for conducting extensive reconnaissance of targeted systems before its malware is activated and data extraction begins. Cybereason said some of the data pilfered by Operation CuckooBees could be useful for facilitating future attacks.
Cybereason noted in a detailed analysis of the malware used in the attack:
Perhaps one of the most interesting and striking aspects of this report is the level of sophistication introduced by the malware authors. The infection and deployment chain is long, complicated and interdependent — should one step go wrong, the entire chain collapses — making it somewhat vulnerable, yet at the same time provides an extra level of security and stealth for the operation.
The report said it was “hard to estimate the exact number of companies affected by Operation CuckooBees” due to the “complexity, stealth, and sophistication of the attacks.”
“We’re talking about Blueprint diagrams of fighter jets, helicopters, and missiles,” Cybereason CEO Lior Div told CBS News on Wednesday. “We saw them stealing IP of drugs around diabetes, obesity, depression.”
Div said the value of the stolen data could be measured in “trillions, not billions” of dollars.
“The real impact is something we’re going to see in five years from now, ten years from now, when we think that we have the upper hand on pharmaceutical, energy, and defense technologies. And we’re going to look at China and say, how did they bridge the gap so quickly without the engineers and resources?” he warned.
According to Div, Operation CuckooBees remains ongoing.
Operation CuckooBees: Deep-Dive into Stealthy Winnti Techniques
May 4, 2022 | 11 minute read
In 2021, the Cybereason Nocturnus Incident Response Team investigated multiple intrusions targeting technology and manufacturing companies located in Asia, Europe and North America. Based on the findings of our investigation, it appears that the goal behind these intrusions was to steal sensitive intellectual property for cyber espionage purposes.
Cybereason assesses with moderate-high confidence that the threat actor behind the intrusion is the Winnti Group (also tracked as APT41, Blackfly and BARIUM), one of the most advanced and elusive APT groups that is known to operate on behalf of Chinese state interests and whose members have been indicted by the US Department of Justice for severe computer crimes.
Part one of this research offers a unique glimpse into the Winnti intrusion playbook, covering the techniques that were used by the group from initial compromise to data exfiltration, as observed and analyzed by the Cybereason IR Team. Part two of this research will offer a deep-dive analysis of the group’s tools and unique malware, including newly discovered, previously undocumented Winnti malware.
- Multi-year Cyber Espionage Intrusions: The Cybereason IR team investigated a sophisticated and elusive cyber espionage operation that has remained undetected since at least 2019 with the goal of stealing sensitive proprietary information from technology and manufacturing companies, mainly in East Asia, Western Europe, and North America.
- Newly Discovered Malware and Multi-Stage Infection Chain: Part two of the research examines both known and previously undocumented Winnti malware which included digitally signed kernel-level rootkits as well as an elaborate multi-stage infection chain which enabled the operation to remain undetected since at least 2019.
- Winnti APT Group: Cybereason assesses with moderate-to-high confidence that the threat actor behind the set of intrusions is the Winnti Group, a Chinese state-sponsored APT group known for its stealth, sophistication and a focus on stealing technology.
- The Winnti Playbook: This research offers a unique glimpse into the Winnti intrusion playbook, detailing the most frequently used tactics, as well as some lesser known evasive techniques that were observed during the investigation.
THE WINNTI ATTACK LIFECYCLE
During 2021, Cybereason Nocturnus investigated an elaborate espionage operation targeting a number of prominent organizations in Asia, Europe and North America. Cybereason attributes with moderate-to-high confidence that this operation was carried out by the Winnti APT group (also known as APT41, BARIUM, and Blackfly) – a Chinese state-sponsored APT that has been active since at least 2010.
The attackers’ initial foothold in the organization originated from multiple vulnerabilities in the organizational ERP (Enterprise Resource Planning) platform. From there, the attackers installed persistence in the form of a WebShell and began conducting reconnaissance and credential dumping, enabling them to move laterally in the network. Ultimately, this allowed the attackers to steal highly sensitive information from critical servers and endpoints belonging to high-profile stakeholders.
Analysis of the data available to Cybereason suggests that the goal of the operation was focused on cyber espionage with the aim of stealing proprietary information, R&D documents, source code and blueprints for various technologies.
The attackers managed to go undetected for years by using stealthy techniques combined with state-of-the-art attack and espionage tools which included advanced rootkits.
According to the Cybereason IR investigation, the infection vector that was used to compromise Winnti targets consisted of the exploitation of a popular ERP solution leveraging multiple vulnerabilities, some known and some that were unknown at the time of the exploitation.
One of the first actions taken after a successful exploit was an attempt to locate a specific DLL file, gthread-3.6.dll, under the VMware Tools folder. The DLL is invoked by the intermediate dropper, and its role is to inject the payload into svchost.exe on the targeted system. This TTP has been observed before and is known to be characteristic of the Winnti group:
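The DLL-to-svchost.exe step described above gives a defender something concrete to hunt for in endpoint telemetry: a module named gthread-3.6.dll being loaded at all, and svchost.exe loading any module out of the VMware Tools directory (or an unsigned module) rather than from System32. The script below is an added example, not Cybereason's code or tooling. It runs over constructed Sysmon-style ImageLoad (Event ID 7) records; the VMware Tools install path, the field names and the sample events are assumptions, and the benign module names are made up for the sample.

```python
"""Hunt for the gthread-3.6.dll / svchost.exe loading pattern in image-load telemetry.

Added example (not from the report). Events are constructed JSON lines loosely
modelled on Sysmon Event ID 7 (ImageLoad) fields: Image, ImageLoaded, Signed.
"""
import json
from pathlib import PureWindowsPath

# Names taken from the report. The install directory is an assumption: the page
# only says the DLL was looked for "under the VMware Tools folder".
SUSPECT_DLL = "gthread-3.6.dll"
VMWARE_TOOLS_DIR = PureWindowsPath(r"C:\Program Files\VMware\VMware Tools")
SVCHOST = "svchost.exe"

# Constructed sample telemetry: two benign loads, one suspicious load, plus a
# ProcessCreate record that the hunt should ignore because it is not an ImageLoad.
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"EventId": 7, "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\rpcrt4.dll", "Signed": "true"},
    {"EventId": 7, "Image": r"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe",
     "ImageLoaded": r"C:\Program Files\VMware\VMware Tools\vmtools.dll", "Signed": "true"},
    {"EventId": 7, "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Program Files\VMware\VMware Tools\gthread-3.6.dll", "Signed": "false"},
    {"EventId": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},
]]


def under_dir(path: str, base: PureWindowsPath) -> bool:
    """Case-insensitive check that `path` lies inside directory `base`."""
    return str(PureWindowsPath(path)).lower().startswith(str(base).lower() + "\\")


def hunt(lines):
    """Return one finding per suspicious ImageLoad event, with all matching reasons.

    Reasons:
      report_named_dll               - the loaded module is gthread-3.6.dll
      svchost_loads_from_vmware_tools - svchost.exe loaded a module from VMware Tools
      svchost_unsigned_module        - svchost.exe loaded a module not marked signed
    """
    findings = []
    for line in lines:
        ev = json.loads(line)
        if ev.get("EventId") != 7:
            continue  # only image-load records carry the module path
        image = ev.get("Image", "")
        loaded = ev.get("ImageLoaded", "")
        proc_name = PureWindowsPath(image).name.lower()
        loaded_name = PureWindowsPath(loaded).name.lower()

        reasons = []
        if loaded_name == SUSPECT_DLL:
            reasons.append("report_named_dll")
        if proc_name == SVCHOST and under_dir(loaded, VMWARE_TOOLS_DIR):
            reasons.append("svchost_loads_from_vmware_tools")
        if proc_name == SVCHOST and str(ev.get("Signed", "")).lower() != "true":
            reasons.append("svchost_unsigned_module")

        if reasons:
            findings.append({"image": image, "loaded": loaded, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f['image']} loaded {f['loaded']}: {', '.join(f['reasons'])}")
```

On the constructed sample only the third record is flagged, and it trips all three checks at once. In a real deployment the directory check is the one most worth keeping even if the specific file name changes, since svchost.exe has no legitimate reason to pull modules out of a third-party tools folder.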