On December 18, 2024, China’s National Computer Network Emergency Response Technical Team (CNCERT) issued a detailed report uncovering two sophisticated cyberattacks allegedly conducted by the United States against a prominent Chinese technology enterprise. The attacks resulted in the theft of nearly 5 gigabytes of critical commercial information and intellectual property.
A Coordinated Cyber Assault
The CNCERT report outlines a series of deliberate and well-planned cyber intrusions that began in August 2024. On August 19, attackers exploited a vulnerability in the enterprise’s electronic document management system to gain unauthorized access. By stealing the system administrator’s credentials, they infiltrated the backend of the compromised system on August 21.
Subsequently, at noon on the same day, the attackers deployed a backdoor and customized Trojan programs within the system. These malicious programs operated covertly, residing only in memory to evade detection. The Trojans collected sensitive files from compromised personal computers within the organization, while the backdoor aggregated and transmitted the stolen data overseas.
Expansion of the Breach
Between November 6 and 16, 2024, the attackers escalated their efforts by exploiting the software upgrade function of the document server. They implanted specialized Trojan programs into 276 personal computers across the enterprise. These Trojans were designed to scan infected machines for sensitive files, steal login credentials, and gather personal information, deleting themselves after execution to avoid detection.
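The report describes the document server's software upgrade function being used to push Trojans to endpoints. The standard mitigation is that clients never trust a package just because the distribution server handed it out: they verify it against a manifest signed by the release pipeline, which the distribution server cannot forge. The following is an added illustration written for this page, not code from CNCERT or from the affected enterprise. It assumes a hypothetical release key held only by the build pipeline and the clients, and uses HMAC-SHA256 as a standard-library stand-in for the asymmetric signature (for example Ed25519) a real deployment would use; the package names and contents are constructed.

```python
import hashlib
import hmac
import json

# Assumption (constructed for this example): the release pipeline holds this key
# and the document/update server never sees it. HMAC stands in for a public-key
# signature so the example runs with the standard library only; in production
# the pipeline signs with a private key and clients verify with the public key.
RELEASE_KEY = b"constructed-release-key-not-for-production"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _manifest_body(packages: dict) -> bytes:
    # Canonical encoding so signer and verifier hash identical bytes.
    return json.dumps(packages, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(packages: dict, key: bytes = RELEASE_KEY) -> dict:
    """Release-pipeline side: list every approved package with its SHA-256 digest
    and attach an integrity tag over that list."""
    listing = {name: sha256_hex(blob) for name, blob in packages.items()}
    tag = hmac.new(key, _manifest_body(listing), hashlib.sha256).hexdigest()
    return {"packages": listing, "tag": tag}


def verify_update(name: str, blob: bytes, manifest: dict, key: bytes = RELEASE_KEY) -> bool:
    """Endpoint side: install only if (1) the manifest tag verifies, so the
    distribution server could not have edited the listing, (2) the package name
    is in the listing, and (3) the downloaded bytes match the listed digest."""
    listing = manifest.get("packages", {})
    expected_tag = hmac.new(key, _manifest_body(listing), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_tag, str(manifest.get("tag", ""))):
        return False  # manifest altered or forged on the distribution server
    listed_digest = listing.get(name)
    if listed_digest is None:
        return False  # package never produced by the release pipeline
    return hmac.compare_digest(listed_digest, sha256_hex(blob))


if __name__ == "__main__":
    # Constructed sample: one legitimate client build approved by the pipeline.
    approved = {"docclient-2.4.1.pkg": b"constructed legitimate client bytes"}
    manifest = sign_manifest(approved)

    print(verify_update("docclient-2.4.1.pkg", approved["docclient-2.4.1.pkg"], manifest))
    # A package swapped on the distribution server fails the digest check.
    print(verify_update("docclient-2.4.1.pkg", b"bytes substituted on the server", manifest))
    # A package the pipeline never listed is rejected even if it looks plausible.
    print(verify_update("helper-update.pkg", b"anything", manifest))
```

The design point is that the check anchors trust in the release pipeline rather than in the server that happens to distribute the files; a compromised upgrade server can then only deny updates, not substitute them. The manifest should also carry a version or expiry so an attacker holding the server cannot replay an old, vulnerable build.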
Massive Theft of Trade Secrets
The attackers conducted comprehensive scans of host machines within the enterprise, utilizing proxy IP addresses based in China to infiltrate the internal network. They meticulously identified potential targets and gathered extensive information about the company’s operations.
During this period, the attackers executed targeted data theft operations, utilizing preprogrammed keywords relevant to the enterprise’s work. When files containing these keywords were identified, they were stolen and transmitted abroad. The attacks were highly specific and well-prepared, indicating a deep understanding of the enterprise’s activities. Over the course of these operations, approximately 4.98 GB of sensitive commercial information and intellectual property were exfiltrated.
Characteristics of the Attacks
The CNCERT report highlights several notable aspects of the cyberattacks:
- Timing: The majority of the attacks occurred between 10 p.m. and 8 a.m. Beijing Time, correlating with standard working hours in the Eastern United States. This timing suggests coordination to maximize efficiency while minimizing the risk of detection.
- Resources: The attackers utilized proxy IP addresses located in Germany, Romania, and other regions, demonstrating a sophisticated understanding of counter-forensics and access to extensive technological resources.
- Tools: Open-source and generic tools were employed to disguise malicious activities. The backdoor programs operated solely in memory, not on hard drives, significantly complicating detection and analysis efforts.
- Techniques: By compromising the software upgrade management server, the attackers manipulated the client distribution process to disseminate Trojans rapidly across the company’s network. This strategic approach enabled large-scale information gathering and highlighted the attackers’ advanced capabilities.
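The timing characteristic above (activity between 10 p.m. and 8 a.m. Beijing Time) is one of the cheapest signals a defender can operationalise: privileged logons and update pushes inside a window when no local administrator should be working. The following detector is an added example written for this page, not code from the report. It assumes a simple key=value authentication log with UTC ISO-8601 timestamps (a constructed format), a hypothetical set of privileged account names, and the Beijing window stated in the report; the log lines are constructed.

```python
from datetime import datetime, timedelta, timezone

# Asia/Shanghai is UTC+8 with no daylight saving, so a fixed offset is exact.
BEIJING = timezone(timedelta(hours=8))

# Constructed sample log: UTC timestamps followed by key=value fields.
SAMPLE_LOG = """\
2024-11-06T02:15:41Z user=alice src=10.20.1.15 event=logon result=success
2024-11-06T15:03:09Z user=sysadmin src=10.20.7.2 event=logon result=success
2024-11-06T18:44:51Z user=sysadmin src=10.20.7.2 event=update_push result=success
2024-11-07T01:20:00Z user=bob src=10.20.1.22 event=logon result=success
2024-11-07T14:30:00Z user=bob src=10.20.1.22 event=logon result=success
2024-11-07T23:58:13Z user=sysadmin src=10.20.7.2 event=logon result=success
"""

# Hypothetical list of accounts whose off-hours activity should page someone.
PRIVILEGED = frozenset({"sysadmin"})


def parse_line(line: str) -> dict:
    """Parse one log line into a dict; adds 'ts_local' in Beijing time."""
    ts_text, *kvs = line.split()
    ts_utc = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    fields = dict(kv.split("=", 1) for kv in kvs)
    fields["ts_local"] = ts_utc.astimezone(BEIJING)
    return fields


def is_off_hours(local_dt: datetime, start_hour: int = 22, end_hour: int = 8) -> bool:
    """True for a local time in the window [start_hour, 24) or [0, end_hour).
    Defaults are the 10 p.m. to 8 a.m. Beijing window from the report."""
    hour = local_dt.hour
    return hour >= start_hour or hour < end_hour


def off_hours_events(log_text: str, privileged=PRIVILEGED) -> list:
    """Return every event inside the off-hours window, flagging privileged users."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        if is_off_hours(event["ts_local"]):
            event["privileged"] = event.get("user") in privileged
            hits.append(event)
    return hits


def summarize_by_user(hits: list) -> dict:
    """Count off-hours events per user, to spot a single account driving activity."""
    counts = {}
    for event in hits:
        counts[event["user"]] = counts.get(event["user"], 0) + 1
    return counts


if __name__ == "__main__":
    for h in off_hours_events(SAMPLE_LOG):
        flag = "PRIVILEGED" if h["privileged"] else "user"
        print(h["ts_local"].isoformat(), h["user"], h["event"], h["src"], flag)
    print(summarize_by_user(off_hours_events(SAMPLE_LOG)))
```

Converting to the organisation's local zone before applying the window is the step most often skipped; the same UTC timestamps evaluated in another zone would give a different picture. Off-hours activity alone is not proof of intrusion, so the practical use is to raise the priority of privileged off-hours logons and update pushes for review and to correlate them with the other indicators the report lists (unknown proxy sources, unexpected client distributions).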
Implications and Response
The revelation of these cyberattacks underscores ongoing concerns about cybersecurity and the protection of trade secrets within the global technology sector. CNCERT’s report reflects China’s commitment to safeguarding its technological enterprises and highlights the need for increased vigilance and international cooperation in combating cyber threats.
As the investigation continues, the affected enterprise is expected to enhance its security protocols and work closely with authorities to prevent future breaches. The incident also raises awareness among other organizations to assess and strengthen their cybersecurity measures proactively.
Reference: "China releases report on U.S. cyberattacks targeting a tech enterprise", cgtn.com