Chinese-Sponsored Espionage And Hacking Campaign Found Targeting Hong Kong And Sri Lanka

Spying on other governments' entities no longer involve sending spies behind enemy lines. Instead, governments can employ hackers.

And this time, the China-aligned espionage-focused actor dubbed Winnti (or also known as APT41, Barium, Bronze Atlas, and Wicked Panda), has been found targeting government organizations in Hong Kong as part of an ongoing campaign dubbed Operation 'CuckooBees.'

The campaign was originally found targeting intellectual property from organizations in developed economies.

According to findings by Cybereason in a report back in May 2022, the campaign was meant to siphon secrets from technology and manufacturing companies mainly located in East Asia, Western Europe, and North America.

Among the entities the campaign targets, include healthcare, telecommunications, high-tech, media, agriculture, and education sectors, with infection chains primarily relying on spear-phishing emails with attachments to initially break into the victims' networks.

The intrusions under the Operation CuckooBees campaign, are estimated to have resulted in the exfiltration of "hundreds of gigabytes of information," Cybereason disclosed.

Winnti

This time, the campaign targets those in Hong Kong, that according to the Symantec Threat Hunter team.

In the report, it's suggested that the attackers remained active on some of the compromised networks for as long as a year. The intrusions paved the way for the deployment of a malware loader called Spyder Loader, which first came to light in March 2021.

"[Spyder] is being used for targeted attacks on information storage systems, collecting information about corrupted devices, executing mischievous payloads, coordinating script execution, and C&C server communication," the SonicWall Capture Labs Threat Research Team noted.

Besides the Spyder malware, the malicious actors behind the campaign also deployed other post-exploitation tools, such as Mimikatz and a trojanized zlib library module that's capable of receiving commands from a remote server or loading an arbitrary payload.

Symantec said that the motives of the campaign are suspected to be linked to Chinese-backed, intelligence gathering campaign.

"The fact that this campaign has been ongoing for several years, with different variants of the Spyder Loader malware deployed in that time, indicates that the actors behind this activity are persistent and focused adversaries, with the ability to carry out stealthy operations on victim networks over a long period of time," Symantec said.

In a separate report, Winnti itself is also found targeting Sri Lankan government entities.

It was Malwarebytes that uncovered the attacks targeting those in Sri Lanka in early August 2022, in which the attackers deployed backdoor referred to as DBoxAgent that leverages Dropbox for command-and-control.

"To our knowledge, Winnti (a China-backed APT) is targeting Sri Lanka for the first time," the Malwarebytes Threat Intelligence team said.

[block:block=87]

Cuckoobees

Because the backdoor essentially allow the attackers to enter and exit the system unnoticed, it also allowed them to infiltrate deeper into the system.

This is done by deploying even more malware tools for data exfiltration, including activating a multi-stage infection sequence that culminates in the use of an advanced C++ backdoor named KEYPLUG.

The ultimate goal of the intrusions, the researchers said, is to siphon proprietary information, research documents, source code, and blueprints for various technologies.

"Winnti remains active and its arsenal keeps growing as one of the most sophisticated groups nowadays," the cybersecurity firm said. "Sri Lanka's location in South Asia is strategic for China as it has open access to the Indian Ocean and is close to India."

"Winnti is one of the most industrious groups operating on behalf of Chinese state-aligned interests," Cybereason added. "The threat [actor] employed an elaborate, multi-stage infection chain that was critical to enabling the group to remain undetected for so long."

"The group's intent is towards theft of intellectual property from organizations in developed economies, and with moderate confidence that this is on behalf of China to support decision making in a range of Chinese economic sectors," said Secureworks, explaining the threat profile of the actor.