China-linked APT Caught Pilfering Treasure Trove of IP


A state-sponsored threat actor designed a house-of-cards style infection chain to exfiltrate massive troves of highly sensitive data.

Researchers from Cybereason’s Nocturnus Team have uncovered a massive, highly successful, three-year-long campaign of intellectual property theft.

The perpetrators were likely able to siphon hundreds of gigabytes worth of “sensitive proprietary information from technology and manufacturing companies mainly in East Asia, Western Europe, and North America,” according to the report released Wednesday.

The theft remained completely under the radar from law enforcement. They pulled it off by combining an “arsenal” of malware – including a brand new strain called DEPLOYLOG – into a complex infection chain.

The researchers attributed the campaign, with “moderate-to-high confidence,” to the Winnti group (aka APT41, BARIUM or Blackfly). Winnti is “an exceptionally capable adversary” that is “believed to be operating on behalf of Chinese state interests and specializes in cyberespionage and intellectual property theft.”

A Highly Successful Heist

Researchers believe the campaign has been ongoing since at least 2019.

They said Winnti began its attacks by exploiting a popular enterprise resource planning (ERP) platform used by its targets. With this foothold the group installed web shells to establish persistence, then began reconnaissance and credential theft. With a map of the network and privileged credentials, it could move laterally to reach sensitive stores of data. All of these are common strategies used by APTs around the world every day.

What distinguished Winnti’s attacks was in the details.

For one thing, they leveraged multiple vulnerabilities in that undisclosed ERP platform. Some of the vulnerabilities were publicly known, but some were zero-days.

The infection chain they crafted from there is of particular note. The researchers called it a “house of cards” – “a sophisticated and unique multi-staged infection chain with numerous payloads. Each payload fulfills a unique role in the infection chain, which is successful only upon the complete deployment of all of the payloads.”

As an example, one of these cards is DEPLOYLOG, a previously undocumented malware strain. It is first introduced to the host machine by another module, PRIVATELOG. It then drops a rootkit, WINNKIT, and opens a line of communication between the rootkit and Winnti’s command-and-control servers.

WINNKIT, ultimately, is what matters most here. Described as “a driver acting as a rootkit,” it contains a host of useful tools for transferring data from a host machine, modifying files, killing processes and much more. And despite being known to analysts, the researchers noted, it has a near-zero detection rate on VirusTotal.

Each stage of this chain was sophisticated in its own right. But it was the house-of-cards arrangement that made the campaign “almost impossible to analyze unless all pieces of the puzzle are assembled in the correct order.”

Stolen Data Costly and Dangerous

Winnti primarily went after American, European, and Asian technology companies and manufacturers. They went for intellectual property “including sensitive documents, blueprints, diagrams, formulas, and manufacturing-related proprietary data,” according to the report.

The haul was clearly massive, and that is partly why the researchers could not determine the exact number of organizations affected or the precise financial impact they incurred.

The other reason they could not gauge the combined cost is that many of the costs may be yet to come. Beyond commercial IP, “the attackers collected information that could be used for future cyberattacks, such as details about the target company’s business units, network architecture, user accounts and credentials, employee emails and customer data.”

To avoid further Winnti attacks in the years to come, targeted organizations will need to rotate all of those employee credentials, adjust that network architecture and root out any remaining backdoors. If even one hole is left open, they will remain vulnerable.

Aging APT Still Packs a Punch

Winnti is one of the oldest APTs still in business, with malicious campaigns dating back a dozen years already.

In its early years the group primarily targeted gaming companies in Southeast Asia, stealing in-game currencies and flipping them for real-world profit.

Notorious for its “stealth, sophistication, and focus on stealing technology secrets,” the APT has been known to compromise digital certificates (the electronic documents meant to ensure authenticity between connected devices) and deploy bootkits (which burrow into the lowest level of a computer’s startup sequence, the master boot record) to poison supply chains and even target specific individuals.

These were already advanced tactics, but this newest campaign is the group’s most sophisticated to date.
