Chinese APT group, Winnti, is back with a new threat campaign

May 16, 2022

Researchers discovered a new attack campaign attributed to the Chinese state-sponsored advanced persistent threat group known as Winnti. According to the reports, the campaign remained undetected for several years.

The researchers named the campaign ‘Operation CuckooBees’. It leveraged previously undocumented malware and stole confidential trade data from several organisations worldwide.

An incident response team first discovered the attack in the early months of last year and found that the campaign had been running since at least 2019.

The Winnti threat group showed how nimble Chinese threat actors can be.

The group designed Operation CuckooBees to target numerous manufacturing and technology organisations across East Asia, Western Europe, and North America, especially the United States.

The threat actors stole considerable intellectual property, including blueprints of military technology, diagrams, manufacturing-related data, sensitive documents, and formulas. In addition, the APT group stole information about the targeted companies’ network architecture, business units, and credentials that it could reuse in subsequent attacks.

They also exfiltrated personnel records from the organisations, exposing employee emails and customer data.

The report also revealed previously undocumented malicious payloads that the Winnti group used in its earlier campaigns. These included a new malware loader, DEPLOYLOG, and new versions of the Spyder Loader, WINNKIT, and PRIVATELOG.

The researchers also noted that these malware strains abuse the Windows Common Log File System (CLFS) and manipulate NTFS transactions to evade detection by standard security solutions.

The researchers investigating the campaign have shared only limited mitigation guidance, which remains insufficient to fend off the Chinese-sponsored threat actors.

The Windows CLFS mechanism proved difficult for researchers to analyse because it is rarely used as an attack vector, and the group has continued to evade detection as it targets further organisations worldwide.
