“Operation Digital Eye,” a recent cyberattack targeting European IT organisations, has raised concerns over the growing threat of cyber espionage linked to China. The operation took place between late June and July, primarily focusing on business-to-business (B2B) service providers across southern Europe.
These included key cybersecurity vendors and data/infrastructure solution providers, which are critical to the region’s economy and technological infrastructure. The attackers behind the operation sought to infiltrate the supply chains of these companies, likely with the intention of stealing sensitive information or gaining strategic advantage.
The cybercriminals behind “Operation Digital Eye” used several clever tactics to conceal their malicious activities.
Rather than relying on traditional methods, the hackers masked their attacks behind legitimate Microsoft technologies, such as Visual Studio Code (VS Code) and Microsoft Azure. These commonly used tools made the attackers’ movements appear innocuous, allowing them to bypass security measures that might otherwise have detected unusual activity.
The operation began with SQL injection attacks targeting vulnerable web servers and database systems. From there, the attackers deployed PHP web shells, using filenames specifically crafted to avoid detection. Their approach also involved lateral movement within networks, the theft of user credentials, and further reconnaissance to expand their access.
The key element of the attack, however, was the use of a file called “code.exe,” which was digitally signed by Microsoft and executed as a Windows service. This file was a disguised version of VS Code, an open-source development environment widely used by both new and experienced developers. The attackers leveraged a feature of VS Code called Remote Tunnels, which is designed to allow developers to work on code remotely.
By using this feature, the attackers were able to maintain persistent access to infected systems, making it harder for victims to detect the intrusion. The attackers also took advantage of cloud infrastructure in Western Europe, further obscuring their traffic by making it appear more legitimate.
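Hunting for the persistence pattern described above, namely the VS Code CLI (code.exe) started with a tunnel argument under a Windows service context, as an added example that is not from the article or any vendor's detection content. The field names are an assumption modelled on Sysmon-style process-creation events, and the sample events are constructed.

```python
# Added example: flag VS Code "Remote Tunnels" use that looks like persistence.
# Field names are an assumption (Sysmon-style process creation); events are constructed.
from __future__ import annotations
import re
from dataclasses import dataclass

TUNNEL_ARG = re.compile(r"\btunnel\b", re.IGNORECASE)   # `code tunnel` is the real CLI subcommand
EXPECTED_DIR_MARK = "\\microsoft vs code\\"              # assumed location of a normal install
SERVICE_PARENT = "services.exe"                          # parent of processes started as services

@dataclass
class ProcEvent:
    image: str         # full path of the new process
    cmdline: str       # command line it was launched with
    parent_image: str  # full path of the parent process
    user: str          # account the process runs as

def assess(ev: ProcEvent) -> list[str]:
    """Return reasons a code.exe launch resembles tunnel-based persistence (empty = benign)."""
    reasons: list[str] = []
    image = ev.image.lower()
    if not image.endswith("\\code.exe"):
        return reasons
    has_tunnel = bool(TUNNEL_ARG.search(ev.cmdline))
    if has_tunnel:
        reasons.append("vscode cli invoked with 'tunnel'")
    if EXPECTED_DIR_MARK not in image:
        reasons.append("code.exe outside expected install dirs")
    if ev.parent_image.lower().endswith(SERVICE_PARENT) or ev.user.upper().endswith("SYSTEM"):
        reasons.append("launched as a Windows service / as SYSTEM")
    # A valid Microsoft signature is not a pass: the tunnel argument alone is worth a look,
    # and an oddly placed code.exe running as a service is flagged even without it.
    return reasons if has_tunnel or len(reasons) >= 2 else []

def hunt(events: list[ProcEvent]) -> list[tuple[str, list[str]]]:
    """Run assess() over a batch of events and keep only the suspicious ones."""
    return [(e.image, assess(e)) for e in events if assess(e)]

SAMPLE_EVENTS = [  # constructed telemetry, not real data from the campaign
    ProcEvent(r"C:\Program Files\Microsoft VS Code\Code.exe", "Code.exe --new-window",
              r"C:\Windows\explorer.exe", r"CORP\dev01"),
    ProcEvent(r"C:\Windows\Temp\code.exe", "code.exe tunnel",
              r"C:\Windows\System32\services.exe", r"NT AUTHORITY\SYSTEM"),
    ProcEvent(r"C:\Users\dev02\AppData\Local\Programs\Microsoft VS Code\bin\code.exe",
              "code.exe tunnel", r"C:\Windows\System32\cmd.exe", r"CORP\dev02"),
]

if __name__ == "__main__":
    for image, reasons in hunt(SAMPLE_EVENTS):
        print(image, "->", "; ".join(reasons))
```

Legitimate developer tunnel use (the third event) is flagged too, so the output is a triage queue rather than a verdict; the service-context and odd-path reasons are what separate the second event from ordinary use.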
Attributing the attack to specific threat actors was complicated due to the sophisticated tools used. One of the key tools deployed, “bK2o.exe,” was a modified version of Mimikatz, an open-source tool often used in credential theft and pass-the-hash attacks. This tool has been seen in previous cyberattacks linked to Chinese state-backed groups, such as APT41 and APT10, making it difficult to pinpoint who was behind the operation.
The motivations behind “Operation Digital Eye” appear to align with China’s broader geopolitical strategy, particularly in southern Europe, a region crucial to China’s Belt and Road Initiative. This targeted area holds significant importance for global trade, energy flows, and military activities. By infiltrating critical industries such as energy, shipping, and aerospace, China aims to secure both economic advantages and greater political influence.
The operation highlights the growing sophistication of cyber espionage campaigns, with the aim of gaining access to sensitive information and undermining Western alliances.