Chinese State-Sponsored Hackers Stole US Intellectual Property Unnoticed Since 2019

chinese hackers stole us intellectual property unnoticed news
Last month, we reported on a Chinese state-sponsored hacking group known as “Cicada” that was exploiting VLC Media Player to attack governments and infrastructure. According to security researchers, the hackers were able to access some victimized networks for as long as nine months before being discovered. Now security researchers have discovered a different Chinese malware campaign that has gone undetected since 2019.

Researchers at Cybereason recently informed the US Federal Bureau of Investigation (FBI) and Department of Justice (DOJ) about a malicious campaign to steal intellectual property from North American, European, and East Asian technology and manufacturing companies. According to Cybereason, this ongoing intellectual property theft operation can be attributed to a Chinese state-sponsored hacking group dubbed “Winnti.” The group is also known as advanced persistent threat (APT) 41, BARIUM, and Blackfly. The researchers named this cyber espionage campaign “Operation CuckooBees.”

chinese hackers stole us intellectual property unnoticed kill chain news
Cybereason’s map of Operation CuckoBees’ structure of attack

Cybereason says that Operation CuckoBees dates back to at least 2019, giving the hackers years to compromise vulnerable targets, conduct reconnaissance, identify valuable data, and exfiltrate said data. The hacking group was able to steal hundreds of gigabytes of sensitive documents, blueprints, diagrams, formulas, manufacturing-related proprietary data, and more. According to Cybereason, Winnti also “collected information that could be used for future cyberattacks, such as details about the target company’s business units, network architecture, user accounts and credentials, employee emails, and customer data.”

Operation CuckoBees took the form of a sophisticated multi-stage attack that hid from traditional antivirus software by abusing Windows Common Log File System (CLFS) and manipulating NTFS transactions (NFTS being Microsoft’s file system). CFLS log files can’t be viewed by antivirus software or users, meaning the attackers could gain a foothold in a virtually unnoticeable manner. The hackers also avoided detection of suspicious activity during reconnaissance by using common Windows commands like “ipconfig,” “systeminfo,” and “ping.” Once the hackers identified valuable data, they were able to exfiltrate it with a portable command-line WinRAR app signed with a valid digital signature.

Cybereason has published multiple reports detailing the tactics, techniques, malware, and exploits used by Winnti in Operation CuckoBees.