China's Winnti cyberthreat group has been quietly stealing immense stores of intellectual property and other sensitive data from manufacturing and technology companies in North America and Asia for years.
That's according to researchers from Cybereason, who estimate that the group has so far stolen hundreds of gigabytes of data from more than 30 global organizations since the cyber-espionage campaign began. Trade secrets are a big part of that, they said, including blueprints, formulas, diagrams, proprietary manufacturing documents, and other business-sensitive information.
In addition, the attackers have harvested details about a target organization's network architecture, user accounts, credentials, customer data, and business units that they could leverage in future attacks, Cybereason says in reports summarizing its investigation this week.
The security vendor said it has shared its findings with the FBI, which back in 2019 had warned of China-based cyberthreat groups engaged in the massive theft of intellectual property from US firms to support the country's "Made in China 2025" modernization initiative.
"Global manufacturers are targets of Chinese state-sponsored threat groups," says Assaf Dahan, senior director and head of threat research at Cybereason. "Our research highlights the importance of protecting Internet-facing assets, early detection of scanning activity and exploitation attempts, the ability to detect web shell activity, persistence, reconnaissance attempts by legitimate Windows tools, credential dumping, and lateral movement attempts."
Darren Williams, CEO, and founder at BlackFog, says the campaign that Cybereason observed highlights a recent trend involving data theft by cybergangs operating out of China. He says that new research that BlackFog recently conducted found that 20% of all ransomware attacks exfiltrate data to China. There's also been a dramatic rise in attacks targeting the technology, manufacturing, and government sectors, he says
“We think its related to the increasing pressure from multiple nations on the manufacturing industry generally and the shift in reliance from Chinese manufacturing," he says. "Then when you look at trade wars China has with countries like Australia, there is a general market shift happening. We think these attacks are in response and even retaliation for many of these moves.”
Winnti Stung by CuckooBees
Winnti (aka APT41, Wicked Panda, or Barium) is a threat group that has been active since at least 2010. The group is believed to be working on behalf of, or with the support of, the Chinese government. Some security vendors have described Winnti as an umbrella group comprised of multiple threat actors operating under the control of China's state intelligence agencies. The group has been linked to attacks in 2010 on scores of US firms (including Google and Yahoo). And in 2020, the US government indicted five members of the threat group, although the action did little to stop its activities.
Researchers from Cybereason stumbled upon the threat group's latest campaign when investigating a 2021 intrusion at a $5 billion global manufacturing company with operations in Asia, North America, and Europe, Dahan says, and has been gathering evidence on the activity since then.
The researchers dubbed the investigation "Operation CuckooBees," because cuckoo bees are very evasive, and the Winnti group is one of the most elusive hacking groups, Dahan explains.
"Operation CuckooBees was a 12-month investigation focused on Winnti Group's global espionage campaign against defense, aerospace, energy, biotech, and pharmaceutical manufacturers," Dahan says.
New Tools, Rare Abuse of Windows CLFS Mechanism
Cybereason's investigation also revealed fresh aspects of the group's technical approach, including the development of new malware tools — or new versions of its old malware — and sophisticated new techniques for payload delivery and evasion.
The new tools include one called DeployLog, made for deploying the threat group's namesake Winnti kernel-level rootkit. New versions of tools it has used in the past include an initial payload called Spyder Loader; a privilege-escalation tool called PrivateLog; and a tool called StashLog for storing payloads in a hard-to-crack Windows function.
One notable aspect of Winnti group's new campaign, according to Cybereason, is the threat actor's use of a Windows high-performance logging feature called Common Log File System (CLFS) to hide malicious payloads.
"The CLFS mechanism is rather obscure and is still undocumented by Microsoft," Dahan notes. "The attackers used the CLFS mechanism to hide their payloads in a place most security products or practitioners wouldn’t look for." He adds that the ability to abuse the mechanism points to the level of sophistication and resources that the threat actors have at their disposal.
"It requires a lot of effort to reverse-engineer this mechanism to abuse it for nefarious purposes," he says.
Dahan says Cybereason has not observed any other threat group abuse the CLFS mechanism to stash payloads in the same manner.
The Evolving Winnti Attack Chain
In its latest campaign, Winnti group threat actors targeted vulnerable Internet-facing servers as a vector for gaining an initial foothold on a target network. In some instances, the attackers gained initial entry on systems by exploiting known vulnerabilities in enterprise resource planning (ERP) platforms.
"To the best of our knowledge, the vulnerabilities that were exploited in the observed attacks have fixes that were issued by the vendor," Dahan says.
Once in, Cybereason observed the attackers adopting what it described as a "house-of-cards" approach to deploying its malicious payloads, where each component of the attack chain depended on the previous one and the other components to function properly. This made it difficult to analyze each malware component in the attack chain separately.
"If for some reason, one component is missing or gets detected – the entire thing would fall apart," Dahan says.
The approach also added another layer of protection and stealth because each of the components in the attack chain is not entirely malicious on its own, and so would be unlikely to be flagged as malicious by security products, Dahan says. To become malicious, the components in the attack chain must be assembled in a certain order.
"The ‘house of cards’ approach makes it difficult for security researchers to analyze the payload and the flow of the attack," he explains. "You really have to see the entire attack and collect all the payloads and know how to run them in the exact order in which they were designed to run."