Cybereason uncovers Global Chinese espionage campaign

Cybereason, the XDR company, has published new research on Operation CuckooBees, a 12 month investigation into Winnti Group’s (APT 41) global cyber espionage campaign targeting manufacturers across North America, Europe and Asia in the Defense, Energy, Aerospace, Biotech and Pharma industries.During its investigation, Cybereason discovered that Winnti conducted Operation CuckooBees undetected since at least 2019, likely siphoning thousands of gigabytes of intellectual property and sensitive proprietary data from dozens of companies. Cybereason published two reports, the first examining the tactics and techniques of the overall campaign, and the second providing a detailed analysis of the malware and exploits used.

“Operation Cuckoo Bees research is the culmination of a 12-month investigation that highlights the intricate and extensive efforts of the Chinese state-sponsored Winnti Group (APT 41) to abscond with proprietary information from dozens of global Defense, Energy, Biotech, Aerospace and Pharmaceutical companies. The most alarming revelation is that the companies weren’t aware they were breached, going some as far back as at least 2019, giving Winnti free unfiltered access to intellectual property, blueprints, sensitive diagrams and other proprietary data,” said Lior Div, Cybereason CEO and Co-founder.

Operation CuckooBees Key Findings:

• Attribution to the Winnti APT Group: based on the analysis of the forensic artifacts, Cybereason estimates with medium-high confidence that the perpetrators of the attack are linked to the notorious Winnti APT group. This group has existed since at least 2010 and is believed to be operating on behalf of Chinese state interests and specializes in cyberespionage and intellectual property theft.
• Multi-Year Cyber Espionage Intrusions: The Cybereason IR team investigated a sophisticated and elusive cyber espionage operation that has remained undetected since at least 2019 with the goal of stealing sensitive proprietary information from technology and manufacturing companies mainly in East Asia, Western Europe, and North America.
• Newly Discovered Malware and Multi-Stage Infection Chain: The research examines both known and previously undocumented Winnti malware, which included digitally signed, kernel-level rootkits as well as an elaborate multi-stage infection chain that enabled the operation to remain undetected since at least 2019.
• The Winnti Playbook: This research offers a unique glimpse into the Winnti intrusion playbook, detailing the most frequently used tactics, as well as some lesser-known evasive techniques that were observed during the investigation.
• Discovery of New Malware in the Winnti Arsenal: The reports expose a previously undocumented malware strain called DEPLOYLOG used by the Winnti APT group, and highlights new versions of known Winnti malware, including Spyder Loader, PRIVATELOG, and WINNKIT.
• Rarely Seen Abuse of the Windows CLFS Feature: The attackers leveraged the Windows CLFS mechanism and NTFS transaction manipulations, which allowed them to conceal their payloads and evade detection by traditional security products.
• Intricate and Interdependent Payload Delivery: The reports include an analysis of the complex infection chain that led to the deployment of the WINNKIT rootkit composed of multiple interdependent components. The attackers implemented a delicate “house of cards” approach, meaning that each component depends on the others to execute properly, making it very difficult to analyze each component separately.

“The security vulnerabilities that are most commonly found in attacks such as Operation Cuckoo Bees are unpatched systems, insufficient network segmentation, unmanaged assets, forgotten accounts and no use of multi-factor authentications products. While these vulnerabilities may sound trivial and easy to fix, day-to-day security is complex and it’s not always easy to implement mitigations at a grand scale. Defenders should follow MITRE and/or similar frameworks in order to make sure that they have the right visibility, detection and remediation capabilities in place to protect their most critical assets,” added Div.