Chinese Hackers Breach US Firm, Maintain Network Access for Months – Source:hackread.com

SUMMARY

• Network Access: Chinese hackers maintained access to a major U.S. company’s network for at least four months, likely stealing sensitive information, including emails.

• Techniques Used: Hackers employed DLL sideloading, exploited Google and Apple software, and used tools like Impacket and FileZilla to move within the network.

• Targeted Data: The attackers focused on Exchange Servers and email data, indicating a strategic intelligence-gathering operation.

• Attribution to Daggerfly: Symantec linked the attack to Chinese state-sponsored groups Daggerfly and Crimson Palace, known for sophisticated cyber-espionage.
• Expert Insight: Cybersecurity expert Stephen Kowski highlights the sophistication and dangers of long-term network breaches and emphasises the need for stronger email security and monitoring.

A large U.S. company with operations in China fell victim to a large-scale cyberattack earlier this year, according to cybersecurity firm Symantec. The attack believed to be the work of Chinese hackers, allowed the attackers to maintain access to the company’s network for at least four months, likely gathering sensitive information.

This follows October 2024’s report in which it was revealed that China’s Salt Typhoon hacking group targeted and successfully compromised AT&T, Verizon, and Lumen, compromising wiretap systems used in criminal investigations.

Symantec’s findings indicates the hackers were active from April 11, 2024, until August, though the initial breach may have happened even earlier. During this time, hackers moved through the company’s network, gaining access to multiple computers, including Exchange Servers.

This suggests a primary goal of stealing email data for intelligence-gathering purposes. According to Symantec’s blog post, hackers employed a mix of legitimate applications and open-source tools to carry out their attacks.

From DLL-sideloading, a technique where malicious code is loaded with legitimate applications, to the exploitation of Google and Apple software were carried out for this purpose. Additionally, threat actors utilized Impacket, a Python-based toolkit for network protocol manipulation, and FileZilla, an FTP client, among others.

Links to Chinese APT Groups

Although the organization’s name is still unknown, Symantec believes that the group behind the attack is closely linked to the Chinese state-sponsored group Daggerfly (Daggerfly (also known as BRONZE HIGHLAND StormCloud, and Evasive Panda) and Crimson Palace.

This claim is based on the group’s repeated use of DLL sideloading in past attacks. Daggerfly is well-known for using this technique. Moreover, one of the malicious files found on a compromised system was textinputhost.dat, which has also been associated with another Chinese group, Crimson Palace. This group recently made news for targeting South Asian governments and stealing sensitive military secrets.

Stephen Kowski, a cybersecurity expert at SlashNext, told Hackread.com that this attack is part of a worrying trend. Hackers are using increasingly sophisticated methods to gain long-term access to company networks, he said.

“The focus on Exchange servers and email harvesting suggests a strategic intelligence-gathering operation,” Kowski added. He emphasized the need for strong email security and continuous monitoring to detect these kinds of attacks.

1. GLASSBRIDGE: Google Blocks Pro-China Fake News Sites
2. China’s insidious surveillance against Uyghurs with Android malware
3. Muddling Meerkat Suspected of Espionage via Great Firewall of China
4. Chinese Blackwood APT Deploys NSPX30 Backdoor in Cyberespionage
5. Cyberattacks Surge 325% in Philippines Amid South China Sea Standoff