December 10, 2024 at 06:54AM
A cyber espionage group linked to China has targeted IT service providers in Southern Europe, utilizing Microsoft Visual Studio Code Remote Tunnels for command and control. Detected between June and July 2024, the attacks aimed to establish footholds for future data breaches, leveraging legitimate tools to evade detection, highlighted by the use of custom Mimikatz.
### Meeting Takeaways on Cyber Espionage Group and Operation Digital Eye
1. **Incident Overview**: A suspected China-linked cyber espionage group has been implicated in attacks on large IT service providers in Southern Europe, identified in a report as Operation Digital Eye. The attacks occurred from late June to mid-July 2024.
2. **Attack Prevention**: Cybersecurity firms, SentinelOne SentinelLabs and Tinexta Cyber, reported that these intrusions were detected and neutralized before data exfiltration could occur.
3. **Methodology**:
– The attackers abused Microsoft Visual Studio Code Remote Tunnels and Azure infrastructure for command-and-control (C2), so that their traffic blended in with legitimate developer activity.
– Initial access was gained through SQL injection attacks using the SQLmap tool, followed by deployment of a PHP-based web shell known as PHPsert for persistent access.
4. **Tools and Techniques**:
– The attackers used Remote Desktop Protocol (RDP) and customized versions of Mimikatz for credential theft (pass-the-hash attacks).
– Custom tools show significant code overlaps with those used in previous Chinese espionage incidents, indicating a shared source or common maintenance team.
5. **Infrastructure and Behavior**:
– The investigation noted the use of GitHub accounts for accessing Visual Studio Code Remote Tunnels and connecting to compromised endpoints.
– Attackers operated primarily during China’s working hours (9 a.m. to 9 p.m. China Standard Time).
6. **Strategic Implications**: The targeting of entities that provide essential services highlights a strategic approach to gain footholds in digital supply chains, enabling further reach into downstream sectors.
7. **Potential Indicators of Attribution to China**:
– Simplified Chinese comments found within PHPsert.
– Involvement of Romanian hosting services linked to the attacks.
– Historical connections to the Mustang Panda actor, known for similar methods.
8. **Key Takeaway**: The campaign illustrates the evolving tactics of Chinese APT groups, who utilize legitimate development tools and infrastructure for their operations to evade detection effectively.
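The C2 technique above rests on the legitimate VS Code tunnel feature, so one defensive check is to hunt endpoint telemetry for the tunnel client being started on hosts where no developer should need it. The following is an added example, not code from the report or from SentinelLabs/Tinexta; it assumes a simple JSON-lines event format, constructed sample events, and that the tunnel service resolves under the `tunnels.api.visualstudio.com` / `devtunnels.ms` domain suffixes (verify the suffixes against your own DNS and proxy data).

```python
import json
import re

# Constructed sample telemetry (not from the report): process-creation and
# outbound-connection events for two hosts, one server and one developer laptop.
SAMPLE_EVENTS = [
    '{"type":"process","host":"srv01","user":"svc_web","cmdline":"code.exe tunnel --accept-server-license-terms --name build-box"}',
    '{"type":"process","host":"dev07","user":"alice","cmdline":"Code.exe --folder-uri file:///C:/proj"}',
    '{"type":"network","host":"srv01","image":"C:\\\\Tools\\\\code.exe","dest":"global.rel.tunnels.api.visualstudio.com","port":443}',
    '{"type":"network","host":"dev07","image":"C:\\\\Program Files\\\\Google\\\\Chrome\\\\chrome.exe","dest":"github.com","port":443}',
]

# Assumed tunnel-service domain suffixes; adjust to what your environment observes.
TUNNEL_DOMAIN_SUFFIXES = ("tunnels.api.visualstudio.com", "devtunnels.ms")
# The VS Code CLI starts a remote tunnel with "code tunnel ..." (code.exe on Windows).
TUNNEL_CMD = re.compile(r"\bcode(?:\.exe)?\s+tunnel\b", re.IGNORECASE)
# Hosts where tunnel use is expected and should not raise a finding (assumed allowlist).
EXPECTED_TUNNEL_HOSTS = {"dev07"}


def classify(event):
    """Return a finding for a single parsed event, or None if it looks benign."""
    if event["host"] in EXPECTED_TUNNEL_HOSTS:
        return None
    if event["type"] == "process" and TUNNEL_CMD.search(event.get("cmdline", "")):
        return {"host": event["host"], "reason": "vscode_tunnel_process", "detail": event["cmdline"]}
    if event["type"] == "network" and event["dest"].lower().endswith(TUNNEL_DOMAIN_SUFFIXES):
        return {"host": event["host"], "reason": "vscode_tunnel_egress", "detail": event["dest"]}
    return None


def scan(lines):
    """Parse JSON-lines telemetry and return every finding, in input order."""
    return [f for f in (classify(json.loads(line)) for line in lines) if f]


def hosts_to_review(lines):
    """Group findings by host so a server with both a tunnel process and
    tunnel-service egress stands out as a priority for investigation."""
    by_host = {}
    for finding in scan(lines):
        by_host.setdefault(finding["host"], set()).add(finding["reason"])
    return by_host


if __name__ == "__main__":
    for host, reasons in hosts_to_review(SAMPLE_EVENTS).items():
        print(host, sorted(reasons))
```

The sample flags `srv01` on both signals and leaves the allowlisted developer host alone; in production, the same logic maps onto a SIEM query over process-creation and proxy logs.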
### Next Steps
– Continue monitoring for updates and developments related to Operation Digital Eye and the actors involved.
– Explore potential security measures to mitigate similar threats and enhance defenses against such sophisticated attacks.