Chinese APT group Cicada targets government organizations, NGOs in espionage activity

A Chinese state-backed advanced persistent threat (APT) group, Cicada is attacking organizations around the globe in a likely espionage campaign that has been ongoing for several months, the Symantec Threat Hunter team revealed on Tuesday. Victims in the Cicada (aka APT10) campaign include government, legal, religious, and non-governmental organizations (NGOs) across countries around the world, including in Europe, Asia, and North America.

“The attribution of this activity to Cicada is based on the presence on victim networks of a custom loader and custom malware that are believed to be exclusively used by the APT group,” the researchers wrote in a company blog post on Tuesday. “While Cicada has been linked to espionage-style operations dating back to 2009, the earliest activity in this current campaign occurred in mid-2021, with the most recent activity seen in February 2022, so this is a long-running attack campaign that may still be ongoing, researchers from Symantec, a division of Broadcom, have found,” they added.

Symantec said that the victims in the campaign appear to primarily be government-related institutions or NGOs, with some of these NGOs working in the fields of education and religion. There were also victims in the telecoms, legal, and pharmaceutical sectors. The victims are spread through a range of regions including the U.S., Canada, Hong Kong, Turkey, Israel, India, Montenegro, and Italy. There is also just one victim in Japan, which is notable due to Cicada’s previous strong focus on Japanese-linked companies, it added.

The attackers spent as long as nine months on the networks of some victims, the researchers revealed. The victims targeted, the various tools deployed in this campaign, and what is known of Cicada’s past activity all indicate that the most likely goal of this campaign is espionage. Cicada activity was linked by U.S. government officials to the Chinese government in 2018, they added.

The wide number of sectors and geographies of the organizations targeted in the campaign is interesting, the researchers said. “Cicada’s initial activity several years ago was heavily focused on Japanese-linked companies, though in more recent times it has been linked to attacks on managed service providers (MSPs) with a more global footprint. However, this campaign does appear to indicate a further widening of Cicada’s targeting,” they added.

“This is a long-running campaign from a sophisticated and experienced nation-state backed actor that may still be ongoing, as the most recent activity we saw in this campaign was in February 2022,” the Symantec researchers said. “The targeting of multiple large organizations in different geographies at the same time would require a lot of resources and skills that are generally only seen in nation-state backed groups, and shows that Cicada still has a lot of firepower behind it when it comes to its cyber activities,” they added.

Symantec revealed that, in several cases, the initial activity on victim networks is seen on Microsoft Exchange Servers, suggesting the possibility that a known, unpatched vulnerability in Microsoft Exchange may have been used to gain access to victim networks in some cases.

“Once the attackers have successfully gained access to victim machines we observe them deploying various different tools, including a custom loader and the Sodamaster backdoor. The loader deployed in this campaign was also deployed in a previous Cicada attack,” they added.

Sodamaster is a known Cicada tool that is believed to be exclusively used by this group, Symantec said. It is a ‘fileless malware’ capable of multiple functions, including evading detection in a sandbox by checking for a registry key or delaying execution; enumerating the username, hostname, and operating system of targeted systems; searching for running processes; and downloading and executing additional payloads. It is also capable of obfuscating and encrypting the traffic it sends back to its command-and-control (C&C) server. It is a powerful backdoor that Cicada has been using since at least 2020.

“In this campaign, the attackers are also seen dumping credentials, including by using a custom Mimikatz loader. This version of Mimikatz drops mimilib.dll to obtain credentials in plain text for any user that is accessing the compromised host and provides persistence across reboots,” according to Symantec. The attackers also abuse the legitimate VLC Media Player by launching a custom loader via the VLC Exports function, and they use the WinVNC tool for remote control of victim machines, it added.

Other tools utilized in this attack campaign include the RAR archiving tool, which can be used to compress, encrypt, or archive files, likely for exfiltration, and system/network discovery tools, which give attackers a way to determine what systems or services are connected to an infected machine. In addition, WMIExec is a Microsoft command-line tool that can be used to execute commands on remote computers, and NBTScan is an open-source tool that has been observed being used by APT groups to conduct internal reconnaissance within a compromised network.
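The tooling described in the two paragraphs above (mimilib.dll dropped for persistence, the VLC loader, NBTScan/WMIExec, and RAR used for encrypted staging) leaves host-level traces a defender can hunt for. The following is an added example, not code from Symantec or from the report: it runs simple heuristics over constructed Sysmon-style events. The registry path for LSA Security Packages, the tool file names, and the assumption that genuine VLC libraries are signed are all the example's own assumptions, not details taken from the article.

```python
"""Hunting heuristics for the Cicada tooling discussed above.
Events are dicts shaped like Sysmon registry/image-load/process-create records.
All sample data below is constructed for this example."""
import re
from typing import Iterable

# Assumed: Mimikatz's mimilib.dll persists by being listed as an LSA Security Package.
SSP_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages"
# Assumed file names for the recon / lateral-movement tools named in the article.
RECON_TOOLS = {"nbtscan.exe", "wmiexec.exe", "wmiexec.py"}

def detect(events: Iterable[dict]) -> list[tuple[str, str]]:
    """Return (rule_name, evidence) pairs for every event that matches a heuristic."""
    hits = []
    for ev in events:
        kind = ev.get("event")
        if kind == "registry_set":
            # mimilib being added to the SSP list = plaintext credential capture + reboot persistence
            if ev.get("target", "").lower() == SSP_KEY.lower() and "mimilib" in ev.get("details", "").lower():
                hits.append(("mimilib_ssp_persistence", ev["details"]))
        elif kind == "image_load":
            exe = ev.get("image", "").lower().rsplit("\\", 1)[-1]
            # Assumed heuristic: legitimate VLC libraries carry a valid signature, so an
            # unsigned DLL loaded by vlc.exe suggests a sideloaded custom loader.
            if exe == "vlc.exe" and not ev.get("signed", False):
                hits.append(("vlc_sideload", ev.get("loaded", "")))
        elif kind == "process_create":
            exe = ev.get("image", "").lower().rsplit("\\", 1)[-1]
            cmd = ev.get("cmdline", "")
            if exe in RECON_TOOLS:
                hits.append(("recon_tool", cmd))
            elif exe == "rar.exe" and re.search(r"\s-h?p\S*", cmd):
                # -p / -hp set an archive password: encrypted staging ahead of exfiltration
                hits.append(("encrypted_rar_staging", cmd))
    return hits

SAMPLE_EVENTS = [  # constructed sample telemetry, not indicators from the report
    {"event": "registry_set", "target": SSP_KEY, "details": "kerberos msv1_0 schannel wdigest tspkg pku2u mimilib"},
    {"event": "image_load", "image": r"C:\Users\Public\vlc.exe", "loaded": r"C:\Users\Public\libvlc.dll", "signed": False},
    {"event": "image_load", "image": r"C:\Program Files\VideoLAN\VLC\vlc.exe", "loaded": r"C:\Program Files\VideoLAN\VLC\libvlc.dll", "signed": True},
    {"event": "process_create", "image": r"C:\Windows\Temp\nbtscan.exe", "cmdline": "nbtscan.exe 10.0.0.0/24"},
    {"event": "process_create", "image": r"C:\Windows\Temp\rar.exe", "cmdline": "rar.exe a -hpEXAMPLE docs.rar C:\\share\\docs"},
    {"event": "process_create", "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]

if __name__ == "__main__":
    for rule, evidence in detect(SAMPLE_EVENTS):
        print(f"{rule}: {evidence}")
```

In a real deployment the same rules would run over exported Sysmon or EDR telemetry; the signed flag and registry path come from those sources rather than from constructed dicts.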

Last month, a highly-sophisticated espionage tool named Daxin was identified by the Symantec team as being used by China-linked hackers against select governments and other critical infrastructure targets. Affected targets of Daxin deployments have included government organizations and entities in the telecommunications, transportation, and manufacturing sectors.
