Operation CuckooBees cyber espionage attack reveals massive Chinese IP theft campaign across tech, manufacturing sites

Extended detection and response (XDR) vendor Cybereason on Wednesday released new research on Operation CuckooBees, a 12-month investigation into the Winnti Group’s (APT 41) global cyber espionage campaign, describing it as ‘one of the largest IP theft campaigns of its kind coming from China.’ The hackers operated with the goal of stealing sensitive proprietary information from technology and manufacturing companies, mainly in East Asia, Western Europe, and North America, in the defense, energy, aerospace, biotech, and pharma industries.

Cybereason has also briefed the U.S. Federal Bureau of Investigation (FBI) and Department of Justice (DOJ) on the investigation into the malicious campaign, which the researchers dubbed Operation CuckooBees. The research has been published in two reports – the first examines the tactics and techniques of the overall campaign, and the second provides a detailed analysis of the malware and exploits used.

“Operation Cuckoo Bees research is the culmination of a 12-month investigation that highlights the intricate and extensive efforts of the Chinese state-sponsored Winnti Group (APT 41) to abscond with proprietary information from dozens of global organizations,” Lior Div, CEO and co-founder at Cybereason, said in a media statement. “The most alarming revelation is that the companies weren’t aware they were breached, some going as far back as at least 2019, giving Winnti free unfiltered access to intellectual property, blueprints, sensitive diagrams and other proprietary data,” he added.

Div also noted that the weaknesses most commonly exploited in campaigns such as Operation CuckooBees stem from unpatched systems, insufficient network segmentation, unmanaged assets, forgotten accounts, and a lack of multi-factor authentication.

“Although these vulnerabilities may seem to be easy to fix, day-to-day security is complex and it’s not always easy to implement mitigations at a grand scale,” according to Div. “Defenders should follow MITRE and/or similar frameworks in order to make sure that they have the right visibility, detection and remediation capabilities in place to protect their most critical assets,” he added.

With years to surreptitiously conduct reconnaissance and identify valuable data, it is estimated that the group managed to exfiltrate hundreds of gigabytes of information, Cybereason said. The attackers targeted intellectual property developed by the victims, including sensitive documents, blueprints, diagrams, formulas, and manufacturing-related proprietary data. Additionally, the attackers collected information that could be used for future cyberattacks, such as details about the target company’s business units, network architecture, user accounts and credentials, employee emails, and customer data. 

Cybereason researchers attribute the intrusions and Operation CuckooBees with a moderate-to-high degree of confidence to the Winnti APT group. “Winnti, also known as APT 41, BARIUM, and Blackfly, is a Chinese state-sponsored APT group known for its stealth, sophistication, and focus on stealing technology secrets,” they added.

During its investigation, “Cybereason discovered that Winnti conducted Operation CuckooBees undetected since at least 2019, likely siphoning thousands of gigabytes of intellectual property and sensitive proprietary data from dozens of companies.” 

Cybereason assesses with moderate-to-high confidence that the hackers behind this set of intrusions are the Winnti Group, known for its stealth, sophistication, and focus on stealing technology. The research also provides a unique glimpse into the Winnti intrusion playbook, detailing the most frequently used tactics as well as some lesser-known evasive techniques observed during the investigation.

The attackers’ initial foothold in the organization originated from multiple vulnerabilities in the organizational ERP (enterprise resource planning) platform, according to Cybereason researchers. “From there, the attackers installed persistence in the form of a WebShell and began conducting reconnaissance and credential dumping, enabling them to move laterally in the network. Ultimately, it allowed the attackers to steal highly sensitive information from critical servers and endpoints belonging to high-profile stakeholders,” they added. 

Analysis of the data available to Cybereason suggests that the goal of the operation was focused on cyber-espionage with the aim of stealing proprietary information, R&D documents, source code, and blueprints for various technologies. “The attackers managed to go undetected for years by using stealthy techniques combined with state-of-the-art attack and espionage tools which included advanced rootkits,” the researchers added.

The Cybereason research also exposed a previously undocumented malware strain called ‘DEPLOYLOG’ used by the Winnti APT group and highlighted new versions of known Winnti malware, including Spyder Loader, PRIVATELOG, and WINNKIT. Additionally, the attackers leveraged the Windows CLFS mechanism and NTFS transaction manipulations, which allowed them to conceal their payloads and evade detection by traditional security products.

The CLFS (Common Log File System) is a logging framework that was first introduced by Microsoft in Windows Server 2003 R2 and included in later Windows operating systems. The mechanism provides a high-performance logging system for a variety of purposes ranging from simple error logs to transactional systems and data stream collection. “The Winnti group used this mechanism to store and hide the payload that will be extracted from the CLFS file and used by other PEs in the execution chain to build the attacker’s next steps,” the researchers identified.
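Because CLFS base log files (`.blf`) are a legitimate Windows artifact, a payload stored inside one hides in plain sight among files that security tooling rarely inspects. One defensive triage the paragraph above suggests is to hunt for `.blf` files that sit outside the directories where Windows normally keeps them and whose contents look encrypted or packed rather than record-like. The script below is an added example written for this article, not Cybereason's tooling or any detection logic from their report; it uses a Shannon-entropy score as a heuristic (the threshold of 7.2 bits per byte and the list of expected directories are assumptions to tune per environment) and runs offline against two constructed sample files.

```python
"""Hunt heuristic for CLFS base log files (.blf) that may carry embedded payloads.

Added example, not from the original article or from Cybereason. Assumptions:
  - the entropy threshold (7.2 bits/byte) and EXPECTED_DIR_HINTS are site-specific
    starting points, not published indicators;
  - the two .blf files written by build_constructed_sample() are constructed
    test data, not real CLFS logs.
"""
import math
import os
import random
import tempfile
from collections import Counter

# Directory fragments where Windows itself keeps CLFS base log files (assumed
# allowlist; extend with whatever your own inventory shows is legitimate).
EXPECTED_DIR_HINTS = ("\\windows\\system32\\config", "\\windows\\system32\\smi")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 .. 8.0) of the given buffer."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def assess_blf(path: str, sample_bytes: int = 65536, threshold: float = 7.2) -> dict:
    """Score one .blf file: size, entropy of its first sample_bytes, whether it
    lives in an expected directory, and a suspicious/not-suspicious verdict."""
    with open(path, "rb") as fh:
        sample = fh.read(sample_bytes)
    entropy = shannon_entropy(sample)
    normalized = path.lower().replace("/", "\\")
    expected_location = any(hint in normalized for hint in EXPECTED_DIR_HINTS)
    return {
        "path": path,
        "size": os.path.getsize(path),
        "entropy": round(entropy, 2),
        "expected_location": expected_location,
        # High entropy alone is not proof; combined with an odd location it is
        # worth an analyst's look.
        "suspicious": entropy >= threshold and not expected_location,
    }


def hunt_blf(root: str, **kwargs) -> list:
    """Walk root, assess every *.blf file, and return only the suspicious ones."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".blf"):
                verdict = assess_blf(os.path.join(dirpath, name), **kwargs)
                if verdict["suspicious"]:
                    hits.append(verdict)
    return hits


def build_constructed_sample(root: str) -> None:
    """Write two constructed .blf files: repetitive text-like records (low
    entropy) and pseudo-random bytes standing in for an encrypted payload."""
    os.makedirs(root, exist_ok=True)
    with open(os.path.join(root, "benign.blf"), "wb") as fh:
        for i in range(2048):
            fh.write(b"RECORD %06d status=ok\x00\x00\x00\x00\n" % i)
    rng = random.Random(20220504)  # fixed seed so the demo is reproducible
    with open(os.path.join(root, "suspect.blf"), "wb") as fh:
        fh.write(b"\x00" * 512 + rng.randbytes(96 * 1024))


def demo() -> list:
    """Build the constructed sample in a temp directory and hunt over it."""
    root = os.path.join(tempfile.mkdtemp(), "appdata_sample")
    build_constructed_sample(root)
    return hunt_blf(root)


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

On a real host you would point `hunt_blf` at user profile and application data trees rather than a temp directory, and treat a hit as a triage lead: pull the file, confirm it is (or is not) a genuine CLFS log, and check which processes open it. Keep in mind that the entropy check only catches encrypted or compressed payloads; a payload stored as plaintext records would need content rules instead.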

Cybereason researchers also zeroed in on an intricate and interdependent payload delivery. “Reports include an analysis of the complex infection chain that led to the deployment of the WINNKIT rootkit composed of multiple interdependent components. The attackers implemented a delicate ‘house of cards’ approach, meaning that each component depends on the others to function properly, making it very difficult to analyze each component separately,” they added.

The final payload deployed by Winnti is also the most evasive and sophisticated with a driver acting as a rootkit, dubbed WINNKIT, the researchers said. “WINNKIT’s previous version was researched in the past, and its purpose is to act as a kernel-mode agent, interacting with the user-mode agent and intercepting TCP/IP requests, by talking directly to the network card,” they added.

“Our analysis provides a unique and holistic view of Winnti operational aspects, capabilities and modus operandi,” Cybereason researchers said. “While some of the tools mentioned in the research were previously reported on, some tools such as DEPLOYLOG were previously undocumented and first analyzed in this report. In addition, our analysis provides further insights regarding some of the known Winnti tools,” they added.

Furthermore, the rare abuse of Windows’ own CLFS logging system and NTFS manipulations provided the attackers with extra stealth and the ability to remain undetected for years, the researchers added.

“This is not surprising given both the history and the growing trend we are seeing involving data exfiltration to China,” Darren Williams, CEO and founder at BlackFog, wrote in an emailed statement. “BlackFog’s latest research found that 20% of all ransomware attacks exfiltrate data to China. This has been a growing trend over the last year and we have seen renewed efforts focused specifically around espionage,” he added.

This also correlates with BlackFog’s April report that saw a dramatic rise in attacks on technology, manufacturing, and government, with increases of 25%, 20%, and 40% respectively, according to Williams.

Earlier this week, SentinelLabs researchers said that they were tracking the activity of a Chinese-aligned cyber espionage hacker group operating in Central Asia, dubbed ‘Moshen Dragon,’ targeting the telecommunication sector. The hackers have systematically utilized software distributed by security vendors to sideload ShadowPad and PlugX variants. Some of the activity partially overlaps with threat groups tracked by other vendors, such as RedFoxtrot and Nomad Panda.
