The hackers, most likely from a well-known group that’s funded by the Chinese government, are outfitted with both off-the-shelf and custom-made tools.
Researchers have uncovered a massive hacking campaign that’s using sophisticated tools and techniques to compromise the networks of companies around the world.
The attacks are attributed to Cicada, a group believed to be funded by the Chinese state and tracked by other research organizations under the names APT10, Stone Panda, and Cloud Hopper.
Symantec uses the code name Cicada for this group; it has been active in espionage-style hacking since at least 2009, targeting companies related to Japan almost exclusively. Although the companies targeted by this campaign are located in the United States and other countries, they all have connections with Japan and Japanese companies.
In this campaign the group combines off-the-shelf tools with custom malware, including a custom backdoor, Backdoor.Hartip, that Symantec had not previously seen in use. Machines compromised during the attacks included domain controllers and file servers, and there is evidence that files were exfiltrated from some of them. The attackers relied heavily on DLL side-loading, and they exploited the Zerologon vulnerability, which Microsoft patched in August 2020.
Who discovered this campaign, and how?
Symantec first became aware of the campaign when suspicious DLL side-loading activity on one of its customers' networks triggered an alert from the Cloud Analytics technology in Symantec Endpoint Security Complete (SESC).
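The side-loading behaviour that tripped the alert exploits Windows' DLL search order: an application's own directory is searched before System32, so a malicious DLL dropped next to a legitimate, signed executable and given the name of a Windows DLL gets loaded in its place. The following heuristic, written for this page as an illustration and not taken from Symantec's detection logic or from the article, shows what such a detection can key on when run over Sysmon Event ID 7 (Image loaded) records. The field names follow the Sysmon schema; the DLL name list, the directory lists and the sample events are constructed assumptions for the example.

```python
"""Heuristic detection of DLL side-loading from Sysmon Event ID 7 (Image loaded) records.

Added example for this page; not code from Symantec, the article, or the campaign's
tooling. The events below are constructed, not real telemetry.
"""
import ntpath
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Directories from which Windows' own DLLs are expected to load (assumption: common defaults).
TRUSTED_DLL_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64", "c:\\windows\\winsxs")

# Locations a low-privileged user or a dropper can usually write to (assumption: illustrative).
WRITABLE_DIRS = ("c:\\users", "c:\\programdata", "c:\\windows\\temp")

# Windows DLL names frequently hijacked by side-loading; a real rule would carry a longer list.
SYSTEM_DLL_NAMES = {
    "version.dll", "dwmapi.dll", "uxtheme.dll", "wtsapi32.dll",
    "msimg32.dll", "cryptbase.dll", "dbghelp.dll", "winhttp.dll",
}


def _under(directory: str, roots: Iterable[str]) -> bool:
    """True if `directory` is one of `roots` or a subdirectory of one (paths already lower-cased)."""
    return any(directory == r or directory.startswith(r + "\\") for r in roots)


@dataclass
class Finding:
    process: str
    dll: str
    reason: str


def check_image_load(ev: dict) -> Optional[Finding]:
    """Return a Finding for a single Sysmon event that looks like DLL side-loading, else None."""
    if ev.get("EventID") != 7:          # only image-load events carry a loaded DLL
        return None
    image = ev["Image"].lower()          # the process that performed the load
    dll = ev["ImageLoaded"].lower()      # the DLL that was mapped
    dll_dir = ntpath.dirname(dll)
    if _under(dll_dir, TRUSTED_DLL_DIRS):
        return None                      # loaded from a Windows directory: not a side-load
    same_dir = dll_dir == ntpath.dirname(image)
    name = ntpath.basename(dll)
    # Strongest signal: a Windows DLL name resolved from the executable's own directory.
    if name in SYSTEM_DLL_NAMES and same_dir:
        return Finding(image, dll, "Windows DLL name loaded from the host executable's directory instead of System32")
    # Weaker signal: an unsigned DLL living beside its host in a user-writable location.
    if same_dir and ev.get("Signed", "").lower() == "false" and _under(dll_dir, WRITABLE_DIRS):
        return Finding(image, dll, "unsigned DLL loaded from a user-writable directory next to its host executable")
    return None


def scan(events: Iterable[dict]) -> List[Finding]:
    """Run the heuristic over a stream of events and collect the findings."""
    return [f for f in map(check_image_load, events) if f is not None]


# Constructed sample events (Sysmon-style fields, values invented for the example).
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": "C:\\Windows\\System32\\svchost.exe",
     "ImageLoaded": "C:\\Windows\\System32\\version.dll", "Signed": "true"},        # benign
    {"EventID": 7, "Image": "C:\\Users\\Public\\libs\\vendorapp.exe",
     "ImageLoaded": "C:\\Users\\Public\\libs\\version.dll", "Signed": "false"},     # side-load
    {"EventID": 7, "Image": "C:\\Program Files\\Vendor\\app.exe",
     "ImageLoaded": "C:\\Program Files\\Vendor\\helper.dll", "Signed": "false"},    # benign plugin
    {"EventID": 7, "Image": "C:\\ProgramData\\stage\\tool.exe",
     "ImageLoaded": "C:\\ProgramData\\stage\\plugin.dll", "Signed": "false"},       # suspicious
    {"EventID": 1, "Image": "C:\\ProgramData\\stage\\tool.exe"},                     # not an image load
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"{finding.process} -> {finding.dll}: {finding.reason}")
```

Run over the sample, the first heuristic flags `version.dll` loaded from `C:\Users\Public\libs`, and the second flags the unsigned `plugin.dll` under `C:\ProgramData`; the Program Files plugin and the System32 load pass. In production the second rule needs tuning (many legitimate applications ship unsigned helper DLLs), so it is better treated as a scoring input than as a stand-alone alert, while a Windows DLL name resolving from a non-Windows directory is worth an alert on its own.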
The campaign spans the globe, with victims detected in many regions. The common thread among the attacked organizations is a link to Japan or to Japan-based organizations. The map even shows a reportedly Chinese-government-linked group attacking a company within China's borders, but, like many of the targets in this campaign, that company is a subsidiary of a Japanese organization.
The targeted organizations span the automotive, clothing, conglomerate, electronics, engineering, general trading, government, industrial products, managed service provider, manufacturing, pharmaceutical and professional services sectors.
Japan-linked organizations: be on the lookout
“Japan-linked organizations need to be on alert as it is clear they are a key target of this sophisticated and well-resourced group, with the automotive industry seemingly a key target in this attack campaign,” researchers from security firm Symantec wrote in a report. “However, with the wide range of industries targeted by these attacks, Japanese organizations in all sectors need to be aware that they are at risk of this kind of activity.”
Microsoft patched Zerologon, a critical privilege-escalation vulnerability in Windows domain controllers, in August 2020, but attackers have since been using it to compromise organizations that have yet to install the update. Both the FBI and the Department of Homeland Security have urged that systems be patched immediately.
The machines compromised in the attacks Symantec discovered were domain controllers and file servers, and Symantec's investigators also found evidence that data was exfiltrated from some of the compromised machines.