These sneaky hackers hid in their victims’ networks for nine months

A hacking and cyber espionage operation pursues victims around the world in an extensive campaign designed to spy on targets and steal information.

Identified victims include government organizations, legal organizations, religious groups, non-governmental organizations (NGOs), and the pharmaceutical and telecommunications industries. Several countries have been targeted, including the United States, Canada, Hong Kong, Japan, Turkey, Israel, India, Montenegro and Italy.

Detailed by cybersecurity researchers at Symantec, the campaign is the work of a group they call Cicada – also known as APT10 – a state-sponsored offensive hacking group that Western intelligence agencies have linked to the Chinese Ministry of State Security. In some cases, the attackers have spent up to nine months inside victim networks.

APT10 has been active for over a decade, with the first evidence of this latest campaign appearing in mid-2021. The most recent activity that has been detailed took place in February 2022 and researchers warn that the campaign may still be ongoing.

In several of the detected intrusions, the earliest evidence of activity on compromised networks was observed on Microsoft Exchange servers, suggesting that the intrusions began with attackers exploiting unpatched vulnerabilities in Microsoft Exchange that were disclosed at the beginning of 2021.


Once attackers gain initial access, they use a variety of tools, including Sodamaster, a fileless malware that provides a backdoor on machines, as well as a custom loader to drop additional payloads. Both forms of malware have been used in previous campaigns by APT10.

The malware is built to evade detection, and it obfuscates and encrypts all information that is sent back to the command-and-control servers operated by the attackers. In addition to custom tools, the campaigns also use publicly available tools to scan systems and execute commands.

The targeted victims, as well as the tools deployed and the background of the alleged culprit behind the attacks led researchers to conclude that the most likely goal of the campaign is information theft and intelligence gathering.

“The types of organizations targeted – non-profit organizations and government organizations, including those involved in religious and educational activities – are most likely to interest the group for espionage purposes,” Brigid O'Gorman, Senior Intelligence Developer on Symantec’s Threat Hunter Team, told ZDNet.

The United States Department of Justice has previously indicted alleged APT10 members for campaigns to hack computer networks and steal information.

The widespread targeting of several large organizations around the world suggests that the hacking operation has significant resources, and the researchers conclude that Cicada remains a threat to any network that attackers would consider an attractive target.

Defending against a well-resourced, nation-state-backed hacking group is not easy, but there are steps network defenders can take to avoid falling victim to an attack. These include patching known vulnerabilities – such as those in Microsoft Exchange that Cicada appears to have exploited – and hardening credentials through the use of multi-factor authentication.

The researchers also recommend using unique credentials for administrative work, to help prevent the theft and misuse of administrator logins, and that cybersecurity teams continuously monitor the network to detect any potentially suspicious activity.
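The two recommendations above (unique administrative credentials and continuous monitoring) can be turned into a concrete analytic. The following is an added example, not code from the article or from Symantec: it reads a simplified, constructed logon log and flags any administrative account that reaches more than a threshold number of distinct hosts within a short window. One account fanning out across many servers in minutes is exactly the pattern a single shared (or stolen) admin credential produces, and a dwell time measured in months gives defenders many chances to catch it. The log format, the `adm_` naming convention for admin accounts, the sample lines and the thresholds are all assumptions made for this example.

```python
"""Flag administrative accounts used against many hosts in a short window.

Added example (not from the article or Symantec). Everything below, the log
format, the account-naming convention, the thresholds and the sample lines,
is constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "timestamp account source_host target_host logon_type"
SAMPLE_LOG = """\
2022-02-01T09:02:11 svc_backup  ws-014  fs-01   network
2022-02-01T09:03:40 jsmith      ws-014  fs-01   network
2022-02-01T21:15:02 adm_shared  ws-014  dc-01   remote
2022-02-01T21:16:30 adm_shared  ws-014  ex-01   remote
2022-02-01T21:18:05 adm_shared  ws-014  fs-01   remote
2022-02-01T21:20:44 adm_shared  ws-014  sql-02  remote
2022-02-02T10:00:00 adm_site7   ws-022  fs-07   remote
"""

ADMIN_PREFIX = "adm_"      # assumption: admin accounts are named adm_*
WINDOW = timedelta(hours=1)
MAX_HOSTS = 3              # distinct targets one admin account may reach per window


def parse_events(text):
    """Parse the constructed whitespace-separated log into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, src, dst, logon_type = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "account": account,
            "src": src,
            "dst": dst,
            "type": logon_type,
        })
    return events


def find_fanout(events, prefix=ADMIN_PREFIX, window=WINDOW, max_hosts=MAX_HOSTS):
    """Return {account: sorted hosts} for admin accounts that reach more than
    `max_hosts` distinct target hosts within any sliding window of `window`."""
    by_account = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["account"].startswith(prefix):
            by_account[ev["account"]].append(ev)

    flagged = {}
    for account, evs in by_account.items():
        # Slide the window start over each event; events are already time-ordered.
        for i, first in enumerate(evs):
            hosts = {e["dst"] for e in evs[i:] if e["ts"] - first["ts"] <= window}
            if len(hosts) > max_hosts:
                flagged[account] = sorted(hosts)
                break
    return flagged


if __name__ == "__main__":
    for account, hosts in find_fanout(parse_events(SAMPLE_LOG)).items():
        print(f"{account}: reached {len(hosts)} hosts within one window: {hosts}")
```

In the sample, `adm_shared` touches four servers in five minutes and is flagged, while `adm_site7`, a credential scoped to one site, is not. In a real deployment the same logic runs over authentication events from the domain controllers or a SIEM, with the thresholds tuned to the environment's normal administrative fan-out.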
