Chinese APT group found stealing data for three years through old Windows flaw

A US-headquartered cyber security company called Cybereason has revealed details of the Chinese Advanced Persistent Threat (APT) group called Winnti, which siphoned off a huge amount of corporate data and intellectual property using a flaw in Microsoft's Windows operating system, which was first found in 2020.

An APT group is a silent threat actor, sometimes a nation-state or state-sponsored group, which sneaks into computer networks and remains undetected for a prolonged period.

Dubbed as 'Operations CuckooBees' by Cybereason, the campaign operated undetected from 2019 to 2021 and targeted technology and manufacturing companies, situated mainly in East Asia, Western Europe, and North America. The campaign “abuses” Windows mechanisms in a “rarely seen” manner, the security researchers said.

According to Cybereason, the attackers used the Windows CLFS (common log files system) mechanism and NTFS (New Technology File System) transaction manipulations, which let them hide their payloads and evade detection by traditional security products.

“With years to surreptitiously conduct reconnaissance and identify valuable data, it is estimated that the group managed to exfiltrate hundreds of gigabytes of information,” said Cybereason in a blogpost. “The attackers targeted intellectual property developed by the victims, including sensitive documents, blueprints, diagrams, formulas, and manufacturing-related proprietary data.”

“This group has existed since at least 2010 and is believed to be operating on behalf of Chinese state interests and specialises in cyberespionage and intellectual property theft,” said Cybereason.

Winnti also known as APT41, BARIUM, or Blackfly leverages a huge amount of malware and tools for its cyberespionage. The group has been linked to attacks against software vendors, video game developers and Universities in Hong Kong.

In March, 2021, Winnti also exploited the Microsoft Exchange Server ProxyLogon vulnerabilities, with other APTs, when the critical flaws were first made public. The tech giant seemed to have learned about the flaw in its exchange email software sometimes from early January to early February. Taiwan based cyber-research firm called DEVCORE first warned Microsoft on January 5, 2021, it said.

In 2013, Kaspersky stated in a report that “The first incident that drew attention to the Winnti group’s malicious activities occurred in the autumn of 2011, when a malicious Trojan was detected on a large number of end-user computers across the globe. The clear link between all of the infected computers is that they were used to play a popular online game.”

The report further mentioned that shortly after the incident, details emerged that the malicious program which had infected the users’ computers was part of a regular update from the gaming company’s official server.

Infected users of the gaming community doubted the computer game publisher was installing the malware to spy on its customers. “However, it later became clear that the malicious program was installed on the players’ computers by accident, and that the cybercriminals were actually targeting the computer game company itself,” it noted.

While the investigations are doing rounds into the Winnti campaign, Cybereason has been able to provide only partial indicators of compromise.

“Perhaps one of the most interesting things to notice is the elaborate and multi-phased infection chain Winnti employed. The malware authors chose to break the infection chain into multiple interdependent phases, where each phase relies on the previous one to execute correctly,” the researchers at Cybereason said.

“This demonstrates the thought and effort that was put into both the malware and operational security considerations, making it almost impossible to analyse unless all pieces of the puzzle are assembled in the correct order.”