
China releases report on U.S. cyberattacks targeting a tech enterprise

CGTN


On December 18, 2024, China's National Computer Network Emergency Response Technical Team (CNCERT) issued a notice regarding the discovery and handling of two cyberattacks by the United States targeting a major Chinese technology enterprise.

CNCERT released a report on Friday regarding the attacks. Here are the details:

I. Cyberattack process

1. Exploiting vulnerabilities for intrusion

On August 19, 2024, attackers exploited a vulnerability in the enterprise's electronic document management system to gain unauthorized access and steal the system administrator's account/password information. On August 21, 2024, the attackers used the stolen administrator credentials to log into the backend of the compromised system.

2. Software upgrade management server compromised with backdoor and Trojan programs

At 12 p.m. on August 21, 2024, the attackers deployed a backdoor program and a customized Trojan program on the electronic document management system to collect stolen data. To evade detection, these malicious programs were only active in memory and were not stored on the hard disk. The Trojan program was used to receive sensitive files stolen from compromised personal computers within the affected organization, with the access path being /xxx/xxxx?flag=syn_user_policy. The backdoor program was used to aggregate and transmit the stolen sensitive files overseas, with the access path /xxx/xxxStats.

3. Trojan infections spread to personal computers

On November 6, 8 and 16, 2024, the attackers exploited a software upgrade function of the electronic document server to implant special Trojan programs into 276 personal computers of the enterprise. The main functions of the Trojan programs were to scan the infected machines for sensitive files to steal, and to steal login credentials and other personal information. The Trojan programs were designed to delete themselves immediately after use.

II. Massive theft of trade secrets

1. Comprehensive scanning of victim enterprise's host machines

The attackers repeatedly logged into the software upgrade management server through IP proxies based in China and used this server to infiltrate the internal network of the victim enterprise. They performed full disk scans on the internal network hosts of the enterprise, identifying potential targets and gathering information about the enterprise's work content.

2. Targeted and specific theft

From November 6 to 16, 2024, the attackers used three different proxy IP addresses to infiltrate the software upgrade management server and implant Trojans onto personal computers. These Trojans were preprogrammed with specific keywords highly relevant to the enterprise's work. Once files containing these keywords were found, the corresponding files were stolen and transmitted overseas. The three instances of espionage involved different sets of keywords, indicating that the attackers had carefully prepared before each attack, showing a high level of specificity. A total of 4.98 GB of critical commercial information and intellectual property files were stolen during these three espionage incidents.

III. Characteristics of the attacks

1. Attack timing

Analysis shows that the majority of the attacks occurred between 10 p.m. and 8 a.m. Beijing Time, which corresponds to 10 a.m. to 8 p.m. Eastern Standard Time in the U.S. The attacks primarily took place Monday through Friday and did not occur during major U.S. holidays.
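The timing analysis described above, as an added example that is not part of the CNCERT report or the CGTN article: given login records for the upgrade management server, it measures how much activity falls in the 22:00-08:00 Beijing window, lists source addresses that only ever appear in that window, and scans fixed UTC offsets for the one under which the logins best fit a weekday working day. The timestamps and IP addresses are constructed, and the Beijing night window and 09:00-18:00 working day are assumptions of the example.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample of backend login events on the upgrade management server,
# as "UTC-timestamp source-IP"; hypothetical values, not indicators from the report.
SAMPLE_LOGINS = [
    "2024-11-06T15:12:04Z 203.0.113.7",
    "2024-11-07T15:05:10Z 198.51.100.22",
    "2024-11-07T22:58:47Z 198.51.100.22",
    "2024-11-08T16:33:02Z 203.0.113.7",
    "2024-11-08T21:17:55Z 192.0.2.45",
    "2024-11-11T15:49:12Z 192.0.2.45",
    "2024-11-12T03:30:00Z 10.20.30.40",   # local admin: 11:30 Beijing, Tuesday
    "2024-11-14T14:30:00Z 192.0.2.45",
    "2024-11-15T22:02:09Z 198.51.100.22",
]

def parse_logins(lines):
    """Parse 'YYYY-MM-DDTHH:MM:SSZ ip' lines into (aware UTC datetime, ip) pairs."""
    return [(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc), ip)
            for ts, ip in (line.split() for line in lines)]

def in_window(hour, start, end):
    """True if hour lies in [start, end); the window may wrap past midnight."""
    return start <= hour < end if start < end else (hour >= start or hour < end)

def fraction_in_window(events, utc_offset, start, end):
    """Share of events whose local hour (at a fixed UTC offset) falls in the window."""
    tz = timezone(timedelta(hours=utc_offset))
    hits = sum(1 for dt, _ in events if in_window(dt.astimezone(tz).hour, start, end))
    return hits / len(events)

def suspicious_sources(events, utc_offset, start, end):
    """Source IPs whose every login falls inside the off-hours window."""
    tz = timezone(timedelta(hours=utc_offset))
    by_ip = {}
    for dt, ip in events:
        by_ip.setdefault(ip, []).append(in_window(dt.astimezone(tz).hour, start, end))
    return sorted(ip for ip, flags in by_ip.items() if all(flags))

def infer_operator_offset(events, work_start=9, work_end=18):
    """Whole-hour UTC offset under which the most logins land on a weekday inside
    a normal working day; ties go to the lower offset. Returns (offset, hits)."""
    best = (None, -1)
    for off in range(-12, 15):
        tz = timezone(timedelta(hours=off))
        local = [dt.astimezone(tz) for dt, _ in events]
        hits = sum(1 for t in local if t.weekday() < 5 and work_start <= t.hour < work_end)
        if hits > best[1]:
            best = (off, hits)
    return best
```

With the constructed sample, eight of nine logins fall in the Beijing night window and the best-fitting operator offset is UTC-5, the pattern the report describes; on real data the same functions run over the server's authentication log.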

2. Attack resources

The five proxy IP addresses used by the attackers were all located in Germany, Romania and other regions, reflecting a high level of awareness of counter-forensics and a rich reserve of attack resources.

3. Attack tools

The attackers skillfully used open-source or generic tools to disguise their activities and avoid detection. The backdoor program found on the compromised servers was a widely used open-source backdoor tool.

The critical backdoor and Trojan programs operated solely in memory and were not stored on the hard drive, greatly increasing the difficulty of detecting the attack during analysis.

4. Attack techniques

After compromising the electronic document management system, the attackers tampered with the system's client distribution program. Through the software client upgrade function, they delivered Trojan programs to 276 personal computers, enabling rapid and targeted attacks on key users and facilitating large-scale information collection and theft. These techniques demonstrate the formidable capabilities of the attacking organization.

IV. Partial list of proxy IPs


The list shows the proxy IPs from the Netherlands, Romania and Germany.
