China Releases Report on U.S. Cyberattacks Targeting a Tech Enterprise

China Reveals Alleged U.S. Cyberattacks on Tech Giant

December 18, 2024—China’s National Computer Network Emergency Response Technical Team (CNCERT) has released a report accusing the United States of orchestrating cyberattacks against a major Chinese technology enterprise. The report details two significant breaches that allegedly resulted in the theft of sensitive commercial information and intellectual property.

Unveiling the Cyberattacks

According to the CNCERT report, the cyberattacks began on August 19, 2024, when attackers exploited a vulnerability in the enterprise’s electronic document management system. This breach allowed unauthorized access and led to the theft of system administrator credentials. Just two days later, on August 21, the attackers reportedly used these credentials to access the system’s backend, setting the stage for a more extensive intrusion.

Deployment of Hidden Malware

On the afternoon of August 21, the attackers allegedly installed a backdoor and a customized Trojan program within the document management system. These malicious programs operated solely in the system’s memory, leaving no trace on the hard drive and evading conventional detection methods. The Trojan was designed to receive sensitive files from compromised personal computers within the organization, while the backdoor aggregated and transmitted the stolen data overseas.

Spread to Personal Computers

In November 2024, on the 6th, 8th, and 16th, the attackers used the software upgrade function of the electronic document server to implant Trojan programs into 276 personal computers within the enterprise. These Trojans scanned the infected machines for sensitive files, login credentials, and other personal information, and were designed to self-delete after execution to avoid detection.

Massive Theft of Trade Secrets

Scanning and Data Gathering

The attackers reportedly conducted comprehensive scans of the enterprise’s internal network, identifying potential targets and gathering detailed information about the company’s operations. They repeatedly accessed the software upgrade management server through proxy IP addresses based in China to infiltrate the network.

Targeted Espionage

Between November 6 and 16, the attackers allegedly executed three separate espionage operations. Each attack involved implanting Trojans pre-programmed with specific keywords related to the enterprise’s work. When files containing these keywords were found, they were extracted and transmitted overseas. CNCERT reports that approximately 4.98 GB of critical commercial information and intellectual property were stolen during these incidents.

Characteristics of the Attacks

Timing and Execution

Analysis from CNCERT indicates that the majority of the attacks occurred between 10 p.m. and 8 a.m. Beijing Time, aligning with daytime hours in Eastern Standard Time in the United States. The attacks primarily took place on weekdays and did not occur during major U.S. holidays, suggesting coordination with U.S. working hours.
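As an added example (not code from the CNCERT report or this article), the following Python performs the kind of working-hours analysis described above over a constructed set of activity timestamps, assuming fixed UTC+8 and UTC-5 (EST) offsets, a 22:00 to 08:00 Beijing window, a 09:00 to 18:00 Eastern workday, and the 2024 U.S. federal holidays falling in the window:

```python
from collections import Counter
from datetime import date, datetime, timedelta, timezone

# Fixed offsets: Beijing has no DST, and U.S. Eastern is UTC-5 (EST) throughout the
# November 2024 window; use zoneinfo.ZoneInfo("America/New_York") for DST-spanning data.
BEIJING = timezone(timedelta(hours=8), "Beijing")
US_EASTERN = timezone(timedelta(hours=-5), "EST")

# Constructed sample of attacker-activity timestamps (UTC); not values from the CNCERT report.
SAMPLE_EVENTS_UTC = [
    "2024-11-06 14:05", "2024-11-06 17:40", "2024-11-07 15:12",
    "2024-11-08 13:55", "2024-11-08 20:30", "2024-11-12 16:20",
    "2024-11-13 18:45", "2024-11-14 15:05", "2024-11-15 14:30",
    "2024-11-16 03:15",  # Saturday 11:15 Beijing / Friday 22:15 Eastern: an outlier
]
# U.S. federal holidays in the window: Veterans Day and Thanksgiving 2024.
US_FEDERAL_HOLIDAYS = {date(2024, 11, 11), date(2024, 11, 28)}


def localize(ts_utc: str, tz: timezone) -> datetime:
    """Parse a 'YYYY-MM-DD HH:MM' UTC string and convert it to the given zone."""
    return datetime.strptime(ts_utc, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc).astimezone(tz)


def in_window(hour: int, start: int, end: int) -> bool:
    """True if hour is in [start, end); start > end means the window wraps midnight (22 -> 8)."""
    return start <= hour < end if start < end else (hour >= start or hour < end)


def analyze_timing(events_utc, holidays=US_FEDERAL_HOLIDAYS) -> dict:
    """Summarize how activity aligns with Beijing night hours and a U.S. Eastern workday."""
    if not events_utc:
        raise ValueError("no events to analyze")
    total = len(events_utc)
    beijing = [localize(e, BEIJING) for e in events_utc]
    eastern = [localize(e, US_EASTERN) for e in events_utc]
    return {
        "total": total,
        "beijing_night_share": sum(in_window(d.hour, 22, 8) for d in beijing) / total,
        "us_business_share": sum(d.weekday() < 5 and in_window(d.hour, 9, 18) for d in eastern) / total,
        "us_weekend_events": sum(d.weekday() >= 5 for d in eastern),
        "us_holiday_events": sum(d.date() in holidays for d in eastern),
        "us_hour_histogram": dict(Counter(d.hour for d in eastern)),
    }


def consistent_with_us_workday(stats: dict, threshold: float = 0.7) -> bool:
    """Heuristic verdict: most activity falls in both windows and none on a U.S. holiday."""
    return (stats["beijing_night_share"] >= threshold and stats["us_business_share"] >= threshold
            and stats["us_holiday_events"] == 0)
```

The verdict is only a heuristic: a single actor can shift hours deliberately, so the histogram should be read alongside the proxy, tooling and infrastructure evidence the report also cites.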

Advanced Techniques and Tools

The attackers employed sophisticated methods to avoid detection. They used five proxy IP addresses located in regions like Germany and Romania, demonstrating a high level of counter-forensics awareness. Open-source and generic tools were skillfully used to disguise their activities. Notably, the critical backdoor and Trojan programs operated solely in memory, which significantly increased the difficulty of detecting the intrusions.

Formidable Capabilities

By compromising the electronic document management system and tampering with the client distribution program, the attackers could rapidly deploy Trojans to numerous personal computers. This allowed for targeted attacks on key users and facilitated large-scale information theft. CNCERT highlighted these techniques as evidence of the attacking organization’s advanced capabilities.

Implications and Response

The report underscores serious concerns about cybersecurity and the protection of intellectual property. While CNCERT has not disclosed the name of the affected enterprise, the incident highlights the vulnerabilities that even major technology companies can face. There has been no immediate response from U.S. authorities regarding the allegations.

CNCERT continues to work on enhancing cybersecurity measures and urges enterprises to strengthen their defenses against such sophisticated attacks.
