
China Reports US Cyberattacks on Major Tech Firm

🚨 On December 18, 2024, China's National Computer Network Emergency Response Technical Team (CNCERT) unveiled a detailed report on two sophisticated cyberattacks orchestrated by the United States targeting a leading Chinese technology enterprise. Let’s break down what happened:

I. The Cyberattack Journey

1. Exploiting Vulnerabilities for Intrusion

It all began on August 19, 2024, when attackers identified a vulnerability in the company's electronic document management system. By August 21, they had stolen the system administrator's credentials, granting them unauthorized access to the backend.

2. Compromising the Software Upgrade Management Server

At noon on August 21, the attackers deployed a backdoor and a customized Trojan program into the system. These malicious programs operated solely in memory, making them hard to detect. The Trojan was designed to collect sensitive files, while the backdoor transmitted the stolen data overseas.

3. Spreading Trojan Infections

Fast forward to November 2024: the attackers exploited the software upgrade feature to implant Trojans into 276 personal computers within the enterprise. These Trojans scanned for sensitive information and stole credentials, deleting themselves immediately after use to cover their tracks.

II. Massive Theft of Trade Secrets

1. Comprehensive Scanning of Host Machines

The attackers conducted full disk scans on the enterprise's internal network, identifying valuable targets and gathering crucial information about the company's operations.

2. Targeted and Specific Theft

Between November 6 and 16, 2024, using three different proxy IP addresses, the attackers implanted Trojans programmed with specific keywords related to the company's work. This precision led to the theft of 4.98 GB of critical commercial information and intellectual property.

III. Characteristics of the Attacks

1. Attack Timing

Most attacks occurred between 10 p.m. and 8 a.m. Beijing Time (10 a.m. to 8 p.m. Eastern Standard Time in the U.S.), primarily on weekdays and avoiding major U.S. holidays.
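The timing pattern above is one of the few characteristics a defender can turn into a detection rule directly. The following is an added example, not code from the report or from CNCERT: it reads constructed log lines (ISO-8601 UTC timestamps, then key=value fields, a format assumed for the demo), converts each timestamp to Beijing time, and flags administrative events that fall in the 10 p.m. to 8 a.m. window on a weekday. The log format, the event names and the IP addresses are all hypothetical.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

BEIJING = timezone(timedelta(hours=8))
OFF_HOURS_START = 22  # 10 p.m. Beijing time
OFF_HOURS_END = 8     # 8 a.m. Beijing time

# Constructed sample log (not taken from the report). Each line is
# "<UTC timestamp> <event> key=value ...". Addresses are documentation ranges.
SAMPLE_LOG = """\
2024-08-21T04:05:00Z admin_login user=sysadmin src=203.0.113.7
2024-08-21T16:30:00Z admin_login user=sysadmin src=198.51.100.9
2024-08-23T23:10:00Z admin_login user=sysadmin src=198.51.100.9
2024-08-24T17:00:00Z admin_login user=sysadmin src=198.51.100.9
2024-11-06T15:45:00Z file_export user=sysadmin src=192.0.2.33 bytes=734003200
"""


def is_off_hours_weekday(ts_utc: datetime) -> bool:
    """True if the event happened 22:00-08:00 Beijing time on a Monday-Friday."""
    local = ts_utc.astimezone(BEIJING)
    off_hours = local.hour >= OFF_HOURS_START or local.hour < OFF_HOURS_END
    return off_hours and local.weekday() < 5  # 0 = Monday ... 4 = Friday


def parse_line(line: str) -> tuple[datetime, str, dict[str, str]]:
    """Split one log line into (UTC datetime, event name, attribute dict)."""
    ts, _, rest = line.partition(" ")
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    fields = rest.split()
    attrs = dict(f.split("=", 1) for f in fields[1:])
    return when, fields[0], attrs


def flag_off_hours(log_text: str) -> list[dict[str, str]]:
    """Return the events that fall in the weekday off-hours window, with both clocks shown."""
    flagged = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, event, attrs = parse_line(line)
        if is_off_hours_weekday(when):
            flagged.append({
                "utc": when.isoformat(),
                "beijing": when.astimezone(BEIJING).isoformat(),
                "event": event,
                "src": attrs.get("src", "?"),
            })
    return flagged


def off_hours_sources(log_text: str) -> Counter:
    """Count flagged events per source address; repeat offenders stand out."""
    return Counter(hit["src"] for hit in flag_off_hours(log_text))


if __name__ == "__main__":
    for hit in flag_off_hours(SAMPLE_LOG):
        print(f"{hit['beijing']}  {hit['event']:<12} src={hit['src']}")
    print(off_hours_sources(SAMPLE_LOG))
```

Note that the weekday test is applied to the converted Beijing time, not to the UTC date: an event logged at 16:30 UTC on a Wednesday is 00:30 Thursday in Beijing, and the Saturday-morning login in the sample is left alone even though it sits inside the hour window. A rule like this only narrows the haystack; it is a trigger for review, not evidence on its own.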

2. Attack Resources

The use of five proxy IP addresses from Germany, Romania, and other regions indicates a high level of sophistication and resourcefulness in counter-forensics.

3. Attack Tools

Attackers utilized open-source and generic tools to disguise their activities. The Trojans operated only in memory, further complicating detection efforts.

4. Attack Techniques

By tampering with the system's client distribution program, attackers delivered Trojans to numerous personal computers through software upgrades, facilitating rapid and targeted data theft.
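The technique above works because the endpoints trust whatever the upgrade server hands them. One mitigation is for the client to accept only packages listed in a signed manifest and to check each package's hash before installing it, so a swapped distribution program fails verification even when it comes from the legitimate server. The following is an added example written for this page, not code from the report or from the affected enterprise; it uses an HMAC over the manifest as a stand-in for a real publisher signature, and the key, package name and package bytes are constructed.

```python
import hashlib
import hmac
import json

# Hypothetical key shared by the publisher and the verifier. In production this
# would be an asymmetric signature with the public key pinned on the client.
PUBLISHER_KEY = b"constructed-demo-key-do-not-reuse"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _manifest_body(entries: dict[str, str]) -> bytes:
    # Canonical encoding so publisher and client sign/verify identical bytes.
    return json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()


def build_signed_manifest(packages: dict[str, bytes]) -> dict:
    """Publisher side: record every package hash and sign the whole list."""
    entries = {name: sha256_hex(blob) for name, blob in packages.items()}
    sig = hmac.new(PUBLISHER_KEY, _manifest_body(entries), hashlib.sha256).hexdigest()
    return {"entries": entries, "sig": sig}


def verify_update(manifest: dict, name: str, blob: bytes) -> tuple[bool, str]:
    """Client side: reject the package unless the manifest is authentic and the hash matches."""
    expected_sig = hmac.new(PUBLISHER_KEY, _manifest_body(manifest["entries"]),
                            hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_sig, manifest["sig"]):
        return False, "manifest signature mismatch"
    if name not in manifest["entries"]:
        return False, "package not listed in manifest"
    if not hmac.compare_digest(manifest["entries"][name], sha256_hex(blob)):
        return False, "package hash mismatch"
    return True, "ok"


# Constructed packages: the genuine client binary and a modified copy.
GOOD_PACKAGE = b"client-update-2.4.1 genuine bytes"
TAMPERED_PACKAGE = b"client-update-2.4.1 modified bytes"
MANIFEST = build_signed_manifest({"client-2.4.1.bin": GOOD_PACKAGE})


def demo() -> list[tuple[bool, str]]:
    """Run the three cases a client must get right; returns their verdicts."""
    results = [
        verify_update(MANIFEST, "client-2.4.1.bin", GOOD_PACKAGE),
        verify_update(MANIFEST, "client-2.4.1.bin", TAMPERED_PACKAGE),
    ]
    # An attacker who can edit the manifest but lacks the key cannot re-sign it.
    forged = {"entries": {"client-2.4.1.bin": sha256_hex(TAMPERED_PACKAGE)},
              "sig": MANIFEST["sig"]}
    results.append(verify_update(forged, "client-2.4.1.bin", TAMPERED_PACKAGE))
    return results


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The key point is that the check happens on the receiving end: a compromised upgrade server can replace the package, and it can replace the manifest, but without the signing key it cannot make the two agree. Keeping the signing key off the distribution server is what makes the control hold when that server is the thing that was compromised.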

🔐 This report underscores the evolving landscape of cyber threats and the importance of robust cybersecurity measures for enterprises worldwide.
