An investigation by McAfee researchers into a case of a suspected malware infection uncovered a cyber attack that had been sitting in the victim organization’s network for years stealing data.
The investigators said the advanced threat actors used a mixture of known and unique malware tools in the attack – which they dubbed Operation Harvest – to compromise the victim’s IT environment, exfiltrate the data and evade detection.
During the two-month investigation, McAfee researchers were able to narrow down the list of suspects to two advanced persistent threat (APT) nation-state groups that have links to China.
“Operation Harvest has been a long-term operation whereby an adversary maintained access for multiple years to exfiltrate data,” Christiaan Beek, lead scientist and senior principal engineer for the Enterprise Office of the CTO at McAfee, wrote in a report. “The exfiltrated data would have either been part of an intellectual property theft for economic purposes and/or would have provided insights that would be beneficial in case of military interventions. The adversaries made use of techniques very often observed in this kind of attack but also used distinctive new backdoors or variants of existing malware families.”
Chinese-Linked APT Groups Likely Suspects
The investigators looked at forensic artifacts and cross-correlated them with historical and geopolitical data and determined that experienced APT actors were behind the long-term attack. They suspect it was either the APT27 group – which also is known as Bronze Union, LuckyMouse and Emissary Panda – or APT41 (Double Dragon, Barium, Winnti, Wicked Panda and Wicked Spider, among other names), both with ties to China.
“Within every nation-state cyber-offensive activity, there will be a department/unit responsible for the creation of the tools/malware, etc.,” Beek wrote. “We strongly believe that is exactly what we observe here as well. PlugX, Winnti and some other custom tools all point to a group that had access to the same tools. Whether we put name ‘X’ or ‘Y’ on the adversary, we strongly believe that we are dealing with a Chinese actor whose long-term objectives are persistence in their victims’ networks and the acquisition of the intelligence needed to make political/strategic or manufacturing decisions.”
Further reading: Best Digital Forensics Tools & Software
Access Through Compromised Web Server
The cybercriminals were able to gain initial access into the victim’s IT environment by compromising a web server, installing the software needed to maintain a presence and storage tools – including PSexec, Procdump and Mimikatz – they eventually used to gather information about the network and laterally move and execute files.
“In this attack, the initial access involved a compromised web server,” McAfee security experts wrote in a blog post. “Over the last year we have seen attackers increasingly use initial access vectors beyond spear-phishing, such as compromising remote access systems or supply chains.”
They also used privilege escalation and persistence techniques. They used Mimikatz to dump credentials and the open-source tool RottenPotato to gain access to a privileged token. Another open-source tool, BadPotato, is used to elevate user rights toward systems rights, Beek wrote. BadPotato code is available on GitHub as a Visual Studio project.
Misuse of Legitimate Open-Source Tools
The availability of open-source tools like BadPotato on legitimate sites like GitHub that can be used in cyberattacks is an issue of debate in the information security world, Beek told eSecurity Planet.
“These tools were originally designed for red teams to test the security of their companies’ networks,” he said. “However, being public on GitHub, one’s testing tool can in the hand of [a bad] actor be part of his arsenal to elevate his rights on a compromised system, as we observed happening in this case.”
The APT group also used the PlugX malware as a backdoor. In addition, an analysis of unique routines and processes for using malware led the McAfee investigators to believe the malware was from the Winnti family, Beek wrote. The bad actors also used several data exfiltration techniques, including creating batch scripts to grab data from certain network shares and folders and then using the ‘rar’ tool to compress the data. There also were variants to this that were performed manually.
Finding the Cyber Suspects
To determine who the perpetrators likely were, McAfee investigators mapped out MITRE ATT&CK Enterprise techniques, added the tools that were used, and compared the information to historical technique data. They determined there were four groups that shared the techniques and sub-techniques and then using a chart narrowed the likely suspects down to APT27 and APT41.
“After mapping out all data, TTP’s [tactics, techniques and procedures] etc., we discovered a very strong overlap with a campaign observed in 2019/2020,” Beek wrote. “A lot of the (in-depth) technical indicators and techniques match. Also putting it into perspective, and over time, it demonstrates the adversary is adapting skills and evolving the tools and techniques being used.”
Preventing Long-Term Attacks
Generally, APT groups are known for staying in a victim’s network for long periods of time, with the mission typically being to collect intelligence, Beek said. It’s not unusual for such bad actors to have access for multiple years. They tend to have multiple options they can draw from to extend their access, he said.
“By having such long-term access, one knows how to stay below the radar,” he said. “We do believe that a long term persistence in the victim’s networks was a motive. On the theft of intellectual property, think about the knowledge of certain formulas, designs or information that can be used in the right hands to strengthen the economic position of a nation. From a military point of view, knowing how things work can be applied for defending or attacking purposes.”
In the blog post, McAfee experts mapped out a range of the vendor’s tools that an organization can use to protect itself from such attacks.
“Operation Harvest, like other targeted attack campaigns, leverages multiple techniques to access the network and capture credentials before exfiltrating data,” the authors wrote. “Therefore, as a Network Defender you have multiple opportunities to prevent, disrupt, or detect the malicious activity. Early prevention, identification and response to potentially malicious activity is critical for business resilience.”
Further reading: How to Build & Run a Threat Hunting Program