Chinese Hacker Suspected in Four-Month Cyberattack on U.S. Organization

December 12, 2024

Citing a report from the Symantec Threat Hunter Team, an article by Ravie Lakshmanan in The Hacker News details a cyberattack on a large US company that unfolded over a period of at least four months. The company was not named, but it is said to have a significant presence in China.

The attack's likely link to China was indicated by the hackers' use of DLL side-loading, said to be a preferred tactic of Chinese groups, and by the presence of artifacts linked to a previous China-sponsored operation code-named Crimson Palace.

Lakshmanan notes that the same unnamed organization that suffered this latest cyberattack was targeted in 2023 by an attacker who may have had links to another China-based group called Daggerfly. That group is sometimes referred to as Evasive Panda and was the subject of another Hacker News post several weeks ago.

“The attackers moved laterally across the organization’s network, compromising multiple computers,” according to the Symantec Team’s report.

Some of the machines targeted were Exchange servers, which led the Symantec investigators to conclude that the attackers were gathering intelligence by targeting email. The attackers also employed exfiltration tools.

The Symantec investigators were not able to identify the exact “initial access mechanism,” Lakshmanan writes, but they did find that “the machine on which the earliest indicators of compromise were detected included a command that was run via WMI (Windows Management Instrumentation) from another system on the network.”

“Some of the other malicious activities that were subsequently performed by the attackers ranged from credential theft and executing malicious DLL files to targeting Microsoft Exchange servers and downloading tools such as FileZilla, PSCP, and WinRAR,” Lakshmanan writes.
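Two of the observables quoted above, a command launched through WMI from another host and the appearance of transfer and archiving tools such as FileZilla, PSCP and WinRAR, can be turned into simple triage rules over process-creation telemetry. The following is an added defender-side example, not code from the article or the Symantec report; the event format and the sample events are constructed for illustration.

```python
import ntpath
from typing import Dict, List

# Constructed sample process-creation events in the style of Sysmon Event ID 1
# (process create). Illustrative only; not data from the Symantec report.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host": "WS-0042", "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"host": "WS-0042", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
    {"host": "MAIL-01", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\svc_backup\Downloads\pscp.exe",
     "cmdline": "pscp.exe export.pst remote:/tmp/"},
    {"host": "MAIL-01", "parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\conhost.exe", "cmdline": "conhost.exe"},
]

# Tool names the article reports the attackers downloaded; matched case-insensitively.
STAGED_TOOLS = {"filezilla.exe", "pscp.exe", "winrar.exe"}


def is_wmi_spawn(event: Dict[str, str]) -> bool:
    """Process was launched by the WMI provider host, i.e. via a (possibly remote) WMI call.
    WmiPrvSE.exe also runs legitimate management scripts, so analysts should correlate a hit
    with a network logon from the originating system before escalating."""
    return ntpath.basename(event["parent"]).lower() == "wmiprvse.exe"


def is_staged_tool(event: Dict[str, str]) -> bool:
    """Image is one of the transfer/archiving tools named in the article."""
    return ntpath.basename(event["image"]).lower() in STAGED_TOOLS


def triage(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one finding per matched rule, keyed by host so an analyst can pivot quickly."""
    findings: List[Dict[str, str]] = []
    for ev in events:
        if is_wmi_spawn(ev):
            findings.append({"host": ev["host"], "rule": "wmi_spawn", "detail": ev["cmdline"]})
        if is_staged_tool(ev):
            findings.append({"host": ev["host"], "rule": "staged_tool", "detail": ev["image"]})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['host']}: {f['rule']} -> {f['detail']}")
```

On the sample data the WMI-spawned shell on WS-0042 and the PSCP binary on MAIL-01 are flagged, while the two benign events are not.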

The Symantec investigators also note the attackers were particularly interested in “Exchange Servers,” which suggests they were “attempting to target mail servers to collect and possibly exfiltrate email data.”
