NightEagle Exploits Microsoft Exchange Vulnerability to Target Chinese Tech and Defense

July 23, 2025


A previously unknown North American advanced persistent threat (APT) group, dubbed “NightEagle” or APT-Q-95, has conducted a covert cyberespionage campaign against Chinese military and tech entities, writes Nate Nelson in Dark Reading.

The group allegedly exploited a zero-day vulnerability in Microsoft Exchange to extract sensitive intelligence.

The revelation is a notable instance of publicly documented Western cyberespionage against China, reversing the usual narrative of Chinese groups attacking North American interests.

The campaign came to light during the CYDES cybersecurity conference in Malaysia, where China-based Qianxin Technology’s RedDrip Team disclosed their findings.

NightEagle reportedly targeted Chinese AI, quantum technology, defense, and chip manufacturing by infiltrating Microsoft Exchange servers and stealing email data.

The intrusion began with Domain Name System (DNS) requests to a suspicious domain resembling a Synology update service, and involved deploying a customized version of “Chisel,” an open-source tunneling tool.

The tool created an encrypted tunnel through which the attackers obtained the Exchange server’s “machineKey,” enabling them to read and manipulate sensitive emails remotely.
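The first observable the article describes is DNS lookups to a domain that imitates a vendor update service. The following is an added example, not part of the article or of Qianxin’s reporting, showing how a defender can screen DNS query logs for vendor-name lookalikes. The log format, the sample lines and the list of legitimate vendor domains are all constructed assumptions for the example; the actual domain NightEagle used is not given in the article.

```python
import re
from collections import namedtuple

# Constructed sample DNS query log (not from the article). Assumed format:
# <timestamp> <client-ip> query <type> <qname>
SAMPLE_DNS_LOG = """\
2025-07-01T08:12:03Z 10.0.5.21 query A update.synology.com
2025-07-01T08:12:09Z 10.0.5.21 query A mail.example.internal
2025-07-01T08:13:44Z 10.0.5.40 query A update7.synology-update.example
2025-07-01T08:14:02Z 10.0.5.40 query A synologyupdate.example
2025-07-01T08:14:31Z 10.0.5.40 query A update.synology.com.example
2025-07-01T08:15:17Z 10.0.5.21 query A dsm.synology.com
"""

# Assumption: the vendor's genuine registrable domains. A real deployment would
# maintain this allow-list per vendor from authoritative sources.
LEGIT_SUFFIXES = ("synology.com", "synology.cn")
VENDOR_TOKEN = "synology"

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+\S+\s+(?P<qname>\S+)$"
)

Finding = namedtuple("Finding", "ts client qname reason")


def is_legit(qname):
    """True only if the name is, or is a subdomain of, an allow-listed domain."""
    q = qname.lower().rstrip(".")
    return any(q == s or q.endswith("." + s) for s in LEGIT_SUFFIXES)


def looks_like_vendor(qname):
    """True if the name contains the vendor token anywhere (cheap lookalike test)."""
    return VENDOR_TOKEN in qname.lower()


def find_lookalikes(log_text):
    """Return findings for queries that mention the vendor but resolve outside
    its legitimate domains, e.g. 'update.synology.com.example'."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        qname = m.group("qname")
        if looks_like_vendor(qname) and not is_legit(qname):
            findings.append(Finding(
                m.group("ts"), m.group("client"), qname,
                "vendor-name lookalike outside allow-listed domains",
            ))
    return findings


if __name__ == "__main__":
    for f in find_lookalikes(SAMPLE_DNS_LOG):
        print(f"{f.ts} {f.client} -> {f.qname}: {f.reason}")
```

The suffix check deliberately anchors on a leading dot so that `update.synology.com.example` is flagged rather than accepted; a plain substring match on the legitimate domain would miss exactly this style of lookalike.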

Although Microsoft has stated that it has not yet found new actionable vulnerabilities, its investigation is ongoing. RedDrip tracked NightEagle’s working hours to the US West Coast, although they refrained from specifying whether the group is based in the US or Canada.

Experts argue that such operations align with the mandate of agencies like the NSA and US Cyber Command, whose missions include gathering intelligence on foreign adversaries.

Attributing cyberattacks remains a complex and politically sensitive process.

The use of commercial software tools in state-backed operations raises potential liability and disclosure concerns for tech firms. Legal and regulatory scrutiny may intensify around software vulnerabilities and national security implications. 
