A Chinese APT group has been conducting a wide-ranging, monthslong espionage campaign against organizations in the government, legal and religious sectors, as well as non-governmental organizations (NGOs) in the U.S. and several other countries.
The infamous group, APT10 (also known as Cicada), has been operating for well over a decade and initially had a heavy focus on companies in Japan. However, over the years the group’s targeting has expanded to also include IT managed service providers, manufacturing companies and universities at a more global scale. This most recent campaign indicates that the group has further expanded its victimology, with organizations in the U.S., Canada, Hong Kong, Turkey, Israel, India, Montenegro and Italy being targeted, said researchers with Symantec's threat hunter team. The researchers noted that the earliest activity in this current campaign occurred in mid-2021, and the attacks appear to still be ongoing.
“The wide number of sectors and geographies of the organizations targeted in this campaign is interesting,” said Symantec researchers in an analysis this week. “This is a long-running campaign from a sophisticated and experienced nation-state-backed actor that may still be ongoing, as the most recent activity we saw in this campaign was in February 2022.”
Researchers said that the initial activity in this campaign stems from Microsoft Exchange Servers, suggesting that attackers may have exploited a known, unpatched Exchange vulnerability to gain access in some cases. After gaining access, attackers then deployed various tools, including the known Sodamaster backdoor. This backdoor has previously been used by APT10 in attacks and is believed to have been exclusively leveraged by the group since at least 2020. It has several capabilities, including the ability to search for running processes as well as download and execute additional payloads.
In addition, the backdoor has several detection-evasion features that may partly explain how the campaign ran unnoticed for so long, as long as nine months for some victims. For one, Sodamaster is fileless: it runs through legitimate programs already on the host rather than writing its own files to disk, which limits the backdoor's footprint and makes it harder to detect. Sodamaster can also evade sandbox analysis by checking for a registry key or delaying execution, and, like many other malware families, it obfuscates and encrypts the traffic it sends back to its command-and-control (C2) server.
Other hallmarks of the campaign include abuse of the legitimate, open-source VLC Media Player: attackers launched a custom loader through the VLC Exports function, and used the WinVNC tool to remotely control victim devices. The group also relied on other legitimate tools throughout the campaign, including the RAR archiving tool to compress and encrypt files ahead of exfiltration, the Microsoft WMIExec command-line tool to execute commands on remote systems, and the open-source NBTScan tool for internal reconnaissance within compromised networks.
“In this campaign, the attackers are also seen dumping credentials, including by using a custom Mimikatz loader,” said researchers. “This version of Mimikatz drops mimilib.dll to obtain credentials in plain text for any user that is accessing the compromised host and provides persistence across reboots.”
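As an added illustration (not code from Symantec or this article), the Python sketch below checks constructed Sysmon-style events for the two footholds described above: a non-Microsoft DLL such as mimilib registered as an LSA Security Support Provider, which is how that Mimikatz component survives reboots, and vlc.exe loading a DLL from outside its own directory, the shape of the custom-loader trick. Field names follow Sysmon (EventID, TargetObject, Details, Image, ImageLoaded); the newline-separated rendering of the registry value data is an assumption.

```python
import json
from pathlib import PureWindowsPath

# Microsoft SSPs normally listed under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages.
# Any other name (such as mimilib) is a third-party SSP that LSASS will load at every boot.
KNOWN_SSPS = {"kerberos", "msv1_0", "schannel", "wdigest", "tspkg", "pku2u", "cloudap", ""}
LSA_SECURITY_PACKAGES = "\\control\\lsa\\security packages"

def unknown_ssps(event):
    """Names written to Security Packages that are not Microsoft's own (Sysmon EventID 13)."""
    if event.get("EventID") != 13 or not event.get("TargetObject", "").lower().endswith(LSA_SECURITY_PACKAGES):
        return []
    # Assumption: the REG_MULTI_SZ data arrives as entries separated by newlines or NULs.
    entries = event.get("Details", "").replace("\x00", "\n").split("\n")
    return sorted({e.strip().lower() for e in entries} - KNOWN_SSPS)

def sideloaded_vlc_dll(event):
    """Path of a DLL that vlc.exe loaded from outside its own folder or Windows (Sysmon EventID 7)."""
    if event.get("EventID") != 7:
        return None
    image = PureWindowsPath(event.get("Image", ""))
    loaded = PureWindowsPath(event.get("ImageLoaded", ""))
    if image.name.lower() != "vlc.exe" or loaded.suffix.lower() != ".dll":
        return None
    parent = str(loaded.parent).lower()
    if parent == str(image.parent).lower() or parent.startswith("c:\\windows\\"):
        return None  # DLL beside vlc.exe or a system DLL: expected
    return str(loaded)

def scan(lines):
    """Apply both checks to JSON event lines; return (rule, detail) tuples in event order."""
    hits = []
    for line in lines:
        ev = json.loads(line)
        hits.extend(("lsa_ssp_registered", ssp) for ssp in unknown_ssps(ev))
        dll = sideloaded_vlc_dll(ev)
        if dll:
            hits.append(("vlc_sideload", dll))
    return hits

# Constructed sample events (not from the Symantec report): an SSP registration, a benign VLC
# library load, and a DLL load from a user-writable folder.
SAMPLE_EVENTS = [
    json.dumps({"EventID": 13, "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\Lsa\\Security Packages",
                "Details": "kerberos\nmsv1_0\nschannel\nwdigest\ntspkg\npku2u\ncloudap\nmimilib"}),
    json.dumps({"EventID": 7, "Image": "C:\\Program Files\\VideoLAN\\VLC\\vlc.exe",
                "ImageLoaded": "C:\\Program Files\\VideoLAN\\VLC\\libvlc.dll"}),
    json.dumps({"EventID": 7, "Image": "C:\\Program Files\\VideoLAN\\VLC\\vlc.exe",
                "ImageLoaded": "C:\\Users\\Public\\loader.dll"}),
]
```

Running `scan(SAMPLE_EVENTS)` yields one hit for the mimilib SSP registration and one for the DLL loaded from C:\Users\Public; the libvlc.dll load is ignored.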
APT10 is known for attempting to steal military, intelligence and business secrets from its targets. The group has previously gone after high-profile organizations: a 2018 U.S. government indictment of two alleged APT10 members, for instance, revealed that the group had targeted NASA, various U.S. government agencies and managed service providers.
But in this more recent incident, “the targeting of multiple large organizations in different geographies at the same time would require a lot of resources and skills that are generally only seen in nation-state backed groups, and shows that Cicada still has a lot of firepower behind it when it comes to its cyber activities,” said researchers.