Chinese APT Targets Global Firms in Monthslong Attack
Targets Include MSPs, Government Orgs, NGOs in Europe, Asia, North America
Chinese state-backed APT group Cicada is attacking global organizations in what appears to be a monthslong espionage campaign.
The Cicada group, also called APT10, has been targeting government, legal, religious and nongovernmental organizations in Europe, Asia and North America, according to the Broadcom Software-run Symantec Threat Hunter team.
The researchers say the APT actor's initial activity was heavily focused on Japanese-linked companies, but in recent times it has been linked to attacks on managed service providers with a more global footprint. This campaign, they add, appears to indicate a further widening of Cicada's target area.
"While Cicada has been linked to espionage-style operations dating back to 2009, the earliest activity in this current campaign occurred in mid-2021, with the most recent activity seen in February 2022. So this is a long-running attack campaign that may still be ongoing," the researchers say.
Cicada, also known as Stone Panda and Cloud Hopper, is linked to China's Ministry of State Security. The group has long been targeting Japanese organizations for cyberespionage, Symantec has said in the past (see: Chinese Hackers Exploit Zerologon Flaw for Cyberespionage).
Xueyin Peh, senior cyberthreat intelligence analyst at security firm Digital Shadows, says, "APT10 is arguably one of the most technically capable APT groups associated with the People's Republic of China." He says Operation Cloud Hopper in 2017, in which it successfully targeted multiple MSPs, was the group's most prominent cyber campaign and that it has also conducted other high-profile, sophisticated attacks, including Operation Soft Cell in 2019, targeting telecommunications providers, and Operation TradeSecret in 2017, targeting U.S. lobbyists.
Members of this hacking group were sanctioned by the European Council for campaigns that took place within European Union member states (see: EU Issues First Sanctions for Cyberattacks).
In December 2018, the U.S. Justice Department unsealed an indictment against two alleged Cicada members for their roles in hacking the networks of 45 technology companies and U.S. government agencies (see: 2 Chinese Nationals Indicted for Cyber Espionage).
The attribution to Cicada by the Symantec Threat Hunter team is based on the presence of a custom loader and custom malware on victim networks that are believed to be exclusively used by the APT group.
Exploiting Known Vulnerability
The initial activity on victim networks is seen on Microsoft Exchange Servers, the researchers say. This suggests that an unpatched vulnerability in Microsoft Exchange may have been used to gain access to victim networks in some cases.
In 2020, Symantec researchers released a report about the same APT actor, which at that time was exploiting the critical Zerologon vulnerability in Windows Server as part of a cyberespionage campaign.
The campaign, which began in October 2019, targeted Japanese firms and their subsidiaries in 17 locations across the world, Symantec said in its report. The focus of the campaign was to exfiltrate data, particularly from automotive organizations, as part of an industrial cyberespionage effort (see: Chinese Hackers Exploit Zerologon Flaw for Cyberespionage).
At that time the APT group was using a custom malware variant called Backdoor.Hartup as well as "living off the land" tools against its victims. Once a victim's network was compromised, the hackers remained active for up to a year to exfiltrate data. Cicada also used a Dynamic Link Library (DLL) side-loading technique to compromise the victims' domain controllers and file servers.
"Various tools (were) deployed in this campaign, and Cicada’s past activity indicates that the most likely goal of this campaign is espionage. Cicada activity was linked by U.S. government officials to the Chinese government in 2018," the latest report says.
SodaMaster, Other Tools
Upon successfully gaining access to victim machines, the Symantec researchers observed APT actors deploying a custom loader and the SodaMaster backdoor. The researchers say that the loader deployed in this campaign was also deployed in a previous Cicada attack.
SodaMaster is a fileless malware that is capable of multiple functions, including evading detection in a sandbox by checking for a registry key or delaying execution; enumerating the username, hostname, and operating system of targeted systems; searching for running processes; and downloading and executing additional payloads.
SodaMaster is believed to be exclusively used by Cicada and is capable of obfuscating and encrypting traffic that it sends back to its command-and-control server, the researchers say, adding that it is a powerful backdoor that Cicada has been using since at least 2020.
"In this campaign, the attackers are also seen dumping credentials, including by using a custom Mimikatz loader. This version of Mimikatz drops mimilib.dll to obtain credentials in plain text for any user that is accessing the compromised host and provides persistence across reboots," the researchers say. "The attackers also exploit the legitimate VLC Media Player by launching a custom loader via the VLC Exports function, and use the WinVNC tool for remote control of victim machines."
Some other tools used in this campaign include:
- RAR archiving tool: Used to compress, encrypt or archive files for exfiltration;
- System/network discovery: Helps attackers determine what systems or services are connected to an infected machine;
- WMIExec: A command-line tool that uses Windows Management Instrumentation (WMI) to execute commands on remote computers;
- NBTScan: An open-source tool used by APT groups to conduct internal reconnaissance within a compromised network.
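The credential-dumping and side-loading behavior quoted from the researchers above, and the remote-execution tooling in the list, all leave host telemetry that a defender can hunt for. The following Python is an added example written for this page, not Symantec's detection content or anything recovered from Cicada's tooling. It runs three rules over Sysmon-style events (event IDs 1, 7 and 13 are real Sysmon IDs; the event records themselves are constructed): a non-default package being written to the LSA "Security Packages" value, which is how the Mimikatz mimilib.dll SSP survives reboots; vlc.exe loading an unsigned DLL or one from outside its install tree or the Windows system directories, the footprint of the VLC side-loading described in the quote; and cmd.exe spawned by WmiPrvSE.exe with output redirected to the ADMIN$ share, the pattern produced by WMI-based remote execution tools. The baseline SSP list, the field names and the sample timestamp are assumptions for illustration.

```python
"""Added example: hunting for the Cicada tradecraft described above in
Sysmon-style JSON events. Not Symantec's or the threat actor's code; the
event records in SAMPLE_EVENTS are constructed for this example."""
import json
import ntpath

# Real Sysmon event IDs: 1 = ProcessCreate, 7 = ImageLoad, 13 = RegistryEvent (SetValue)
PROCESS_CREATE, IMAGE_LOAD, REG_SET_VALUE = 1, 7, 13

# Assumed baseline of packages normally found in
# HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages; tune per build.
BASELINE_SSPS = {"kerberos", "msv1_0", "schannel", "wdigest", "tspkg", "pku2u", "cloudap", "negoexts"}

WINDOWS_SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
ADMIN_SHARE_REDIRECT = "\\\\127.0.0.1\\admin$\\"   # i.e. \\127.0.0.1\admin$\


def _base(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def detect_ssp_persistence(ev):
    """Mimikatz mimilib.dll persists by registering itself as an LSA SSP."""
    if ev["EventID"] != REG_SET_VALUE:
        return None
    if not ev["TargetObject"].lower().endswith(r"\control\lsa\security packages"):
        return None
    extra = {p.lower() for p in ev["Details"].split()} - BASELINE_SSPS
    if extra:
        return f"non-default SSP registered: {sorted(extra)}"
    return None


def detect_vlc_sideload(ev):
    """vlc.exe loading an unsigned DLL, or one from an unexpected directory."""
    if ev["EventID"] != IMAGE_LOAD or _base(ev["Image"]) != "vlc.exe":
        return None
    dll = ev["ImageLoaded"]
    vlc_dir = ntpath.dirname(ev["Image"]).lower()
    in_vlc_tree = ntpath.dirname(dll).lower().startswith(vlc_dir)
    in_system = dll.lower().startswith(WINDOWS_SYSTEM_DIRS)
    signed = ev.get("Signed", "false").lower() == "true"
    # A planted DLL next to a copied vlc.exe is inside the "install tree",
    # so the signature check is what catches that case.
    if not signed or not (in_vlc_tree or in_system):
        return f"vlc.exe loaded {dll} (signed={signed})"
    return None


def detect_wmiexec(ev):
    """WMI remote execution: WmiPrvSE.exe -> cmd.exe /Q /c ... 1> \\\\127.0.0.1\\ADMIN$\\... 2>&1"""
    if ev["EventID"] != PROCESS_CREATE:
        return None
    if _base(ev["ParentImage"]) != "wmiprvse.exe" or _base(ev["Image"]) != "cmd.exe":
        return None
    cmdline = ev["CommandLine"].lower()
    if "/q /c" in cmdline and ADMIN_SHARE_REDIRECT in cmdline:
        return "cmd.exe under WmiPrvSE.exe with output redirected to ADMIN$ (WMIExec-style)"
    return None


RULES = (detect_ssp_persistence, detect_vlc_sideload, detect_wmiexec)


def scan(jsonl):
    """Run every rule over each JSON-lines event; return (rule name, finding) pairs."""
    hits = []
    for line in jsonl.strip().splitlines():
        ev = json.loads(line)
        for rule in RULES:
            finding = rule(ev)
            if finding:
                hits.append((rule.__name__, finding))
    return hits


# Constructed sample telemetry (not real victim data). The last two lines are benign.
SAMPLE_EVENTS = r"""
{"EventID": 13, "Image": "C:\\Windows\\regedit.exe", "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\Lsa\\Security Packages", "Details": "kerberos msv1_0 schannel wdigest tspkg pku2u mimilib"}
{"EventID": 7, "Image": "C:\\ProgramData\\vlc\\vlc.exe", "ImageLoaded": "C:\\ProgramData\\vlc\\libvlc.dll", "Signed": "false"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", "CommandLine": "cmd.exe /Q /c whoami 1> \\\\127.0.0.1\\ADMIN$\\__1650000000.12 2>&1"}
{"EventID": 7, "Image": "C:\\Program Files\\VideoLAN\\VLC\\vlc.exe", "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll", "Signed": "true"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "cmd.exe /c dir"}
"""

if __name__ == "__main__":
    for name, finding in scan(SAMPLE_EVENTS):
        print(f"[{name}] {finding}")
```

Running the script flags the first three constructed events and stays quiet on the two benign ones. In production the same rules would be fed from a SIEM rather than a string, and the SSP baseline should be taken from a known-good host of the same Windows build, since the default package list varies between versions.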
The researchers say this is a long-running campaign from a "sophisticated and experienced nation-state-backed actor" and add that it may still be ongoing. They say the most recent activity they observed in the campaign was in February 2022.
"The targeting of multiple large organizations in different geographies at the same time would require a lot of resources and skills that are generally only seen in nation-state-backed groups, and shows that Cicada still has a lot of firepower behind it when it comes to its cyber activities," the researchers say.
Peh tells ISMG the group's exploitation of VLC media player is "a novel technique." He says that although threat actors often use DLL side-loading, which is loading malware into a legitimate process to mask illegitimate activity, almost no known threat groups previously have used DLL side-loading using VLC.