OP 25 October, 2022 - 03:46 PM
The China-aligned espionage-focused actor dubbed Winnti has set its sights on government organizations in Hong Kong as part of an ongoing campaign dubbed Operation CuckooBees.
Active since at least 2007, Winnti (aka APT41, Barium, Bronze Atlas, and Wicked Panda) is the name designated to a prolific cyber threat group that carries out Chinese state-sponsored espionage activity, predominantly aimed at stealing technology secrets from organizations in developed economies.
The threat actor's campaigns have targeted healthcare, telecoms, high-tech, media, agriculture, and education sectors, with infection chains primarily relying on spear-phishing emails with attachments to initially break into the victims' networks.
Earlier this May, Cybereason disclosed long-running attacks orchestrated by the group since 2019 to siphon intellectual property from technology and manufacturing companies mainly located in East Asia, Western Europe, and North America.
The intrusions, clubbed under the moniker Operation CuckooBees, are estimated to have resulted in the exfiltration of "hundreds of gigabytes of information," the Israeli cybersecurity company revealed.
The latest activity, according to the Symantec Threat Hunter team, part of Broadcom Software, is a continuation of the proprietary data theft campaign, but with a focus on Hong Kong.
The attackers remained active on some of the compromised networks for as long as a year, the company said in a report shared with The Hacker News, adding the intrusions paved the way for the deployment of a malware loader called Spyder, which first came to light in March 2021.
"[Spyder] is being used for targeted attacks on information storage systems, collecting information about corrupted devices, executing mischievous payloads, coordinating script execution, and C&C server communication," the SonicWall Capture Labs Threat Research Team noted at the time.
Also deployed alongside Spyder were other post-exploitation tools, such as Mimikatz and a trojanized zlib DLL module that's capable of receiving commands from a remote server or loading an arbitrary payload.
Symantec said that it did not observe the delivery of any final-stage malware, although the motives of the campaign are suspected to be linked to intelligence gathering based on tactical overlaps with previous attacks.
"The fact that this campaign has been ongoing for several years, with different variants of the Spyder Loader malware deployed in that time, indicates that the actors behind this activity are persistent and focused adversaries, with the ability to carry out stealthy operations on victim networks over a long period of time," Symantec said.