In February 2025, an intrusion at a US defense technology firm (a ReliaQuest customer) was traced to a Chinese advanced persistent threat (APT) group. The operation chained exploitation of SharePoint and Ivanti Pulse Secure vulnerabilities with deliberate defense evasion to extract sensitive intellectual property. The findings show how nation-state actors work patiently and keep long-term access to their targets. Affected: US defense technology sector
Keypoints :
- A Chinese advanced persistent threat (APT) group was behind an attack on a US defense technology customer.
- The attack was characterized by sophisticated techniques and focused on extracting sensitive information.
- Breakout time (initial access to first lateral movement) averaged 21 hours, pointing to a deliberate, low-and-slow approach rather than a smash-and-grab intrusion.
- The attackers went after full backup files on the victim's SFTP/managed file transfer servers (the Globalscape EFT Server backup listed among the indicators below) to obtain defense-related intellectual property.
- Exploitation of vulnerabilities in SharePoint and Ivanti Pulse Secure appliances was central to gaining and extending access.
- Defense evasion included disabling logging on the Ivanti devices, wiping Active Directory logs, and planting backdoors disguised as legitimate processes.
- Persistence came from custom DLLs and web shells.
- The operation aligns with China’s strategic goals of enhancing military strength and technological prowess through espionage.
- Enterprises must adapt defenses to combat sophisticated tactics used by nation-state actors.
MITRE Techniques :
- Exploit Public-Facing Application (T1190): Exploited SharePoint vulnerabilities for initial access to the environment.
- Brute Force (T1110): Brute-forced service accounts tied to SharePoint to escalate access (password guessing maps to T1110, not to OS Credential Dumping, T1003).
- Exploitation of Remote Services (T1210): Compromised Ivanti devices through unpatched vulnerabilities.
- Remote Services (T1021): Moved laterally over SMB named pipes (SMB/Windows Admin Shares, T1021.002) and RDP (T1021.001).
- Indicator Removal (T1070): Disabled logging on the Ivanti devices and wiped Active Directory event logs to conceal activity.
- Persistence (T1547 / T1505.003): Maintained access through custom Dynamic Link Libraries (Boot or Logon Autostart Execution, T1547) and web shells (Server Software Component: Web Shell, T1505.003).
- Exfiltration Over C2 Channel (T1041): Used malicious scripts to pull data out over the command-and-control channel.
Indicators of Compromise :
- [File Path] C:\Program Files\Globalscape\EFT Server\IPWork EDI COM.dll
- [File Path] C:\Program Files\Globalscape\EFT Server\DBUtility\logs4net.dll
- [File Path] C:\ProgramData\Globalscape\EFT Server\Backup\Temp1.bak
- [File Path] C:\Program Files\Globalscape\EFT Server\GoogleDriveClientHelper.dll
- [File Path] C:\ProgramData\Templates.log
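The paths above are useful only if someone actually sweeps hosts for them. The following is an added example of such a sweep (not tooling from the ReliaQuest report): it re-roots each IOC path, hashes and timestamps any hit, and lists neighbouring files modified around the same time, since an intrusion rarely leaves only the files a report happens to name. The Globalscape path layout is taken as listed; `demo_on_scratch_tree()` and its planted fixture files are constructed for the demonstration and the `root` parameter exists so the same code can be pointed at a mounted disk image or a scratch directory.

```python
"""Sweep a host for the file-path IOCs listed above and fingerprint any hit.
Added example, not tooling from the ReliaQuest report. Run on the Windows
host with root="C:\\" (the default); `root` lets the same code run against a
mounted image or, as in demo_on_scratch_tree(), a scratch directory."""
import hashlib
import os
import sys
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import PureWindowsPath

IOC_PATHS = [
    r"C:\Program Files\Globalscape\EFT Server\IPWork EDI COM.dll",
    r"C:\Program Files\Globalscape\EFT Server\DBUtility\logs4net.dll",
    r"C:\ProgramData\Globalscape\EFT Server\Backup\Temp1.bak",
    r"C:\Program Files\Globalscape\EFT Server\GoogleDriveClientHelper.dll",
    r"C:\ProgramData\Templates.log",
]


def to_local(ioc, root):
    """Re-root a C:\\-anchored IOC path under `root` (drops the drive anchor)."""
    return os.path.join(root, *PureWindowsPath(ioc).parts[1:])


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def siblings_modified_near(path, window=timedelta(days=1)):
    """Other files in the same directory whose mtime is within `window` of the
    hit: a cheap way to surface companion files the IOC list does not name."""
    folder = os.path.dirname(path)
    ref = os.stat(path).st_mtime
    out = []
    for name in sorted(os.listdir(folder)):
        p = os.path.join(folder, name)
        if p != path and os.path.isfile(p) and abs(os.stat(p).st_mtime - ref) <= window.total_seconds():
            out.append(name)
    return out


def sweep(root="C:\\", iocs=IOC_PATHS):
    """Return one report dict per IOC path that exists under `root`."""
    hits = []
    for ioc in iocs:
        local = to_local(ioc, root)
        if not os.path.isfile(local):
            continue
        st = os.stat(local)
        hits.append({
            "ioc": ioc,
            "sha256": sha256_of(local),
            "size": st.st_size,
            "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
            "siblings": siblings_modified_near(local),
        })
    return hits


def demo_on_scratch_tree():
    """Plant two constructed files in a temp dir and sweep it. Returns the hits
    and the SHA-256 of the planted file so callers can check the report."""
    root = tempfile.mkdtemp()
    planted = to_local(IOC_PATHS[0], root)
    os.makedirs(os.path.dirname(planted), exist_ok=True)
    payload = b"MZ" + b"\x00" * 62 + b"constructed-fixture"   # not a real DLL
    with open(planted, "wb") as f:
        f.write(payload)
    with open(os.path.join(os.path.dirname(planted), "companion.dll"), "wb") as f:
        f.write(b"also constructed")                           # the "neighbour"
    return sweep(root), hashlib.sha256(payload).hexdigest()


if __name__ == "__main__":
    hits = sweep() if sys.platform == "win32" else demo_on_scratch_tree()[0]
    for hit in hits:
        print(hit)
```

Record the hashes from real hits before touching the files: the report gives paths only, so the SHA-256 values you collect are what lets you pivot to other hosts and to vendor telemetry, and the `siblings` list is where to start looking for the custom DLLs and web shells the report describes but does not enumerate.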
Full Story: https://reliaquest.com/blog/threat-spotlight-the-data-chase-understanding-chinese-espionage-strategies/