Chinese APT Group Winnti Is Stealing Intellectual Property
Forensic Analysis Used to Detect the Group's Involvement, Cybereason Says
A new malicious campaign that siphons off intellectual property and sensitive data - including documents, blueprints, diagrams, formulas and manufacturing-related proprietary data - has been identified by researchers at cybersecurity firm Cybereason as being the work of Chinese APT Winnti based on forensic analysis.
Also known as APT 41, BARIUM and Blackfly, the group is known for its stealth, sophistication and focus on stealing technology secrets. It primarily targets technology and manufacturing companies in North America, Europe and Asia.
Cybereason, which has closely tracked the group, says that the APT actor has, over several years, surreptitiously conducted reconnaissance, identified valuable data and exfiltrated hundreds of gigabytes of information in its campaign dubbed Operation CuckooBees.
Cybereason does not specify which companies the data belongs to, whether it has been leaked, or how it came by this information.
The company says it has briefed the U.S. FBI and Department of Justice on the operation.
Lior Div, CEO and co-founder of Cybereason, tells Information Security Media Group that Operation CuckooBees highlights the "sophistication and elusiveness" of Chinese-sponsored threat groups. This global espionage campaign, Div says, was launched in 2019 and has targeted "dozens of the largest manufacturing companies in the world."
He describes the APT group as operating like a guided missile, saying, "Once it locks onto a target, there is no escaping."
The researchers at Cybereason have been tracking this group since 2021, after it attempted a series of intrusions targeted at technology and manufacturing companies in North America, Europe and Asia.
The attackers, the researchers say, have been collecting information that could be used for future cyberattacks. This includes data such as the target company's business units, network architecture, user accounts and credentials, employee emails and customer data.
"This group has existed since at least 2010 and is believed to be operating on behalf of Chinese state interests and specializes in cyberespionage and intellectual property theft," the researchers say.
The researchers have also discovered a previously undocumented malware strain in the Winnti arsenal, called DEPLOYLOG, and have found new versions of known Winnti malware, including Spyder Loader, PRIVATELOG and WINNKIT.
The CuckooBees campaign contains another deviation from the norm: The threat actor has abused the Windows Common Log File System, or CLFS, feature, the researchers say.
"The attackers leveraged the Windows CLFS mechanism and NTFS transaction manipulations, which allowed them to conceal their payloads and evade detection by traditional security products."
CLFS is a logging framework that was first introduced by Microsoft in Windows Server 2003 R2 and is included in later Windows operating systems. It provides a high-performance logging system for a variety of purposes ranging from simple error logs to transactional systems and data stream collection.
"CLFS employs a proprietary file format that isn't documented, and can only be accessed through the CLFS API functions. As of writing this report, there is no tool which can parse the flushed logs. This is a huge benefit for attackers, as it makes it more difficult to examine and detect them while using the CLFS mechanism," the researchers say.
'Intricate and Interdependent'
The researchers describe the attackers' payload mechanism as "intricate and interdependent." The complex infection chain that led to the deployment of the WINNKIT rootkit is composed of multiple interdependent components, they say. The attackers implemented a delicate "house of cards" approach, in which each component depended on the others to function properly, making it very difficult to analyze any component separately, they say.
"Detecting sophisticated threats is impossible using today's legacy security products, and a shift in the mindset of security practitioners is essential to stopping threat groups. Our investigation highlights the importance of protecting internet-facing assets, early detection of scanning activity and exploitation attempts, the ability to detect web shell activity, persistence, reconnaissance attempts by legitimate Windows tools, credential dumping and lateral movement attempts," Div says.
To summarize, the Winnti malware arsenal currently includes:
- Spyder, a sophisticated modular backdoor;
- STASHLOG, the initial deployment tool "stashing" payloads in Windows CLFS;
- SPARKLOG, which extracts and deploys PRIVATELOG to gain privilege escalation and achieve persistence;
- PRIVATELOG, which extracts and deploys DEPLOYLOG;
- DEPLOYLOG, which deploys the WINNKIT rootkit and serves as a user-land agent;
- WINNKIT, the Winnti kernel-level rootkit.
"It is also hard to estimate the exact number of companies affected by Operation CuckooBees due to the complexity, stealth and sophistication of the attacks. Winnti is one of the most industrious groups operating on behalf of Chinese state-aligned interests," the researchers say.
Attack Method Analysis
The researchers found that the initial foothold in the organization originated from multiple vulnerabilities in the organization's enterprise resource planning, or ERP, platform. They say that the attackers were then able to install persistence in the form of a web shell and began conducting reconnaissance and credential dumping, enabling them to move laterally in the network.
This ultimately allowed the attackers to steal highly sensitive information from critical servers and endpoints belonging to high-profile stakeholders. Further analysis revealed that the ultimate goal of the operation was cyberespionage with the aim of stealing proprietary information, research and development documents, source code and blueprints for various technologies.
"The attackers managed to go undetected for years by using stealthy techniques combined with state-of-the-art attack and espionage tools which included advanced rootkits," the researchers say.
The researchers also observed that, to collect data efficiently, the attackers used a renamed Chinese-language version of WinRAR to create password-protected archives containing the stolen data.
"The WinRAR executable is a 32-bit command-line version of the legitimate WinRAR application. The executable was renamed to rundll32.exe, a legitimate Windows program, in order to disguise it and silently blend it in with other Windows system files," the researchers say.
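As an added illustration, not code from Cybereason's report, the following Python checks constructed Sysmon-style process-creation records for the masquerading described above: a rundll32.exe running from a non-system path, a PE OriginalFileName that does not match the on-disk name, or a command line that uses archiver syntax instead of the DLL-loading syntax rundll32 normally takes. The sample records, their field names and the assumed OriginalFileName of the command-line archiver are assumptions for illustration.

```python
# Constructed Sysmon-style process-creation records (assumed field names, not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"Image": r"C:\ProgramData\rundll32.exe",            # archiver renamed to blend in
     "OriginalFileName": "Rar.exe",                        # assumed name carried in the PE version info
     "CommandLine": r"rundll32.exe a -hpS3cret -r -m5 C:\ProgramData\out.rar D:\Designs\*.dwg"},
    {"Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": r'rundll32.exe "C:\Windows\SysWOW64\advpack.dll",LaunchINFSection setup.inf'},
]

# The only locations where the genuine rundll32.exe is expected to live.
SYSTEM_PATHS = {r"c:\windows\system32\rundll32.exe", r"c:\windows\syswow64\rundll32.exe"}

# Single-letter commands understood by the command-line RAR archiver (add, extract, update, ...).
RAR_COMMANDS = {"a", "e", "x", "u", "t", "m", "d", "l"}


def looks_like_rar_syntax(cmdline):
    """True when a rundll32 command line reads like 'rar <cmd> -switches archive files'."""
    tokens = cmdline.split()
    if len(tokens) < 3:
        return False
    if any(".dll" in t.lower() for t in tokens):
        return False  # a DLL operand is ordinary rundll32 usage
    return tokens[1].lower() in RAR_COMMANDS and any(t.startswith("-") for t in tokens[2:])


def check_event(ev):
    """Return the reasons an event looks like a masqueraded archiver; empty list if benign."""
    reasons = []
    if ev["Image"].rsplit("\\", 1)[-1].lower() != "rundll32.exe":
        return reasons  # only rundll32.exe look-alikes are in scope here
    if ev["Image"].lower() not in SYSTEM_PATHS:
        reasons.append("rundll32.exe running from a non-system path")
    if ev.get("OriginalFileName", "").lower() != "rundll32.exe":
        reasons.append("PE OriginalFileName %r does not match rundll32.exe" % ev["OriginalFileName"])
    if looks_like_rar_syntax(ev["CommandLine"]):
        reasons.append("command line uses RAR archiver syntax (password switch -hp present)"
                       if any(t.startswith("-hp") for t in ev["CommandLine"].split())
                       else "command line uses RAR archiver syntax")
    return reasons


def scan(events):
    """Return (image path, reasons) for every suspicious record."""
    return [(ev["Image"], check_event(ev)) for ev in events if check_event(ev)]


if __name__ == "__main__":
    for image, reasons in scan(SAMPLE_EVENTS):
        print(image, "->", "; ".join(reasons))
```

Each check is weak on its own (a legitimate rundll32 can be copied elsewhere), so the value lies in combining them; the OriginalFileName mismatch is the most reliable signal when the telemetry source records it.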