A complicated, long-running cyberespionage campaign has been discovered by McAfee. The adversary was capable of exfiltrating network data for years on end. The campaign has been dubbed Operation Harvest.

About Operation Harvest

The campaign gains its name from its goal of siphoning off sensitive information from company networks to later use it for strategic military purposes. The threat actors are leveraging a medley of old and new malware packages and are, apparently, highly sophisticated and experienced. The intrusion commenced with initial access vectors and proceeded to abuse privilege escalation to steal credentials and laterally move across the network.

Why it matters

  • While some of the techniques used were the same as commonly observed techniques, the attackers used some unique backdoors and malware variants.
  • The stolen data probably contained intellectual property, which the adversaries could exploit for financial gain.

Attribution

  • Long-term cyberespionage operations and covert information heists are two characteristics often associated with China-backed threat actors. Experts believe that the threat actor is linked to Beijing.
  • A 2017 report by Trend Micro describes this recent technique, which is linked to the Winnti Group. McAfee researchers have discovered that the payload deployed belongs to Winnti.
  • However, a comparison of the techniques, sub-techniques, timestamps, and historical artifacts indicates that the campaign is most likely the work of APT27 and APT41.

The bottom line

This campaign highlights the challenges faced in discovering attacks by highly skilled APT groups. Therefore, defending against such threats requires a multi-layered, proactive approach. It is clear that, over time, the threat group has been honing its skills and evolving its TTPs. With high confidence, researchers have attributed this attack to Chinese nation-sponsored threat actors.

Cyware Publisher
