Massachusetts, US: “Operation Cuckoo Bees research is the culmination of a 12 month investigation that highlights the intricate and extensive efforts of the Chinese state-sponsored Winnti Group (APT 41) to abscond with proprietary information from dozens of global organizations. The most alarming revelation is that the companies weren’t aware they were breached, going some as far back as at least 2019, giving Winnti free unfiltered access to intellectual property, blueprints, sensitive diagrams and other proprietary data,” said Lior Div, Cybereason CEO and Co-founder.
During its investigation, Cybereason discovered that Winnti conducted Operation CuckooBees undetected since at least 2019, likely siphoning thousands of gigabytes of intellectual property and sensitive proprietary data from dozens of companies.
Cybereason published two reports, the first examining the tactics and techniques of the overall campaign, and the second providing a detailed analysis of the malware and exploits used.
Based on the analysis of the forensic artifacts, Cybereason estimates with medium-high confidence that the perpetrators of the attack are linked to the notorious Winnti APT group. This group has existed since at least 2010 and is believed to be operating on behalf of Chinese state interests and specializes in cyber espionage and intellectual property theft.
Other key findings include the discovery of a sophisticated and elusive cyber-espionage operation with the goal of stealing sensitive proprietary information from technology and manufacturing companies mainly in East Asia, Western Europe, and North America.
The reports expose a previously undocumented malware strain called DEPLOYLOG used by the Winnti APT group, and highlights new versions of known Winnti malware, including Spyder Loader, PRIVATELOG, and WINNKIT.
The reports include an analysis of the complex infection chain that led to the deployment of the WINNKIT rootkit composed of multiple interdependent components.
According to the report, the attackers implemented a delicate “house of cards” approach, where each component depends on the others to execute properly, making it very difficult to analyze each component separately.
“The security vulnerabilities that are most commonly found in campaigns such as Operation CuckooBees are exploited because of unpatched systems, insufficient network segmentation, unmanaged assets, forgotten accounts and lacking multi-factor authentication products. Although these vulnerabilities may seem be easy to fix, day-to-day security is complex and it’s not always easy to implement mitigations at a grand scale. Defenders should follow MITRE and/or similar frameworks in order to make sure that they have the right visibility, detection and remediation capabilities in place to protect their most critical assets,” added Div.