China-Backed Winnti Hackers Attacked Manufacturers Globally, Cybereason Alleges
The China-backed Winnti Group (APT 41, Wicked Panda or Barium) has been siphoning troves of intellectual property and other data from dozens of manufacturers in North America, Europe and Asia across multiple critical industries over the past three years, according to a year-long investigation by Cybereason, a provider of extended detection and response services.
During its examination, Cybereason discovered that Winnti conducted Operation CuckooBees undetected since at least 2019. The most “alarming revelation” is that the companies weren’t aware they were breached. The heist gave Winnti “unfiltered access” to blueprints, sensitive diagrams and other proprietary data,” said Lior Div, Cybereason chief executive and co-founder.
Winnti has been active since at least 2010 and linked to attacks on dozens of U.S. companies. Cybereason based its conclusions on forensic artifacts of Winnti intrusions, the company said.
Additional findings from the research include:
- Previously undocumented Winnti malware includes digitally signed, kernel-level rootkits as well as an elaborate multi-stage infection chain that enabled the operation to remain undetected since at least 2019.
- Winnti has used a previously undocumented malware strain called DEPLOYLOG along with new versions of known Winnti malware, including Spyder Loader, PRIVATELOG, and WINNKIT.
- The attackers leveraged the Windows common log file system (CLFS) mechanism and NTFS transaction manipulations, which allowed them to conceal their payloads and evade detection by traditional security products.
- The attackers implemented a “delicate” house-of-cards approach, where each component depends on the others to execute properly, making it very difficult to analyze each component separately.
“The security vulnerabilities that are most commonly found in campaigns such as Operation CuckooBees are exploited because of unpatched systems, insufficient network segmentation, unmanaged assets, forgotten accounts and lacking multi-factor authentication products,” said Div. “Although these vulnerabilities may seem easy to fix, day-to-day security is complex and it’s not always easy to implement mitigations at a grand scale. Defenders should follow MITRE and/or similar frameworks in order to make sure that they have the right visibility, detection and remediation capabilities in place to protect their most critical assets,” he said.