Operation CuckooBees: Notorious Chinese hackers took trillions of dollars from about 30 companies

NEW DELHI | Updated: May 04, 2022, 03:29 PM IST

(Representative Image) Photograph: Reuters

Story highlights

According to a new report from Cybereason, a Boston-based cybersecurity firm, a malicious campaign dubbed Operation CuckooBees stole hundreds of gigabytes of intellectual property and sensitive data, including blueprints, diagrams, formulas, and manufacturing-related proprietary data, from multiple intrusions spanning technology and manufacturing companies in North America, Europe, and Asia.

Researchers have revealed a sophisticated Winnti cyber attack that abuses Windows systems in a "rarely observed" way.

According to Cybereason, the campaign is being carried out by the Chinese advanced persistent threat (APT) group Winnti, which has gone undiscovered for years.

APT 41, or "Winnti" – which also goes by the affiliate names BARIUM and Blackfly – is one of the most prolific and successful Chinese state-sponsored threat groups, with a history of launching CCP-backed espionage and financially motivated attacks on U.S. and other international targets, which are frequently aligned with China's Five-Year economic development plans.

APT 41, a well-known Chinese state actor, is estimated to have stolen trillions of dollars' worth of intellectual property from approximately 30 international corporations in the manufacturing, energy, and pharmaceutical sectors over the course of several years.

Cyberattacks targeting video game makers, software vendors, and colleges in Hong Kong have all been linked to the group in the past. When the critical ProxyLogon vulnerabilities in Microsoft Exchange Server were first disclosed, Winnti, along with other APTs, exploited them.

In two reports issued on Wednesday, Cybereason said it had briefed both the FBI and the US Department of Justice (DoJ) on the APT's campaign, which has been active since 2019 but was only recently identified.

According to cybersecurity experts, clandestine operations have targeted the networks of technology and manufacturing organisations in Europe, Asia, and North America, with the goal of obtaining valuable private data.

Winnti's "multi-stage infection chain," dubbed "Operation CuckooBees," starts with the exploitation of weaknesses in enterprise resource planning (ERP) software and the deployment of the Spyder loader. Some of the exploited issues were already known, but others were zero-day vulnerabilities, according to the researchers.