A cyber-attack that had been sitting on the target organization’s network for years stealing data was discovered during a McAfee investigation into a suspected malware infection. The sophisticated threat actors utilized a mix of known and novel malware tools in the attack, called Operation Harvest, to infiltrate the victim’s IT infrastructure, exfiltrate data, and avoid detection, according to the investigators. McAfee researchers were able to narrow down the list of suspects to two advanced persistent threat (APT) nation-state groups with ties to China during the course of the two-month investigation.
“Operation Harvest has been a long-term operation whereby an adversary maintained access for multiple years to exfiltrate data,” Christiaan Beek, lead scientist and senior principal engineer for the Enterprise Office of the CTO at McAfee, wrote in a report.
“The exfiltrated data would have either been part of an intellectual property theft for economic purposes and/or would have provided insights that would be beneficial in case of military interventions. The adversaries made use of techniques very often observed in this kind of attack but also used distinctive new backdoors or variants of existing malware families,” Beek added.
The actor gained initial access by compromising the victim’s web server, which contained software to maintain the existence and storage of tools needed to acquire information about the victim’s network and lateral movement/execution of files, according to forensic investigations.
Between the operating method of the unique encryption function in the custom backdoor and the code used in the DLL, the adversaries used techniques that are commonly seen in this type of attack, but they also used distinctive new backdoors or variants of existing malware families, almost identical to methods attributed to the Winnti malware family. According to the findings, the adversary was looking to steal proprietary knowledge for military or intellectual property/manufacturing reasons.
McAfee investigators drew out MITRE ATT&CK Enterprise methods, added the tools utilized, and compared the information to previous technique data to figure out who the perpetrators were. They discovered four groups that shared the same tactics and sub-techniques and then used a chart to narrow down the suspects to APT27 and APT41.
“After mapping out all data, TTP’s [tactics, techniques, and procedures] etc., we discovered a very strong overlap with a campaign observed in 2019/2020,” Beek wrote. “A lot of the (in-depth) technical indicators and techniques match. Also putting it into perspective, and over time, it demonstrates the adversary is adapting skills and evolving the tools and techniques being used.”