These sneaky hackers hid inside their victims' networks for nine months

Unpatched vulnerabilities in Microsoft Exchange Server could be providing a sustained cyber espionage operation with a way into networks.

The threat from hackers is getting worse – and ignorance isn't an excuse for boardrooms any more

A hacking and cyber espionage operation is going after victims around the world in a widespread campaign designed to snoop on targets and steal information. 

Identified victims of the cyber attacks include organisations in government, law, religious groups, non-governmental organisations (NGOs), the pharmaceutical sector and telecommunications. Multiple countries have been targeted, including the U.S., Canada, Hong Kong, Japan Turkey, Israel, India, Montenegro, and Italy. 

Detailed by cybersecurity researchers at Symantec, the campaign is the work of a group they call Cicadaalso known as APT10 - a state-sponsored offensive hacking group which western intelligence agencies have linked to Chinese Ministry of State Security. In some cases, the attackers spent as long as nine months inside the networks of victims.  

APT10 has been active for over a decade, with the earliest evidence of this latest campaign appearing in mid-2021. The most recent activity which has been detailed took place in February 2022 and researchers warn that the campaign could still be ongoing. 

In several of the detected campaigns, evidence of initial activity on compromised networks has been seen on Microsoft Exchange Servers, suggesting the possibility that the intrusions started with attackers exploiting unpatched vulnerabilities in Microsoft Exchange which came to light in early 2021. 

SEE: A winning strategy for cybersecurity (ZDNet special report) 

Once the attackers gain initial access, they use a variety of tools including Sodamaster, fileless malware which provides a backdoor onto machines, as well as a custom loader for dropping additional payloads. Both forms of malware have been used in previous campaigns by APT10. 

The malware is capable of evading detection and it also obfuscates and encrypts any information which is sent back to command and control servers operated by the attackers. In addition to custom tools, the campaigns also use publicly available tools, to scan systems and execute commands.  

The victims being targeted, along with the tools being deployed and the earlier history of the suspected culprit behind the attacks has led researchers to conclude that the most likely goal of the campaign is information theft and intelligence gathering. 

"The sorts of organisations targeted - nonprofits and government organisations, including those involved in religious and education activity - are most likely to be of interest to the group for espionage purposes," Brigid O Gorman, senior information developer on Symantec threat hunter team told ZDNet. 

The United States Department of Justice has previously indicted suspected members of APT10 for campaigns around hacking into computer networks and stealing information. 

The widespread targeting of multiple large organisations around the world suggests the hacking operation has deep resources and researchers suggest that Cicada is still a cybersecurity threat to computer networks considered to be of interest to the attackers. 

Defending against a well-resourced nation-state backed hacking group isn't easy, but there are steps which network defenders can take to help avoid becoming the victim of an attack. These include patching known vulnerabilities – such as those in Microsoft Exchange which Cicada appear to have exploited – and hardening credentials via the use of multi-factor authentication

Researchers also recommend the introduction of one-time credentials for administrative work to help prevent theft and misuse of admin logins and that cybersecurity teams should contiously monitor the network for potentially suspicious activity. 

MORE ON CYBERSECURITY

Show Comments