An Israeli-American cybersecurity firm said Monday that it uncovered a “massive” hacking operation, apparently led by a hacking group believed to be backed by China, that had engaged in intellectual property (IP) theft and industrial espionage on three continents.
Cybereason, which is headquartered in Boston with offices in Tel Aviv, London, and Tokyo, said the group employed sophisticated methods and worked in an elusive manner to target technology and manufacturing companies in the US, Europe, and Asia and steal sensitive proprietary information.
Assaf Dahan, senior director and head of threat research at Cybereason, told The Times of Israel that the ring, known as the Winnti Group (and also tracked as APT41, Blackfly and Barium in cybersecurity circles), was “one of the most prolific and industrious groups in the cyber threat landscape,” and is known to operate on behalf of Chinese state interests.
The group has been active since at least 2010. Some known members of the group were indicted in 2020 by the US Department of Justice for computer crimes against some 100 companies in the US and other countries, including software development companies, computer hardware manufacturers, telecommunications providers, and gaming firms.
Dahan said Cybereason’s research showed that the Winnti Group engaged in “intellectual property theft and cyber espionage on a grand scale” since at least 2019, and possibly before. Cybereason began its research into the group’s industrial espionage operations last year, having been alerted by one of the targeted companies that something “funky” was afoot in its network, said Dahan, who is based in London.
He explained that Cybereason researchers were able to observe, in real time, the group’s efforts to obtain sensitive data such as patent and product details, source code, tech blueprints, and manufacturing instructions.
“Their level of stealth and sophistication was very high,” Dahan said, describing the group’s modus operandi in the context of this specific hacking operation as a “house of cards” made up of several components that were interconnected and interdependent.
“It’s an intricate and complex deployment process where the components all have to work together in a certain order. It’s very difficult to detect because each component [alone] doesn’t appear malicious. It’s a smart way of evading detection and it worked — they worked undetected for three years,” said Dahan.
During the analysis, Cybereason was able to uncover a previously undocumented “family of malware” including a new version of Winnti malware called WINNKIT, which Dahan described as a “very advanced cyber tool of Chinese origin, likely military intelligence.”
The malware allowed the hackers to conduct “reconnaissance and credential dumping [to pull multiple passwords and login information], enabling them to move laterally in the network,” according to Cybereason’s investigation, which the company dubbed Operation CuckooBees. The hack “allowed the attackers to steal highly sensitive information from critical servers and endpoints belonging to high-profile stakeholders.”
Dahan said that the extent of the damage to the targeted companies was difficult to assess.
Cybereason said it had briefed the Federal Bureau of Investigation (FBI) and the Department of Justice on its research.
Western nations, and in particular the US and Britain, have over the years accused China of large-scale hacking operations aimed at pilfering vast amounts of data including trade secrets and scientific information as well as private details of citizens.
A Bloomberg report last year detailed how Chinese operatives were able to breach major companies by exploiting a major US tech supplier.
In 2018, US authorities indicted two alleged Chinese hackers said to have acted on behalf of Beijing’s main intelligence agency to steal trade secrets and other information from government agencies and a who’s who of major corporations in the United States and nearly a dozen other nations. Targeted nations named in the US indictment include Brazil, Canada, Finland, France, Germany, India, Japan, Sweden, Switzerland and the United Arab Emirates.
Last year, Cybereason revealed in a separate report that Chinese state-backed hacking groups compromised at least five global telecommunications companies, stealing phone records and location data.
Founded in 2012, Cybereason has raised over $700 million in capital over the past decade from investors including GV (formerly Google Ventures, the venture capital arm of Alphabet), SoftBank, CRV, Spark Capital, Lockheed Martin, and Liberty Strategic Capital, the private equity firm set up in early 2021 by former US Treasury secretary Steven Mnuchin.
Cybereason uses behavioral analytics and machine learning to process information in real time and provide extended detection and response (XDR). The software can tell companies if they are under attack, assess the impact, and move to stop the threat, according to the company’s website.
Cybereason is said to have confidentially filed for an initial public offering (IPO) in February that could value the company at more than $5 billion.