A China-nexus threat actor attempted to breach key links in the European IT supply chain by hiding behind familiar Microsoft technologies. The intrusions took place over roughly three weeks, from late June to mid-July 2024, and were documented by researchers at SentinelLabs together with Tinexta Cyber. The actor targeted large business-to-business IT service providers in Southern Europe, among them cybersecurity firms and data and infrastructure solution providers, with downstream supply-chain espionage as the apparent end goal.
To get into these IT vendors, and through them potentially their many clients across the continent, the attackers hid their activity behind everyday business tooling: Visual Studio Code and Microsoft Azure. The choice serves two ends. Tunnelled VS Code sessions and Azure-hosted infrastructure blend into legitimate developer and cloud traffic, which makes the activity harder to detect, and the overlap in tactics, techniques and procedures (TTPs) and tooling with other known Chinese threat actors makes attribution to any one group harder.
The campaign, which SentinelLabs named "Operation Digital Eye," began with SQL injection against internet-facing web and database servers. The attackers then dropped PHP web shells whose filenames were chosen to blend in with legitimate files and evade detection, and went on to reconnaissance, lateral movement (including RDP and pass-the-hash) and credential theft.
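The initial access vector above is ordinary SQL injection. The following is an added example, not code from the report or from the targeted vendors: a login lookup vulnerable to injection next to its parameterised fix, run against an in-memory SQLite database seeded with constructed rows so it works offline. The table and column names are illustrative.

```python
"""Added example, not code from the report or from the targeted vendors:
a login lookup vulnerable to SQL injection next to its parameterised
fix, against an in-memory SQLite database seeded with constructed rows
so it runs offline. Table and column names are illustrative."""
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("admin", "Correct-Horse-Battery"), ("alice", "hunter2")],
    )
    return conn


def login_vulnerable(conn, username, password):
    # Attacker-controlled text is spliced into the statement, so quote and
    # comment characters in the input are interpreted as SQL syntax.
    query = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    # Bound parameters travel separately from the SQL text; the database
    # never parses the input as part of the statement.
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    # Tautology in the password field: the WHERE clause becomes
    # (username = 'nobody' AND password = '') OR '1'='1', which matches
    # every row, and the first row back is the admin account.
    print(login_vulnerable(db, "nobody", "' OR '1'='1"))    # admin
    # Comment marker in the username field: everything after '--' is
    # dropped, so the password check disappears entirely.
    print(login_vulnerable(db, "admin' -- ", "wrong"))       # admin
    print(login_safe(db, "nobody", "' OR '1'='1"))           # None
    print(login_safe(db, "admin", "Correct-Horse-Battery"))  # admin
```

The fix is not input filtering but keeping data out of the statement text; a web shell only lands on the server if the first step succeeds, so this is the cheapest place to break the chain.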
The most notable element was the deployment of "code.exe": the legitimate, Microsoft-signed portable build of Visual Studio Code (VS Code), installed and kept running as a Windows service through the Windows Service Wrapper (WinSW). VS Code is Microsoft's widely used open-source editor, and Chinese threat actors have abused its Remote Tunnels feature before. The feature exists so a developer can attach to a remote machine from another VS Code instance or from the browser after signing in with a GitHub or Microsoft account; an attacker who starts a tunnel on a compromised host gets the same capability, an interactive terminal and file-system access relayed through Microsoft's tunnel service, without opening an inbound port or dropping a conventional backdoor.
The GitHub and Azure connections that VS Code tunnelling requires gave the attackers cover: the tunnel authenticates through a GitHub or Microsoft account and relays its traffic through Microsoft-hosted tunnel endpoints, so the command-and-control channel looks like ordinary developer traffic to Microsoft cloud services. The attackers also ran their own infrastructure on public cloud in Western Europe, so sessions originated from IP space that security tools rarely flag. The combination of full interactive access and network traffic that looks routine is what makes the technique attractive. Defenders should treat a tunnel as a remote-access tool like any other: look for code.exe started with the tunnel subcommand, for VS Code running as a service or as SYSTEM, and for hosts contacting the tunnel service endpoints when no developer on that machine should be using them.
The tooling adds to the attribution problem. "bK2o.exe," a customized variant of the credential-theft tool Mimikatz used for pass-the-hash, belongs to a family of modified Mimikatz builds that SentinelLabs has seen across several Chinese APT groups, APT41 and APT10 among them. The researchers suggested that a shared vendor, or "digital quartermaster," supplies these tools to multiple groups, pointing to a coordinated Chinese APT ecosystem that supports cyber-espionage operations.
Overall, the attempt to breach critical European supply-chain companies by abusing Microsoft technologies shows how intrusions keep shifting toward living off legitimate services. IT service providers are high-value targets precisely because one foothold can reach many downstream clients, so robust security controls and continuous monitoring of seemingly benign developer and cloud tooling are essential to safeguarding sensitive information and infrastructure.

