A sophisticated cyberattack targeting a major U.S. organization with operations in China persisted for at least four months this year, according to new findings from Symantec's Threat Hunter Team.
The attack campaign, detected between April and August 2023, showed telltale signs of Chinese state-sponsored hacking activities. While the targeted organization remains unnamed, investigators found evidence of extensive network infiltration and data theft.
Attackers moved strategically across the organization's network, compromising multiple computers including Exchange email servers. The breach likely began before April 11, when the first signs were detected.
Technical analysis revealed the use of DLL side-loading techniques - a method commonly associated with Chinese hacking groups. Researchers also discovered tools and artifacts previously linked to "Crimson Palace," a known state-sponsored operation.
The same organization had been targeted in 2023 by another suspected Chinese hacking group known as Daggerfly (also called Bronze Highland or StormBamboo), suggesting a pattern of sustained cyber threats from China-based threat actors.
The attackers employed both custom malicious tools and legitimate software, including:
- Open-source utilities like FileZilla and Impacket
- Built-in Windows tools like PowerShell
- Network management software for lateral movement
While the initial point of compromise remains unknown, evidence suggests the attackers had already established a foothold in the network before detection. They showed particular interest in Exchange servers, indicating possible email data theft.
This incident aligns with recent research from Orange Cyberdefense about Chinese cyber operations, which highlighted how state-linked actors often use fake companies as fronts for recruiting and conducting attacks while maintaining deniability.
The extended duration and sophisticated nature of this attack campaign underscore the persistent cyber threats faced by organizations with international operations, particularly those with presence in China.
Note: Only one link was inserted as it was the only one contextually relevant to the article content, per the instructions. The other provided links about OpenAI and AI-powered defense systems were not directly related to Chinese state-sponsored cyberattacks.