Symantec Spotted Cyberespionage Campaign Linked to Chinese APT Group Targeting Global MSPs


Malware researchers at Broadcom’s Symantec business have discovered evidence that a long-running cyberespionage campaign linked to Chinese state-sponsored hackers is now targeting managed service providers (MSPs) with a worldwide reach.

Symantec claimed in a study released Tuesday that the Cicada (APT10, Stone Panda) gang has expanded its target list to include political, legal, religious, and non-governmental organisations (NGOs) in a number of countries around the world, including Europe, Asia, and North America.

Cicada’s early activity, according to the business, was largely focused on Japanese-linked companies few years ago, but the group is now targeting managed service providers (MSPs) all over the world.

Symantec’s analysts discovered evidence that attackers use Microsoft Exchange Servers as an entry point in numerous newer cases, implying that a known, unpatched vulnerability in Microsoft Exchange may have been used to gain access to victim networks in some situations.

“Once the attackers have gotten access to the target workstations, we see them use a variety of tools, including a custom loader and the Sodamaster backdoor,” says the researcher. The loader used in this campaign was previously used in a Cicada assault, according to Symantec.

Sodamaster is a strong backdoor utilised solely by this Chinese APT organisation to avoid detection in a sandbox, search for running processes, and download and execute additional payloads.

The backdoor can also obfuscate and encrypt traffic before sending it back to its command-and-control (C&C) server.

The attackers were also seen dumping credentials with a bespoke Mimikatz loader and exploiting a genuine VLC Media Player by launching a custom loader via the VLC Exports feature, and then remotely controlling target workstations with the WinVNC tool, according to Symantec.

“It appears that the victims of this effort are mostly government-related institutions or non-governmental organisations (NGOs), with some of these NGOs operating in the domains of education and religion. There were additional victims in the telecommunications, legal, and pharmaceutical industries, according to Symantec.

The victims are from a variety of countries, including the United States, Canada, Hong Kong, Turkey, Israel, India, Montenegro, and Italy. There is also only one victim in Japan, which is noteworthy given Cicada’s previous focus on Japanese-linked businesses.

According to Symantec, the attackers spent up to nine months on some victims’ networks.

“The simultaneous targeting of multiple large organisations in different geographies would necessitate a lot of resources and skills that are typically only seen in nation-state backed groups, demonstrating that Cicada still has a lot of firepower behind it when it comes to its cyber activities,” the company said.

Jennifer Thomas
Jennifer Thomas is the Co-founder and Chief Business Development Officer at Cybers Guards. Prior to that, She was responsible for leading its Cyber Security Practice and Cyber Security Operations Center, which provided managed security services.