Recent investigations have revealed that Chinese state-sponsored threat actors are leveraging sophisticated tactics to infiltrate European IT companies. According to cybersecurity firms Tinexta Cyber and SentinelLabs, these attacks, referred to as Operation Digital Eye, exploited vulnerabilities in Microsoft’s Visual Studio Code and Azure cloud infrastructure to conduct espionage campaigns targeting Western technology organizations.
Campaign Overview: Operation Digital Eye
This cyber campaign, which unfolded between June and July, aimed at breaching IT service providers in southern Europe. These firms provide critical data management, infrastructure, and cybersecurity solutions to various industries, making them a lucrative target for espionage and supply chain infiltration.
Attackers reportedly utilized the Visual Studio Code Remote Tunnels extension to tunnel command-and-control (C2) traffic. By sourcing infrastructure from European-based providers such as M247 in the U.K. and Microsoft Azure, they successfully masked their activities. The use of a digitally signed Visual Studio Code executable further bolstered their ability to evade detection by mimicking legitimate traffic flows within Europe.
Techniques and Tactics
The attackers' end goal was to establish and maintain a long-term presence within compromised organizations. Their methodology involved an initial attack vector through SQL injection, which subsequently allowed them to deploy a PHP-based webshell. Once inside, they camouflaged their activities using custom file names for the webshell, blending seamlessly into the targeted networks.
One distinct marker of this operation was the consistent naming pattern for malware tools, such as do.log for logging ping command outputs or do.exe for credential extraction and exfiltration.
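The two tradecraft details above, the Remote Tunnels C2 channel and the do.exe/do.log naming, can be turned into simple triage rules over process-creation telemetry. The script below is an added example, not code from the report or its authors; the event schema (pid, image, cmdline, parent) and the sample events are constructed, and the list of web-server parent processes is an assumption.

```python
import json
from pathlib import PureWindowsPath

# Constructed sample of process-creation events, one JSON object per line.
# The field names (pid, image, cmdline, parent) are an assumed schema.
SAMPLE_EVENTS = r"""
{"pid": 4120, "image": "C:\\Program Files\\Microsoft VS Code\\Code.exe", "cmdline": "\"C:\\Program Files\\Microsoft VS Code\\Code.exe\" --reuse-window C:\\src\\app", "parent": "explorer.exe"}
{"pid": 5877, "image": "C:\\Users\\Public\\code.exe", "cmdline": "code.exe tunnel --accept-server-license-terms --name srv01", "parent": "w3wp.exe"}
{"pid": 6012, "image": "C:\\Windows\\Temp\\do.exe", "cmdline": "do.exe -a", "parent": "cmd.exe"}
{"pid": 6013, "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c ping -n 1 10.0.0.5 > C:\\Windows\\Temp\\do.log", "parent": "w3wp.exe"}
"""

VSCODE_IMAGES = {"code.exe", "code"}          # the VS Code executable / CLI
OPERATOR_NAMES = {"do.exe", "do.log"}         # naming pattern reported for the campaign
WEB_SERVER_PARENTS = {"w3wp.exe", "httpd.exe", "php-cgi.exe"}  # assumed webshell hosts

def classify(event):
    """Return the list of rule names an event matches (empty if benign)."""
    findings = []
    image = PureWindowsPath(event["image"]).name.lower()
    tokens = [t.strip('"').lower() for t in event["cmdline"].split()]
    # Rule 1: VS Code started with the "tunnel" subcommand, i.e. the Remote
    # Tunnels feature abused for C2. Developers use it legitimately, so this is a lead.
    if image in VSCODE_IMAGES and "tunnel" in tokens[1:]:
        findings.append("vscode_tunnel")
    # Rule 2: the operator naming pattern (do.exe tooling, do.log for ping
    # output) anywhere in the image path or command line.
    names = {image} | {PureWindowsPath(t).name.lower() for t in tokens}
    if names & OPERATOR_NAMES:
        findings.append("operator_naming")
    # Rule 3: process spawned by a web server worker, consistent with a
    # webshell dropped after the SQL injection described in the report.
    if event["parent"].lower() in WEB_SERVER_PARENTS:
        findings.append("web_server_child")
    return findings

def scan(jsonl):
    """Map pid -> matched rules for every event that matched at least one."""
    hits = {}
    for line in jsonl.strip().splitlines():
        event = json.loads(line)
        found = classify(event)
        if found:
            hits[event["pid"]] = found
    return hits

if __name__ == "__main__":
    for pid, rules in scan(SAMPLE_EVENTS).items():
        print(pid, ", ".join(rules))
```

The ordinary editor launch (pid 4120) produces no finding, while the tunnel started from a web-server worker stacks two rules, which is the combination worth escalating first.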
Attribution Challenges
Attributing this campaign to a specific hacking group proved challenging. Chinese cyberespionage operations often feature overlapping tools and tactics shared among multiple groups, including contractors working for or with state-affiliated entities. This decentralization complicates pinpointing a single threat actor.
Evidence suggests the tools used in Operation Digital Eye, including a pass-the-hash utility and custom Mimikatz variants (known as minCN), likely originate from a centralized source tied to the Chinese government. These tools have been observed in campaigns associated with well-known Chinese cyberespionage groups such as Granite Typhoon, APT41, APT10, and Lucky Mouse.
Shared Toolkits and Collaboration
Researchers uncovered instructions embedded within minCN samples, seemingly left for subsequent teams of operators. These instructions included commands or IP addresses for the next wave of hackers to execute. This finding reinforces the theory that a centralized entity within the Chinese cyberespionage ecosystem maintains and distributes these tools across multiple teams.
"The recurring presence of minCN samples in various intrusions attributed to China-linked APT groups over the years suggests the existence of a broader provisioning network," wrote researchers from Tinexta Cyber and SentinelLabs. This infrastructure likely facilitates coordinated operations across different clusters within the Chinese advanced persistent threat (APT) ecosystem.
Implications for European IT Companies
By targeting IT service providers, the attackers increased their potential to propagate through the supply chain, affecting downstream client organizations. This highlights the critical importance of robust security measures for service providers, as their compromise can have cascading effects on the broader ecosystem.