SecurityBrief UK - Technology news for CISOs & cybersecurity decision-makers

Chinese cyberespionage targets European IT service firms

Wed, 18th Dec 2024

Details of a Chinese cyberespionage campaign have been unveiled by SentinelLabs and Tinexta Cyber, highlighting concerns over the increasing infiltration of digital supply chains by cyber actors.

The campaign, dubbed "Operation Digital Eye," targeted large business-to-business IT service providers located in Southern Europe. It aimed to embed footholds in digital supply chains, thus paving the way for potential attacks on downstream organisations. This operation took place from late June to mid-July 2024, lasting approximately three weeks. The targets of these attacks provide critical solutions for managing data, infrastructure, and cybersecurity across various industries.

The attackers utilised Visual Studio Code and Microsoft Azure infrastructure for command and control (C2) purposes. These tools were chosen to make malicious activities appear legitimate, thereby evading detection. "The abuse of Visual Studio Code Remote Tunnels in this campaign illustrates how Chinese APT groups often rely on practical, solution-oriented approaches to evade detection," the findings state.

SentinelLabs and Tinexta Cyber were able to detect and disrupt the attacks in their initial phases. According to the research, the exact entity behind Operation Digital Eye remains unclear, owing to the widespread sharing of malware, operational playbooks, and infrastructure management processes among Chinese APT (Advanced Persistent Threat) groups. However, the researchers assess it as highly likely that the attacks were conducted by a China-nexus threat actor with motivations rooted in cyberespionage.

Key findings indicate the threat actors used a pass-the-hash capability likely derived from closed-source custom Mimikatz modifications that had previously been observed in other cyberespionage activity, such as Operation Soft Cell and Operation Tainted Love. The research hints at the involvement of a "digital quartermaster," who may be responsible for the development and maintenance of these custom tools, subsequently distributing them within the Chinese APT ecosystem.

The presence and use of unique Mimikatz modifications, referred to collectively as mimCN, along with instructions for their execution by separate teams, suggest a centrally managed operation. The I-Soon leak has reportedly corroborated the role of such vendors or digital quartermasters in facilitating these cyberespionage operations.
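For defenders reading about the mimCN pass-the-hash capability, the practical question is what that technique leaves in the Windows Security log. The example below is added here and is not code from the SentinelLabs or Tinexta Cyber research. It applies a widely used heuristic: a 4624 event with LogonType 9 (NewCredentials), LogonProcessName "seclogo" and AuthenticationPackageName "Negotiate" marks a logon session created from explicitly injected credentials, and NTLM network logons (LogonType 3) arriving at other hosts from the same machine shortly afterwards raise the confidence. The event records, the host-to-IP inventory and the ten-minute correlation window are constructed assumptions.

```python
"""Heuristic pass-the-hash detection over Windows Security event 4624 records.

Added example, not code from the SentinelLabs/Tinexta report. It looks for the
session-creation pattern left by Mimikatz-style credential injection (a 4624
with LogonType 9, LogonProcessName "seclogo", AuthenticationPackageName
"Negotiate") and correlates it with NTLM network logons (LogonType 3) that
arrive at other hosts from the injecting machine's IP shortly afterwards.
The event records and host-to-IP inventory are constructed; the window is
an assumption.
"""
from datetime import datetime, timedelta
from typing import Dict, List

PIVOT_WINDOW = timedelta(minutes=10)  # assumption: tune for your environment


def is_credential_injection(ev: Dict) -> bool:
    """4624 whose logon session was created from explicitly supplied credentials."""
    return (ev.get("EventID") == 4624
            and ev.get("LogonType") == 9
            and str(ev.get("LogonProcessName", "")).lower() == "seclogo"
            and str(ev.get("AuthenticationPackageName", "")).lower() == "negotiate")


def is_ntlm_network_logon(ev: Dict) -> bool:
    """4624 network logon authenticated with NTLM rather than Kerberos."""
    return (ev.get("EventID") == 4624
            and ev.get("LogonType") == 3
            and str(ev.get("AuthenticationPackageName", "")).upper() == "NTLM")


def _ts(ev: Dict) -> datetime:
    return datetime.fromisoformat(ev["TimeCreated"])


def detect_pass_the_hash(events: List[Dict], host_ip: Dict[str, str]) -> List[Dict]:
    """Return one alert per injection event, with the lateral NTLM logons it likely fed."""
    events = sorted(events, key=_ts)
    alerts = []
    for inj in (e for e in events if is_credential_injection(e)):
        src_ip = host_ip.get(inj.get("Computer", ""))
        start, end = _ts(inj), _ts(inj) + PIVOT_WINDOW
        pivots = [(e["Computer"], e["TargetUserName"]) for e in events
                  if is_ntlm_network_logon(e)
                  and src_ip is not None and e.get("IpAddress") == src_ip
                  and e.get("Computer") != inj.get("Computer")
                  and start <= _ts(e) <= end]
        alerts.append({
            "host": inj.get("Computer"),
            "user": inj.get("TargetUserName"),
            "time": inj["TimeCreated"],
            "pivots": pivots,
            # Injection alone has a benign cause (runas /netonly); injection
            # followed by NTLM logons on other hosts is a much stronger signal.
            "severity": "high" if pivots else "medium",
        })
    return alerts


# Constructed sample events (not real telemetry or IoCs).
SAMPLE_EVENTS = [
    {"TimeCreated": "2024-07-02T09:14:03", "Computer": "WS-IT04", "EventID": 4624, "LogonType": 9,
     "LogonProcessName": "seclogo", "AuthenticationPackageName": "Negotiate",
     "TargetUserName": "jdoe", "IpAddress": "-"},
    {"TimeCreated": "2024-07-02T09:14:41", "Computer": "SRV-FS01", "EventID": 4624, "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "TargetUserName": "svc-backup", "IpAddress": "10.20.1.44"},
    {"TimeCreated": "2024-07-02T09:15:10", "Computer": "SRV-DB01", "EventID": 4624, "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "TargetUserName": "svc-backup", "IpAddress": "10.20.1.44"},
    {"TimeCreated": "2024-07-02T08:30:00", "Computer": "WS-HR02", "EventID": 4624, "LogonType": 2,
     "LogonProcessName": "User32", "AuthenticationPackageName": "Negotiate",
     "TargetUserName": "mlee", "IpAddress": "127.0.0.1"},
    {"TimeCreated": "2024-07-02T11:00:00", "Computer": "SRV-FS01", "EventID": 4624, "LogonType": 3,
     "AuthenticationPackageName": "Kerberos", "TargetUserName": "mlee", "IpAddress": "10.20.1.58"},
    # Same source, but well outside the correlation window.
    {"TimeCreated": "2024-07-02T09:40:00", "Computer": "SRV-PRN01", "EventID": 4624, "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "TargetUserName": "svc-backup", "IpAddress": "10.20.1.44"},
]
# Constructed asset inventory (assumption: you can map hostnames to IPs).
HOST_IP = {"WS-IT04": "10.20.1.44", "WS-HR02": "10.20.1.58"}

if __name__ == "__main__":
    for alert in detect_pass_the_hash(SAMPLE_EVENTS, HOST_IP):
        print(f"{alert['severity'].upper()}: {alert['user']}@{alert['host']} at {alert['time']} "
              f"-> NTLM logons {alert['pivots']}")
```

The medium/high split matters in practice: `runas /netonly` produces the same type 9/seclogo/Negotiate session on its own, so the injection event alone should drive triage rather than an automatic incident, while injection followed by NTLM logons from that host to other machines is worth paging on.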

Additionally, the campaign underlines the strategic threat posed by Chinese cyberespionage groups to European entities. These groups continue to focus on high-value targets, often breaching organisations that provide data and cybersecurity solutions to other industries. Through such breaches, attackers gain a foothold in the digital supply chain, enabling them to exert control over critical IT processes within compromised downstream entities.

SentinelLabs noted that until Operation Digital Eye, the use of Visual Studio Code for C2 purposes had been relatively rare. This campaign marks the first direct instance observed of a suspected Chinese APT group employing this technique. The study urges organisations to re-evaluate traditional security approaches, calling for the implementation of robust detection mechanisms capable of identifying such evasive techniques in real time.

By leveraging trusted development tools and infrastructure such as Microsoft Azure, the attackers relied on widely used technologies that security teams often do not scrutinise closely. This presents a growing challenge for defenders, who must consistently update their practices to combat evolving threats.
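The detection mechanisms the research calls for can start with two cheap signals: the VS Code CLI being launched in tunnel mode on an endpoint, and DNS lookups for the tunnel relay service. The example below is added here and is not code from the SentinelLabs or Tinexta Cyber research or from Microsoft. It parses constructed process-creation and DNS log lines in a simple key=value format, flags each signal with context, and reports hosts where both occur. The executable names, the `tunnel` subcommand and `--accept-server-license-terms` flag, the `devtunnels.ms` and `tunnels.api.visualstudio.com` suffixes, and the expected install directories are assumptions based on how the VS Code tunnel feature works; check them against current Microsoft documentation before deploying.

```python
"""Detection heuristics for Visual Studio Code Remote Tunnel abuse.

Added example, not code from the SentinelLabs/Tinexta report. It scans two
constructed telemetry feeds (endpoint process-creation events and DNS query
logs) in a key=value format and correlates hits per host. Hostnames,
executable names, flags and install paths are assumptions about the VS Code
CLI tunnel feature; verify them before deploying.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Assumed DNS suffixes contacted by the VS Code tunnel service.
TUNNEL_DOMAIN_SUFFIXES = ("devtunnels.ms", "tunnels.api.visualstudio.com")
# Assumed executable names the VS Code CLI ships under.
VSCODE_CLI_NAMES = {"code", "code.exe", "code-insiders", "code-insiders.exe", "code-tunnel.exe"}
# Assumed directories where a legitimate install normally lives (lower-cased substrings).
EXPECTED_INSTALL_HINTS = ("\\program files", "\\programs\\microsoft vs code")


@dataclass
class Finding:
    source: str    # "process" or "dns"
    host: str
    user: str
    reason: str
    evidence: str


_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_kv(line: str) -> Dict[str, str]:
    """Parse a key=value log line; values containing spaces are double-quoted."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _KV_RE.finditer(line)}


def check_process(ev: Dict[str, str]) -> Optional[Finding]:
    """Flag the VS Code CLI started in tunnel mode, with context for triage."""
    image = ev.get("Image", "")
    cmd = ev.get("CommandLine", "")
    base = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if base not in VSCODE_CLI_NAMES:
        return None
    # The "tunnel" subcommand is what turns the editor CLI into a remote access channel.
    if not re.search(r"(^|\s)tunnel(\s|$)", cmd):
        return None
    reasons = ["VS Code CLI started in tunnel mode"]
    if "--accept-server-license-terms" in cmd:
        reasons.append("unattended setup flag present")
    if not any(h in image.lower() for h in EXPECTED_INSTALL_HINTS):
        reasons.append("binary outside an expected install directory")
    return Finding("process", ev.get("Host", "?"), ev.get("User", "?"), "; ".join(reasons), cmd)


def check_dns(ev: Dict[str, str]) -> Optional[Finding]:
    """Flag DNS lookups for the tunnel relay service."""
    q = ev.get("Query", "").lower().rstrip(".")
    if any(q == s or q.endswith("." + s) for s in TUNNEL_DOMAIN_SUFFIXES):
        return Finding("dns", ev.get("Host", "?"), ev.get("User", "?"),
                       "DNS query for VS Code tunnel service", q)
    return None


def scan(lines: List[str]) -> List[Finding]:
    """Run the matching checker over every line and collect findings."""
    findings = []
    for line in lines:
        ev = parse_kv(line)
        checker = {"ProcessCreate": check_process, "DnsQuery": check_dns}.get(ev.get("EventType"))
        f = checker(ev) if checker else None
        if f:
            findings.append(f)
    return findings


def high_confidence_hosts(findings: List[Finding]) -> List[str]:
    """Hosts showing both a tunnel-mode process and tunnel-service DNS traffic."""
    by_host: Dict[str, Set[str]] = {}
    for f in findings:
        by_host.setdefault(f.host, set()).add(f.source)
    return sorted(h for h, src in by_host.items() if {"process", "dns"} <= src)


# Constructed sample telemetry (not real IoCs).
SAMPLE_LOG = [
    r'EventType=ProcessCreate Host=SRV-DB01 User=CORP\svc-backup Image="C:\Users\Public\code.exe" CommandLine="code.exe tunnel --accept-server-license-terms --name srv-db01"',
    r'EventType=DnsQuery Host=SRV-DB01 User=CORP\svc-backup Query=global.rel.tunnels.api.visualstudio.com',
    r'EventType=ProcessCreate Host=WS-DEV07 User=CORP\alice Image="C:\Users\alice\AppData\Local\Programs\Microsoft VS Code\Code.exe" CommandLine="Code.exe --folder-uri file:///C:/src"',
    r'EventType=DnsQuery Host=WS-DEV07 User=CORP\alice Query=update.code.visualstudio.com',
    r'EventType=ProcessCreate Host=SRV-WEB02 User=CORP\svc-iis Image="C:\ProgramData\code.exe" CommandLine="code.exe tunnel --name web02"',
]

if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for f in hits:
        print(f"[{f.source}] {f.host} {f.user}: {f.reason} <{f.evidence}>")
    print("high confidence:", high_confidence_hosts(hits))
```

A developer workstation that opens the editor normally produces neither signal, which is why the sample keeps one such host alongside the two servers. On servers that have no business running an editor, the process signal alone is already worth an alert; correlating it with the DNS signal is what separates a remote-access channel that is actually in use from a stray install.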

Tinexta Cyber and SentinelLabs have notified Microsoft about the reported abuse of Visual Studio Code and Azure infrastructure associated with Operation Digital Eye.
