SecurityBrief UK - Technology news for CISOs & cybersecurity decision-makers
Chinese espionage targets European IT providers in new wave

Details have emerged regarding "Operation Digital Eye," a Chinese cyberespionage campaign targeting IT service providers in Southern Europe.

The campaign, attributed to suspected China-nexus threat actors and uncovered by SentinelLabs and Tinexta Cyber, attempted to infiltrate digital supply chains. According to the researchers, it targeted large business-to-business IT service providers, with the potential to affect the downstream organisations those providers serve.

Operation Digital Eye, taking place from late June to mid-July 2024, highlighted the strategic and persistent threat posed by Chinese cyberespionage groups to European entities. "The relationships between European countries and China are complex, characterised by cooperation, competition, and underlying tensions in areas such as trade, investment, and technology," said the researchers. They added that China-linked groups often target organisations across Europe to gather intelligence and gain competitive advantages.

The exact group behind the operation remains unclear due to the extensive sharing of malware, operational playbooks, and infrastructure management within the Chinese threat landscape. Researchers noted, "The threat actors used a pass-the-hash capability, likely originating from the same source as closed-source custom Mimikatz modifications observed exclusively in suspected Chinese cyberespionage activities."

The campaign used Visual Studio Code Remote Tunnels for command and control purposes. Originally designed for remote development, this technology is appealing for its ability to provide full endpoint access and evade detection. The threat actors also leveraged Microsoft Azure infrastructure, exploiting trusted development tools to disguise malicious activities as legitimate.

The researchers have notified Microsoft about the abuse of their Visual Studio Code and Azure infrastructure in connection with this campaign. The use of Visual Studio Code for such purposes marks a first for a suspected Chinese APT group as observed directly by SentinelLabs.

The operation also points to the involvement of a possible shared vendor or digital quartermaster, of the kind highlighted by the i-Soon leak. This entity is thought to maintain and update malware; the pass-the-hash tooling used here resembles that seen in earlier campaigns such as Operation Soft Cell and Operation Tainted Love. These modifications, tracked as mimCN, suggest a continuum in the development and provisioning of tools used by Chinese espionage actors.

Operation Digital Eye underscores the ongoing cyber threat posed to European entities, with Chinese APT actors focusing on high-value targets. Breaching organisations that manage data, infrastructure, and cybersecurity solutions expands the attackers' reach into the digital supply chain.

The report indicates a growing need for organisations to reassess security strategies, as leveraging trusted tools like Visual Studio Code makes detection difficult. "The exploitation of widely used technologies, which security teams may not scrutinise closely, presents a growing challenge for organisations," the alert stated.

Defenders are urged to implement robust detection mechanisms able to identify such evasive techniques in real time. The observed tactics, coupled with possible shared resources described in this campaign, suggest the critical role of centralised entities providing updated tools and strategies for Chinese cyberespionage groups.
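As an added illustration of the kind of detection the report calls for (this is not code from the report, SentinelLabs or Tinexta Cyber), the following Python reviews process-creation events and flags launches of the Visual Studio Code CLI with its `tunnel` subcommand, raising extra concern when the parent process is not an interactive shell or when the tunnel is installed as a persistent service. The pipe-separated log format, the sample events and the `explorer.exe` heuristic are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Constructed process-creation records (not taken from the report).
# Fields: host|user|parent_image|image|command_line
SAMPLE_EVENTS = """\
ws01|alice|explorer.exe|C:\\Users\\alice\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe|"Code.exe" --folder-uri file:///C:/proj
ws02|svc_backup|cmd.exe|C:\\Tools\\code.exe|code.exe tunnel --accept-server-license-terms --name build-srv
srv03|SYSTEM|services.exe|C:\\Windows\\System32\\svchost.exe|svchost.exe -k netsvcs
srv04|bob|powershell.exe|C:\\ProgramData\\vscode\\code.exe|code.exe tunnel service install
"""

# Matches "code" or "code.exe" followed, somewhere on the same command line, by the
# "tunnel" subcommand of the VS Code CLI (the Remote Tunnels entry point).
TUNNEL_RE = re.compile(r"\bcode(?:\.exe)?\b[^|]*\btunnel\b", re.IGNORECASE)

# Assumption: a developer starting VS Code by hand usually has an interactive parent.
INTERACTIVE_PARENTS = {"explorer.exe"}


@dataclass
class Finding:
    host: str
    user: str
    reason: str
    command_line: str


def find_tunnel_launches(events: str) -> list[Finding]:
    """Return one Finding per event in which the VS Code tunnel CLI was started."""
    findings: list[Finding] = []
    for line in events.splitlines():
        host, user, parent, image, cmd = line.split("|", 4)
        if not TUNNEL_RE.search(cmd):
            continue
        reasons = ["vscode tunnel cli invoked"]
        if parent.lower() not in INTERACTIVE_PARENTS:
            reasons.append(f"non-interactive parent {parent}")
        if "tunnel service install" in cmd.lower():
            reasons.append("tunnel installed as persistent service")
        findings.append(Finding(host, user, "; ".join(reasons), cmd))
    return findings


if __name__ == "__main__":
    for f in find_tunnel_launches(SAMPLE_EVENTS):
        print(f"{f.host} {f.user}: {f.reason} :: {f.command_line}")
```

Triage of each hit still needs local context, since legitimate developers also use tunnels; the value is in surfacing tunnel launches from service accounts, servers and script parents for review.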
