U.S. org suffered four month intrusion by Chinese hackers

A large U.S. organization with significant presence in China has been reportedly breached by China-based threat actors who persisted on its networks from April to August 2024.

According to Symantec’s threat researchers, the operation appeared to focus on intelligence gathering, involving multiple compromised machines and targeting Exchange Servers, likely for email and data exfiltration.

The researchers did not explicitly name the breached U.S. organization but mentioned that the same entity was targeted by the China-based ‘Daggerfly’ threat group in 2023.

Attack timeline

Although the intrusion might have started earlier, Symantec’s visibility into the incident began on April 11, 2024, when suspicious Windows Management Instrumentation (WMI) commands and registry dumps were executed.

The initial infection vector remains unknown, but Symantec was able to observe PowerShell execution to query Active Directory for service principal names (SPNs) and Kerberos tokens, a technique known as ‘Kerberoasting.’

On June 2, the threat actors pivoted to a second machine and used a renamed FileZilla component (putty.exe), likely for data exfiltration, which was later facilitated by PowerShell, WinRAR, and a PSCP client.

On that machine, the threat actors used the files ‘ibnettle-6.dll’ and ‘textinputhost.dat’ for persistence, which have been previously seen (by Sophos and RecordedFuture) in attacks conducted by the Chinese threat group ‘Crimson Palace.’

Around the same time, the attackers infected two additional machines where they secured persistence through registry manipulation, and which they used for surveillance and lateral movement.

On those, the hackers used WMI to query Windows Event Logs for logons and account lockouts, PowerShell for testing network connectivity like RPC on port 135 and PDR on port 3389, and PsExec to query domain groups, including Exchange servers.

Finally, on June 13, a fifth machine in the organization was compromised, where the attackers launched ‘iTunesHelper.exe’ to sideload a malicious DLL (‘CoreFoundation.dll’) for payload execution.

An interesting aspect of the attack is that the hackers assigned distinct roles in each of the breached machines and followed a structured approach that allowed them to persist and gather intelligence systematically.

Attribution based on previous activity against the targeted organization and files is weak.

However, Symantec also notes that extensive use of “living off the land” tools like PsExec, PowerShell, WMI, and open-source tools like FileZilla, Impacket, and PuTTY SSH aligns with Chinese hacker tactics.