Skip links

How do China’s cyber-spies snoop on governments, NGOs? Probably like this

A China-backed crew is said to be running a global espionage campaign against governments, religious groups, and non-governmental organizations (NGOs) by, in some cases, possibly exploiting a vulnerability in Microsoft Exchange servers.

+Symantec’s Threat Hunter Team said the campaign, which aims to spy on targeted victims and steal information, likely started in mid-2021, with the most recent activity detected in February. It may still be going on, the researchers observed in a report this week.

The Threat Hunter Team team is attributing the attacks to Cicada, also known as APT10 – a group that has been operating for more than a decade and that intelligence agencies in the US have linked to China’s Ministry of State Security. The researchers are pointing at Cicada because a custom loader and custom malware that have been used exclusively by the group were found in victims’ networks.

The attacks have hit countries all over the world – including the United States, Canada, Italy, India, and Hong Kong.

“The wide number of sectors and geographies of the organizations targeted in this campaign is interesting,” the researchers wrote.

“Cicada’s initial activity several years ago was heavily focused on Japanese-linked companies, though in more recent times it has been linked to attacks on managed service providers (MSPs) with a more global footprint. However, this campaign does appear to indicate a further widening of Cicada’s footprint.”

In some cases, Cicada’s activities on targets’ networks is first detected on Exchange servers, which could indicate the hackers were exploiting an unpatched vulnerability in Microsoft’s software. Once in a system, the group unfurls a collection of tools – including a custom loader that was deployed in a previous attack by Cicada, according to the researchers.

The intrusions also involve the installation of the Sodamaster backdoor – again a tool believed to be used exclusively by Cicada. Sodamaster is a fileless Windows malware and a custom Mimikatz loader, which also drops in other payloads to grab credentials in plain text for users that access the compromised host and ensure persistence across reboots.

Sodamaster, which Cicada has been using since at least 2010, performs a number of functions, including finding the username, hostname and operating system of the targeted machines, searching for running processes, and downloading and running additional malicious payloads. It also can obfuscate and encrypt traffic that is sent back to its command-and-control (C2) server.

The backdoor also is able to evade detection through a sandbox by checking for a registry key or delaying the execution of its functions.

Cicada can also gain access to a victim’s network by exploiting a legitimate VLC Media Player – an open source tool that plays most multimedia files, DVDs, audio CDs, VCDs and streaming media. Leveraging the VLC player, the threat group launches a custom loader through the VLC Exports function and uses a WinVNC server to gain remote control of the compromised system.

The attackers also use the RAR archiving tool to compress, encrypt, or archive files – likely for exfiltration purposes. They employ Microsoft’s WMIExec command-line product for executing commands on remote computers, as well as the open source NBTScan which scans for open NETBIOS nameservers and can be used to run internal reconnaissance on a hijacked system. Finally the threat group deploys code to tell them what systems and services are connected to an infected machine.

The nature of the campaign indicates that it comes from a highly sophisticated and experienced group backed by a country, according to Symantec.

“The targeting of multiple large organizations in different geographies at the same time would require a lot of resources and skills that are generally only seen in nation-state backed groups and it shows that Cicada still has a lot of firepower behind it when it comes to its cyber activities,” the researchers wrote. ®