Full Report
Operation Digital Eye, a suspected China-nexus cyberespionage campaign, targeted business-to-business IT service providers in Southern Europe from late June to mid-July 2024. The attacks aimed to establish strategic footholds for further compromise of downstream entities. Thre...
Analysis Summary
# Threat Actor: Suspected China-Nexus APT (Associated with Operation Digital Eye)
## Attribution & Identity
* **Identification:** Suspected China-nexus cyberespionage actor.
* **Known Aliases:** Not explicitly named in the provided context, referred to generically as a "State-Sponsored APT."
## Activity Summary
The actor was behind **Operation Digital Eye**, a cyberespionage campaign running from late June to mid-July 2024. The objective was to gain strategic footholds within business-to-business IT service providers for subsequent compromise of their downstream clients (supply chain targeting).
## Tactics, Techniques & Procedures
* **Initial Access:** SQL injection vulnerabilities exploited via the **sqlmap** tool on internet-facing web servers.
* **Persistence/Execution:** Deployment of a custom PHP-based webshell named **PHPsert**, utilizing obfuscation (XOR encoding) and localized filenames.
* **Trusted Technology Abuse:** Exploitation of **Microsoft Visual Studio Code's Remote Tunnels** feature to establish backdoor access, full command execution, and file manipulation.
* **Lateral Movement/Credential Theft:** Use of **RDP** and **pass-the-hash** techniques. Employed a modified Mimikatz variant (**bK2o.exe**) that overwrites credential material in LSASS memory so that stolen NTLM hashes can be used for pass-the-hash. Used **CreateDump** to extract LSASS memory.
* **Data Exfiltration:** Used commands like `reg save` to dump the Security Account Manager (SAM) registry hive to a file for exfiltration.
* **Defense Evasion:** Deployed a modified Visual Studio Code executable (`code.exe`) as a persistent service using `winsw` configuration files. Used specific, disguised file naming conventions (e.g., `do.*`).
## Targeting
* **Sectors:** Business-to-business IT service providers.
* **Geography:** Southern Europe.
* **Victims:** Downstream entities of the compromised IT service providers (strategic targeting).
## Tools & Infrastructure
* **Malware Families Used:** PHPsert (custom PHP webshell), bK2o.exe (custom Mimikatz variant).
* **Infrastructure (C2, Domains, IPs):** Relied on **Microsoft Azure** and **M247 services** for C2 infrastructure, deliberately placing infrastructure within Europe to blend traffic.
## Implications
This operation signifies a high-stakes strategic intrusion targeting the IT supply chain in Southern Europe. The reliance on abusing legitimate, trusted technologies like Visual Studio Code Tunnels and Azure for C2 poses a significant challenge to traditional perimeter and application-level defenses.
## Mitigations
* Strictly monitor and restrict the use of developer tools such as Visual Studio Code outside trusted administrative contexts, especially Remote Tunnel configurations.
* Implement robust monitoring for LSASS memory access operations and unusual process lineage involving developer tools or services.
* Apply behavior-based detection for NTLM hash exploitation indicators (e.g., credential dumping techniques).
* Patch known SQL injection vulnerabilities immediately across all public-facing web assets.
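The three monitoring items above (Remote Tunnel use, LSASS memory access, and hive dumping via `reg save`) can be expressed as simple rules over endpoint telemetry. The following is an added example, not code from the original report or from any vendor, that runs such rules over a handful of constructed events loosely modelled on Sysmon process-creation and process-access records; the file paths, the `winsw.exe` parent and the LSASS allowlist are assumptions to be tuned per environment.

```python
import ntpath
import re

# Constructed sample events (not real telemetry). Event id 1 = process creation,
# id 10 = process access, following the Sysmon numbering; all paths are made up.
EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\svchost.exe",
     "parent": r"C:\Windows\System32\services.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"id": 1, "image": r"C:\ProgramData\do\code.exe",          # hypothetical drop path
     "parent": r"C:\ProgramData\do\winsw.exe",                  # service wrapper (assumed)
     "cmdline": "code.exe tunnel --accept-server-license-terms"},
    {"id": 10, "source": r"C:\Users\Public\bK2o.exe",
     "target": r"C:\Windows\System32\lsass.exe", "access": "0x1FFFFF"},
    {"id": 10, "source": r"C:\Windows\System32\csrss.exe",
     "target": r"C:\Windows\System32\lsass.exe", "access": "0x1400"},
    {"id": 1, "image": r"C:\Windows\System32\reg.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"reg save HKLM\SAM C:\Users\Public\sam.hiv"},
]

# Processes that legitimately open LSASS; an assumed baseline, tune per environment.
LSASS_ALLOWLIST = {"csrss.exe", "wininit.exe", "services.exe", "msmpeng.exe"}
VM_READ, VM_WRITE = 0x0010, 0x0020  # PROCESS_VM_READ / PROCESS_VM_WRITE access bits

def base(path):
    return ntpath.basename(path).lower()

def check_event(ev):
    """Return a list of (rule, detail) alerts raised by a single event."""
    alerts = []
    if ev["id"] == 1:
        tokens = ev["cmdline"].lower().split()
        # Rule 1: any VS Code launched with the 'tunnel' subcommand.
        if base(ev["image"]) == "code.exe" and "tunnel" in tokens:
            alerts.append(("vscode-remote-tunnel", f"{ev['image']} (parent {ev['parent']})"))
        # Rule 3: reg.exe saving a credential-bearing hive (SAM, SYSTEM, SECURITY).
        if base(ev["image"]) == "reg.exe" and len(tokens) >= 3 and tokens[1] == "save" \
                and re.fullmatch(r"hklm\\(sam|system|security)", tokens[2]):
            alerts.append(("registry-hive-save", tokens[2]))
    elif ev["id"] == 10 and base(ev["target"]) == "lsass.exe":
        # Rule 2: non-allowlisted process opening LSASS with read/write memory rights.
        mask = int(ev["access"], 16)
        if base(ev["source"]) not in LSASS_ALLOWLIST and mask & (VM_READ | VM_WRITE):
            alerts.append(("lsass-memory-access", f"{ev['source']} mask={ev['access']}"))
    return alerts

def scan(events):
    return [alert for ev in events for alert in check_event(ev)]

if __name__ == "__main__":
    for rule, detail in scan(EVENTS):
        print(f"[{rule}] {detail}")
```

The access-mask check keeps benign query-only handles (such as the `0x1400` csrss.exe example) out of the alert stream, which is where most of the noise in raw LSASS-access telemetry comes from.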