Full Report
The cybersecurity firm did not name the company but said the attack was “likely carried out by a China-based threat actor, since some of the tools used in this attack have been previously associated with Chinese attackers.”
Analysis Summary
# Threat Actor: China-based Threat Actor (Likely State-Sponsored Espionage Group)
## Attribution & Identity
* **Attribution:** Likely a China-based threat actor, based on toolset association.
* **Known Aliases and Associations:** Tools used in the attack have been previously associated with Chinese attackers. The targeted organization was also previously targeted by an attacker linked to **Daggerfly** (a Chinese government-backed hacking group). A file used in the attack was also spotlighted in campaigns by the China-based espionage group **Crimson Palace**.
## Activity Summary
* **Historical Activities:** The *current* malicious activity dates from April 2024 until August 2024. The organization targeted was also previously attacked last year by a group linked to Daggerfly. Daggerfly has been active since at least 2012.
* **Recent Campaigns:** A campaign targeting a large U.S. organization between April and August 2024. The goal was strategic intelligence gathering, involving lateral movement, compromise of Exchange Servers for email harvesting, and data exfiltration.
## Tactics, Techniques & Procedures
* Lateral movement across the victim's network.
* Compromising Exchange Servers to harvest emails (intelligence gathering).
* Deployment of data exfiltration tools.
* Use of several legitimate, trusted applications (from Google and Apple) to load malware, aiming to blend in with normal activity.
* Methodically gathering intelligence and establishing persistent access over an extended duration.
## Targeting
* **Sectors:** Not explicitly named, but the victim is described as a "large U.S. organization with a significant presence in the country." The focus on high-level internal communications suggests targets relevant to strategic intelligence.
* **Geography:** The primary victim identified is based in the **U.S.** (though the actor is China-based). Associated groups (Daggerfly) target Taiwan, an African telecommunications company, and international NGOs operating in mainland China, Hong Kong, Nigeria, Myanmar, the Philippines, Taiwan, and Vietnam.
* **Victims:** A "large U.S. organization."
## Tools & Infrastructure
* **Malware Families Used:** Not specified by name, but tools involved in lateral movement, email harvesting, and exfiltration were deployed.
* **Infrastructure:** No specific C2 domains or IPs were provided in the summary context.
## Implications
The extended duration (April to August 2024) highlights a methodical and patient intelligence-gathering operation. The focus on Exchange Servers and email harvesting suggests a strategic objective aimed at understanding business relationships and internal communications, potentially creating leverage for future operations or political intelligence. The use of legitimate applications suggests a focus on evading modern endpoint detection mechanisms.
## Mitigations
* Enhanced monitoring and segmentation around Exchange Servers for unusual activity or access patterns.
* Vigilance against the misuse of legitimate applications (Google/Apple tools) for malware delivery or loading.
* MFA and strict access controls to limit lateral movement after an initial compromise.
* Proactive hunting for indicators associated with Daggerfly or Crimson Palace toolsets.