Symantec: Chinese APT Group Targeting Global MSPs

Malware hunters at Broadcom’s Symantec division have spotted signs that a long-running cyberespionage campaign linked to Chinese nation-state hackers is now going after managed service providers (MSPs) with a more global footprint.

In a report issued Tuesday, Symantec said it observed a group known as Cicada (APT10, Stone Panda) expanding its target list to include government, legal, religious, and non-governmental organizations (NGOs) in multiple countries around the world, including in Europe, Asia, and North America. 

The company noted that Cicada’s initial activity several years ago was heavily focused on Japanese-linked companies but warned that the group is now hitting managed service providers (MSPs) around the world. 

In several newer cases, Symantec’s researchers found evidence that Microsoft Exchange Servers are an entry point for the attackers, suggesting the possibility that a known, unpatched vulnerability in Microsoft Exchange may have been used to gain access to victim networks in some cases.

[ READ: Symantec: Super-Stealthy ‘Daxin’ Backdoor Linked to Chinese APT ]

“Once the attackers have successfully gained access to victim machines we observe them deploying various different tools, including a custom loader and the Sodamaster backdoor. The loader deployed in this campaign was also deployed in a previous Cicada attack,” Symantec added.

Sodamaster is described as a powerful backdoor used exclusively by this Chinese APT group to evade detection in a sandbox, searching for running processes, and downloading and executing additional payloads.

The backdoor is also capable of obfuscating and encrypting traffic that it sends back to its command-and-control (C&C) server.

Symantec also observed the attackers dumping credentials with a custom Mimikatz loader and exploiting a legitimate VLC Media Player by launching a custom loader via the VLC Exports function, and then using the WinVNC tool for remote control of victim machines.

[ READ: U.S. Olympians Told to Use ‘Burner Phones’ in China ]

“The victims in this campaign appear to primarily be government-related institutions or NGOs, with some of these NGOs working in the fields of education and religion. There were also victims in the telecoms, legal, and pharmaceutical sectors,” Symantec said.

The victims are spread through a wide number of regions including the U.S., Canada, Hong Kong, Turkey, Israel, India, Montenegro, and Italy. There is also just one victim in Japan, which is notable due to Cicada’s previous strong focus on Japanese-linked companies.

Symantec noted that the attackers spent as long as nine months on the networks of some victims.

“The targeting of multiple large organizations in different geographies at the same time would require a lot of resources and skills that are generally only seen in nation-state backed groups, and shows that Cicada still has a lot of firepower behind it when it comes to its cyber activities,” the company said.

Related: Symantec: Super-Stealthy ‘Daxin’ Backdoor Linked to Chinese APT

Related: Facebook Disrupts Chinese Spies Using iPhone, Android Malware

Related: New Modem Wiper Malware May be Connected to Viasat Hack

Related: CashApp Says Ex-Employee Stole Customer Stock Trading Data