
Symantec: Chinese APT Group Targeting Global MSPs

Malware hunters at Broadcom’s Symantec division have spotted signs that a long-running cyberespionage campaign linked to Chinese nation-state hackers is now going after managed service providers (MSPs) with a more global footprint.

In a report issued Tuesday, Symantec said it observed a group known as Cicada (APT10, Stone Panda) expanding its target list to include government, legal, religious, and non-governmental organizations (NGOs) in multiple countries around the world, including in Europe, Asia, and North America. 

The company noted that Cicada’s initial activity several years ago was heavily focused on Japanese-linked companies but warned that the group is now hitting managed service providers (MSPs) around the world. 

In several newer cases, Symantec’s researchers found evidence that Microsoft Exchange Servers were an entry point for the attackers, suggesting that a known, unpatched vulnerability in Microsoft Exchange may have been used to gain access to some victim networks.

“Once the attackers have successfully gained access to victim machines we observe them deploying various different tools, including a custom loader and the Sodamaster backdoor. The loader deployed in this campaign was also deployed in a previous Cicada attack,” Symantec added.

Sodamaster is described as a powerful backdoor, used exclusively by this Chinese APT group, that is capable of evading detection in a sandbox, searching for running processes, and downloading and executing additional payloads.

The backdoor is also capable of obfuscating and encrypting traffic that it sends back to its command-and-control (C&C) server.

Symantec also observed the attackers dumping credentials with a custom Mimikatz loader and exploiting a legitimate VLC Media Player by launching a custom loader via the VLC Exports function, and then using the WinVNC tool for remote control of victim machines.

“The victims in this campaign appear to primarily be government-related institutions or NGOs, with some of these NGOs working in the fields of education and religion. There were also victims in the telecoms, legal, and pharmaceutical sectors,” Symantec said.

The victims are spread across a wide range of regions, including the U.S., Canada, Hong Kong, Turkey, Israel, India, Montenegro, and Italy. There is also just one victim in Japan, which is notable given Cicada’s previous strong focus on Japanese-linked companies.

Symantec noted that the attackers spent as long as nine months on the networks of some victims.

“The targeting of multiple large organizations in different geographies at the same time would require a lot of resources and skills that are generally only seen in nation-state backed groups, and shows that Cicada still has a lot of firepower behind it when it comes to its cyber activities,” the company said.

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.
