A sophisticated cyber espionage campaign, dubbed Operation Digital Eye, has been discovered targeting major B2B IT service providers in Southern Europe. The attacks, occurring between June and July 2024, were identified and stopped by SentinelOne SentinelLabs and Tinexta Cyber before data could be exfiltrated.
Key Findings:
– The attackers, believed to be Chinese state-sponsored, exploited Visual Studio Code and Microsoft Azure infrastructure for command-and-control operations
– Initial access was gained through SQL injection attacks using SQLmap
– PHPsert, a PHP-based web shell, was deployed for persistent access
– A custom version of Mimikatz (dubbed mimCN) was used for lateral movement
– Visual Studio Code Remote Tunnels were weaponized for remote command execution
Technical Indicators of Chinese Origin:
– Simplified Chinese comments in malware code
– Activity patterns matching Chinese working hours (9 AM – 9 PM CST)
– Use of M247 Romanian hosting infrastructure
– Code similarities with previous Chinese cyber operations
– Shared characteristics with tools used in Operations Soft Cell and Tainted Love
Attack Methodology:
1. Initial breach via SQL injection
2. Web shell deployment
3. Network reconnaissance
4. Credential harvesting
5. Lateral movement using RDP and pass-the-hash techniques
6. Command execution through SSH and VS Code Remote Tunnels
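Because step 6 runs commands through a legitimate developer tool, a defender's detection needs to separate expected interactive use of the VS Code tunnel CLI from launches in the wrong context (a web-server process, a service account, a drop directory). The following Python is an added illustration, not code from SentinelLabs or Tinexta Cyber; the parent-process allow-list, install prefixes and service-account prefixes are assumptions to tune for your own estate, and the sample events are constructed.

```python
import re

# The VS Code CLI starts a Remote Tunnel with "code tunnel ..."; match the
# subcommand in the command line, optionally after a quoted image path.
TUNNEL_RE = re.compile(r'\bcode(?:\.exe)?"?\s+tunnel\b', re.IGNORECASE)

# Assumptions to tune per environment: shells that normally launch the CLI,
# normal install prefixes, and accounts that should never run a dev tool.
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "windowsterminal.exe"}
NORMAL_IMAGE_PREFIXES = ("c:\\program files", "c:\\users")
SERVICE_ACCOUNT_PREFIXES = ("nt authority\\", "iis apppool\\")


def classify_tunnel_event(event):
    """Return None if the event is not a VS Code tunnel launch; otherwise a dict
    with a severity and the reasons that raised it above 'low'."""
    if not TUNNEL_RE.search(event.get("cmdline", "")):
        return None
    reasons = []
    parent = event.get("parent", "").lower()
    if parent not in INTERACTIVE_PARENTS:
        reasons.append(f"parent {parent or 'unknown'} is not an interactive shell")
    image = event.get("image", "").lower()
    if not image.startswith(NORMAL_IMAGE_PREFIXES):
        reasons.append(f"image path {image} is outside normal install locations")
    user = event.get("user", "").lower()
    if user.startswith(SERVICE_ACCOUNT_PREFIXES):
        reasons.append(f"run as service account {user}")
    return {"severity": "high" if reasons else "low", "reasons": reasons}


def scan(events):
    """Classify a batch of process-creation events; return (host, verdict) pairs."""
    return [(ev.get("host"), v) for ev in events if (v := classify_tunnel_event(ev))]


# Constructed sample process-creation events (not taken from the report).
SAMPLE_EVENTS = [
    {"host": "DEV-LAPTOP-7", "user": "CORP\\alice", "parent": "powershell.exe",
     "image": "C:\\Users\\alice\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe",
     "cmdline": '"C:\\Users\\alice\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe" tunnel --name alice-laptop'},
    {"host": "WEB01", "user": "IIS APPPOOL\\DefaultAppPool", "parent": "w3wp.exe",
     "image": "C:\\Windows\\Temp\\code.exe",
     "cmdline": "code.exe tunnel --accept-server-license-terms"},
    {"host": "DEV-LAPTOP-7", "user": "CORP\\alice", "parent": "cmd.exe",
     "image": "C:\\Users\\alice\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe",
     "cmdline": "code.exe --list-extensions"},
]

if __name__ == "__main__":
    for host, verdict in scan(SAMPLE_EVENTS):
        print(host, verdict["severity"], "; ".join(verdict["reasons"]))
```

The developer laptop launch scores low while the launch from the IIS worker process out of a temp directory under the application-pool identity collects three reasons and scores high; a plain VS Code invocation without the tunnel subcommand is ignored.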
The campaign highlights a strategic threat to digital supply chains, as compromising IT service providers could potentially affect numerous downstream clients. The attackers’ use of legitimate development tools and infrastructure demonstrates a sophisticated approach to evading detection.