A sophisticated cyber attack, likely of Chinese origin, targeted a major U.S. organization with a significant presence in China between April and August 2023. Symantec’s Threat Hunter Team discovered the intrusion; the activity may have begun earlier than the first observed evidence.
Key Points:
– Attackers compromised multiple computers, including Exchange Servers
– Evidence suggests email harvesting and data exfiltration
– Attack methodology included:
* DLL side-loading (common Chinese threat actor technique)
* Open-source tools (FileZilla, Impacket, PSCP)
* Living-off-the-land tools (WMI, PsExec, PowerShell)
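DLL side-loading works because a legitimate, usually signed executable searches its own directory first when resolving a DLL, so an attacker drops a malicious DLL with an expected name next to it. The following hunting snippet is an added example, not code from Symantec’s report or from the original page: it runs a side-loading heuristic over Sysmon Event ID 7 (ImageLoad) records. The field names `Image`, `ImageLoaded`, `Signed` and `SignatureStatus` are real Sysmon fields; the sample records, the trusted-directory list and the heuristic itself are constructed assumptions for illustration.

```python
"""Hunt for candidate DLL side-loading in Sysmon Event ID 7 (ImageLoad) records.

Added example; the heuristic and sample data are assumptions, not findings
from the report summarized above.
"""
import ntpath

# Locations Windows normally loads trusted DLLs from. A DLL loaded from
# anywhere else, sitting beside the executable, is worth a second look.
# (Illustrative list; extend for your own estate.)
TRUSTED_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\program files",
    r"c:\program files (x86)",
)

# Constructed Sysmon Event 7 records (dictionaries of the relevant fields).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\ntdll.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\helper.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Users\Public\Libraries\svc\update.exe",
     "ImageLoaded": r"C:\Users\Public\Libraries\svc\version.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\ProgramData\tools\tool.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\viewer.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\msvcr100.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
]


def _norm(path: str) -> str:
    """Normalize a Windows path for comparison (case-insensitive)."""
    return ntpath.normpath(path).lower()


def _under_trusted_dir(path: str) -> bool:
    """True if the normalized path lies inside one of TRUSTED_DIRS."""
    p = _norm(path)
    return any(p == d or p.startswith(d + "\\") for d in TRUSTED_DIRS)


def is_suspect_sideload(event: dict) -> bool:
    """Flag a record when all three side-loading conditions hold:

    1. the DLL was loaded from the same directory as the executable,
    2. that directory is outside the trusted locations, and
    3. the DLL does not carry a valid signature.
    """
    exe = _norm(event["Image"])
    dll = _norm(event["ImageLoaded"])
    same_dir = ntpath.dirname(exe) == ntpath.dirname(dll)
    validly_signed = (event.get("Signed", "").lower() == "true"
                      and event.get("SignatureStatus", "") == "Valid")
    return same_dir and not _under_trusted_dir(dll) and not validly_signed


def hunt_sideloading(events) -> list:
    """Return (Image, ImageLoaded) pairs for every record that trips the heuristic."""
    return [(e["Image"], e["ImageLoaded"]) for e in events if is_suspect_sideload(e)]


if __name__ == "__main__":
    for exe, dll in hunt_sideloading(SAMPLE_EVENTS):
        print(f"possible side-load: {exe} -> {dll}")
```

Treat hits as hunting leads rather than alerts: plenty of legitimate software loads unsigned DLLs from its own install directory, so the useful follow-up is to compare the DLL’s hash and exports against the genuine file the name imitates and to pivot on the process tree for the WMI, PsExec or PowerShell activity listed above.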
The attack shares similarities with the “Crimson Palace” operation and with previous intrusions by Daggerfly (also known as Bronze Highland, Evasive Panda, StormBamboo). The initial access vector is unknown; the evidence indicates the network was already compromised when the activity was first observed.
The attackers specifically targeted Exchange servers to collect and exfiltrate email. This intelligence-gathering focus is consistent with Chinese cyber offensive operations, in which state-sponsored activity is frequently carried out through front companies and contractors to maintain deniability.