China-backed Winnti APT siphons reams of U.S. trade secrets in sprawling cyber-espionage attack

China’s Winnti cyberthreat group has been quietly stealing immense stores of intellectual property and other sensitive data from manufacturing and technology companies in North America and Asia for years.

That’s according to researchers from Cybereason, who estimate that the group has so far stolen hundreds of gigabytes of data from more than 30 global organizations since the cyber-espionage campaign began. Trade secrets are a big part of that, they said, including blueprints, formulas, diagrams, proprietary manufacturing documents, and other business-sensitive information.

In addition, the attackers have harvested details about a target organization’s network architecture, user accounts, credentials, customer data, and business units that they could leverage in future attacks, Cybereason says in reports summarizing its investigation this week.

The security vendor said it has shared its findings with the FBI, which back in 2019 had warned of China-based cyberthreat groups engaged in the massive theft of intellectual property from US firms to support the country’s “Made in China 2025” modernization initiative.

“Global manufacturers are targets of Chinese state-sponsored threat groups,” says Assaf Dahan, senior director and head of threat research at Cybereason. “Our research highlights the importance of protecting Internet-facing assets, early detection of scanning activity and exploitation attempts, the ability to detect web shell activity, persistence, reconnaissance attempts by legitimate Windows tools, credential dumping, and lateral movement attempts.”

Darren Williams, CEO, and founder at BlackFog, says the campaign that Cybereason observed highlights a recent trend involving data theft by cybergangs operating out of China. He says that new research that BlackFog recently conducted found that 20% of all ransomware attacks exfiltrate data to China. There’s also been a dramatic rise in attacks targeting the technology, manufacturing, and government sectors, he says

“We think its related to the increasing pressure from multiple nations on the manufacturing industry generally and the shift in reliance from Chinese manufacturing,” he says. “Then when you look at trade wars China has with countries like Australia, there is a general market shift happening. We think these attacks are in response and even retaliation for many of these moves.”

Winnti Stung by CuckooBees
Winnti (aka APT41, Wicked Panda, or Barium) is a threat group that has been active since at least 2010. The group is believed to be working on behalf of, or with the support of, the Chinese government. Some security vendors have described Winnti as an umbrella group comprised of multiple threat actors operating under the control of China’s state intelligence agencies. The group has been linked to attacks in 2010 on scores of US firms (including Google and Yahoo). And in 2020, the US government indicted five members of the threat group, although the action did little to stop its activities.

Researchers from Cybereason stumbled upon the threat group’s latest campaign when investigating a 2021 intrusion at a $5 billion global manufacturing company with operations in Asia, North America, and Europe, Dahan says, and has been gathering evidence on the activity since then.

The researchers dubbed the investigation “Operation CuckooBees,” because cuckoo bees are very evasive, and the Winnti group is one of the most elusive hacking groups, Dahan explains.

To read the complete article, visit Dark Reading.