Operation Harvest: The Cyberespionage Campaign

by CISOCONNECT Bureau

McAfee has discovered a complex, long-running cyberespionage campaign. For years, the adversary has been able to exfiltrate network data. Operation Harvest is the name of the cyberespionage campaign.

The cyberespionage campaign derives its name from its goal of stealing sensitive information from company networks and exploiting it for strategic military goals afterwards. The threat actors appear to be highly sophisticated and experienced, using a mix of old and new malware packages. After gaining initial access, the attackers moved laterally across the network, abusing privilege escalation to steal credentials.

While some of the approaches employed were common, the attackers also deployed some novel backdoors and malware variants.

The stolen data most likely contained intellectual property that the adversaries might profit from through financial dealings.

Long-term cyberespionage operations and covert information heists are two traits frequently associated with threat actors backed by China. The threat actor, according to experts, is linked to Beijing.

The technique observed in this campaign, which is linked to the Winnti Group, is described in a 2017 report by Trend Micro. The payload deployed belongs to Winnti, according to McAfee experts.

However, a comparison of the techniques, sub-techniques, timestamps, and historical artefacts indicates that APT27 and APT41 groups are most likely responsible for the campaign.

This campaign emphasises the challenges in detecting attacks by highly competent APT groups. As a result, countering such attacks necessitates a multi-layered, proactive approach. The threat group has clearly been improving its abilities and evolving its TTPs over time. Researchers have ascribed this attack to Chinese state-sponsored threat actors with high confidence.
