Chinese hackers have been running riot on unsecured Windows devices

News
By published

State-sponsored actors stealing proprietary data, experts warn

Data Breach
Image Credit: Shutterstock (Image credit: Shutterstock)

Researchers from Cybereason have uncovered a new espionage campaign that’s been active for at least three years and includes new malware strains, rarely-seen abuse of certain Windows features, and a “complex infection chain”.

According to the company's report, a Chinese state-sponsored actor known as Winnti (aka APT 41, BARIUM, or Blackfly) has been targeting numerous technology and manufacturing companies in North America, Europe, and Asia since, at least, 2019.

The goal was to identify and exfiltrate sensitive data, such as intellectual property developed by the victims, sensitive documents, blueprints, diagrams, formulas, and manufacturing-related proprietary data. The researchers believe the attackers stole hundreds of gigabytes of valuable intel.

Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022end of this survey

Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022. Help us find how businesses are preparing for the post-Covid world and the implications of these activities on their cybersecurity plans. Enter your email at the end of this survey to get the bookazine, worth $10.99/£10.99.

Rarely seen abuse

This data also helped the attackers map out their victims’ networks, organizational structure, as well as endpoints, giving them a head start, should they decide to escalate things further (for example, with ransomware).

In its campaign, Winnti advanced persistent threat actor deployed new versions of already known malware (Spyder Loader, PRIVATELOG, and WINNKIT), but it also deployed previously unknown malware - DEPLOYLOG.

To deploy the malware, the group opted for a “rarely seen” abuse of the Windows CLFS Feature, the researchers said. Apparently, the group leveraged the Windows CLFS (Common Log File System) mechanism and NTFS transaction manipulations, allowing it to hide the payloads and evade being detected by security products.

Read more

> Indian power grid reportedly hit by Chinese cyberattacks

> Google says Chinese hackers are targeting US government Gmail accounts

> China says Walmart has some serious security flaws

The payload delivery itself was described as “intricate and interdependent”, resembling a house of cards. As a result, it was very difficult for researchers to analyze each component separately. 

Still, they managed to piece the puzzle together, and are claiming the Winnti malware arsenal includes Spyder (a sophisticated modular backdoor), STASHLOG (the initial deployment tool that “stashes” payloads in Windows CLFS), SPARKLOG (extracts and deploys PRIVATELOG to escalate privileges and achieve persistence on the target endpoint), PRIVATELOG (extracts and deploys DEPLOYLOG), and DEPLOYLOG (deploys the WINNKIT rootkit). Finally, there’s WINNKIT, the Winnti kernel-level rootkit.

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Read more
China
Chinese hackers develop effective new hacking technique to go after business networks
A computer being guarded by cybersecurity.
Huge cyberattack found hitting vulnerable Microsoft-signed legacy drivers to get past security
China
Microsoft says Chinese Silk Typhoon hackers are targeting cloud and IT apps to steal business data
A group of 7 hackers, 6 slightly blurred in the background and one in the foreground, all wearing black with hoods pulled up over their heads. You cannot see their faces. The hacker in the foreground sits with an open laptop in front of them. The background, behind the hackers, is a Chinese flag
China government-linked hackers caught running a seriously dangerous ransomware scam
Computer Hacked, System Error, Virus, Cyber attack, Malware Concept. Danger Symbol
China-linked cyberespionage group PlushDaemon used South Korean VPN service to inject malware
A concept image of someone typing on a computer. A red flashing danger sign is above the keyboard and nymbers and symbols also in glowing red surround it.
A major FBI operation has deleted Chinese malware from thousands of US computers
Latest in Security
ransomware avast
Ransomware attacks are costing Government offices a month of downtime on average
Lock on Laptop Screen
Data breach at Pennsylvania education union potentially exposes 500,000 victims
Data leak
Top collectibles site leaks personal data of nearly a million users
Spyware
Stalkerware data breach potentially hits over 2 million users, including thousands of Apple devices
An American flag flying outside the US Capitol building against a blue sky
Five Eyes "cannot replace US intel in Ukraine", claims former US Cyber Command Chief
Pirate skull cyber attack digital technology flag cyber on on computer CPU in background. Darknet and cybercrime banner cyberattack and espionage concept illustration.
Criminals are using a virtual hard disk image file to host and distribute dangerous malware
Latest in News
Citroen 2CV
The retro EV resurgence is in full swing, as Citroen confirms the iconic 2CV will return with batteries
Hugging Snap
This AI app claims it can see what I'm looking at – which it mostly can
Apple iPhone 16 Pro Max REVIEW
The latest batch of leaked iPhone 17 dummy units appear to show where glass meets metal on the new designs
Hornet swings their weapon in mid air
Hollow Knight: Silksong could potentially launch this year and I reckon it could be a great game for an Xbox handheld
ransomware avast
Ransomware attacks are costing Government offices a month of downtime on average
Cassian looking at someone off-camera from a TIE fighter cockpit in Andor season 2
Star Wars: Andor creator is taking a stance against AI by canceling plans to release its scripts, and I completely get why
More about security
ransomware avast

Ransomware attacks are costing Government offices a month of downtime on average
Data leak

Top collectibles site leaks personal data of nearly a million users
Someone looking at a marketing graph

Why ‘boring’ tech will be 2025's biggest marketing trend
See more latest
Most Popular
Mark S and Helly R standing by their desks bathed in blue light in Severance's season 2 finale
Severance season 2 episode 10 ending explained: what does Mark do, who dies, will there be a season 3, and more big questions answered
YouTube Premium
Would you pay for better sound on YouTube? The video-sharing platform could soon let you control audio quality, but it'll cost you
Hugging Snap
This AI app claims it can see what I'm looking at – which it mostly can
Citroen 2CV
The retro EV resurgence is in full swing, as Citroen confirms the iconic 2CV will return with batteries
I Hate This Place artwork
Bloober Team is keeping busy as it announces its next survival horror game I Hate This Place and offers a new look at its upcoming title Cronos: The New Dawn
Equal1 Bell-1 quantum computer
This is the first quantum computer you can actually buy (and use, and power): Equal1's Bell-1 uses a standard power socket
Ryzen AI Max+ 395
Obscure Chinese PC vendor gets preferential AMD treatment as Lisa Su signs first desktop PC with Ryzen AI Max+ 395 ahead of May launch
Apple iPhone 16 Pro Max REVIEW
The latest batch of leaked iPhone 17 dummy units appear to show where glass meets metal on the new designs
SanDisk Slim Dual Drive
This is the first 2TB dual-port external SSD ever and it's not as expensive as you may think
Bimawen B15.6 TV Pro
A sign of things to come? This portable monitor comes with Google TV, a remote control and a very well hidden Android PC