Broadcom’s security subsidiary Symantec has named a China-linked hacking gang known as “APT 10” and “Cicada” as the probable source of a year-long attack on Japanese interests around the world.
Symantec’s analysis of the campaign detailed how APT 10 used custom malware named Backdoor.Hartip, plus more prosaic methods such as DLL side-loading and the ZeroLogon vuln that the US Cybersecurity and Infrastructure Security Agency considered sufficiently serious to justify an unusual hurry-up-and-patch-ASAP warning notice.
Cicada may even have used those tools within China, an unusual act as criminal hacking gangs are generally happiest operating outside their own territory. Symantec suggests Cicada did so because its mission was to hit Japanese companies’ operations around the world and suck out data about their operations – especially from automotive companies. Firms in the fields of electronics, engineering, manufacturing, pharmaceuticals, and professional services were also among the targets.
The attack ranged across South-East Asia and stretched into Europe, North America, and even had a crack in the United Arab Emirates.
Symantec detected the attack after noticing DLL side-loading at one customer and, upon investigation, observed similar actions around the world.
Once target networks had been compromised, Symantec observed abuse of local Active Directory implementations, credential theft, and archiving of files before their exfiltration to public clouds.
Some of the efforts involved obfuscation techniques and shellcode on loader DLLs that Symantec has seen Cicada use in past attacks, leading the firm to name the gang with “medium confidence”. Allegations of Cicada/APT10’s links to China were made by the US Department of Justice in 2018, when it was alleged that IBM and HPE were among the gang’s victims. ®