A series of sophisticated cyberattacks targeting business-to-business IT service providers in Southern Europe has been attributed to a China-linked cyber espionage group. The campaign, codenamed Operation Digital Eye, was carried out from late June to mid-July 2024. Although the attacks were neutralized before progressing to data exfiltration, the adversaries had successfully exploited vulnerabilities to establish footholds in their targets’ networks. The intrusions aimed to compromise downstream entities by breaching IT service providers that support critical sectors, allowing the threat actors to access a wider range of data and infrastructure.
Central to the attacks was the weaponization of Microsoft Visual Studio Code Remote Tunnels, a legitimate feature typically used for remote development. The attackers exploited these tunnels for command-and-control (C2) activities, which allowed them to execute arbitrary commands, manipulate files, and move laterally across systems. By blending their malicious activities with the regular network traffic associated with this widely used development tool, the attackers were able to evade detection, making the attacks harder to identify and block.
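Because tunnel traffic looks like ordinary developer activity, detection usually depends on where it appears rather than on the traffic itself. The following added example (not taken from the research described here) flags hosts outside an approved developer list that launch the VS Code tunnel CLI or resolve Microsoft's documented tunnel endpoints. The event field names, host names and approved-host list are assumptions, and the sample events are constructed.

```python
import re

# Microsoft-documented endpoints used by VS Code Remote Tunnels (not taken from the article).
TUNNEL_DOMAINS = (".tunnels.api.visualstudio.com", ".devtunnels.ms")
# Matches "code tunnel", "code.exe tunnel" or "code-insiders tunnel" in a command line.
TUNNEL_CMD = re.compile(r'(?:^|[\\/\s"])code(?:-insiders)?(?:\.exe)?"?\s+tunnel\b', re.I)

# Assumption: hosts where developers are approved to use Remote Tunnels.
APPROVED_HOSTS = {"dev-ws-014"}

# Constructed sample events, shaped like normalised EDR and DNS logs (hypothetical schema).
SAMPLE_EVENTS = [
    {"host": "dev-ws-014", "type": "process", "user": "alice",
     "cmdline": "code tunnel --accept-server-license-terms"},
    {"host": "sql-prod-02", "type": "process", "user": "SYSTEM",
     "cmdline": r'"C:\ProgramData\vs\code.exe" tunnel'},
    {"host": "sql-prod-02", "type": "dns", "query": "abc123.euw.devtunnels.ms"},
    {"host": "web-07", "type": "dns", "query": "global.rel.tunnels.api.visualstudio.com"},
    {"host": "web-07", "type": "process", "user": "bob",
     "cmdline": "code C:\\src\\tunnel\\notes.txt"},   # opens a file, not a tunnel
    {"host": "hr-11", "type": "dns", "query": "devtunnels.ms.example.net"},  # lookalike suffix
]

def find_tunnel_activity(events, approved=APPROVED_HOSTS):
    """Return {host: sorted signals} for unapproved hosts showing tunnel use."""
    findings = {}
    for ev in events:
        signal = None
        if ev["type"] == "process" and TUNNEL_CMD.search(ev.get("cmdline", "")):
            signal = "process"
        elif ev["type"] == "dns":
            query = ev.get("query", "").lower().rstrip(".")
            if any(query.endswith(d) for d in TUNNEL_DOMAINS):
                signal = "dns"
        if signal and ev["host"] not in approved:
            findings.setdefault(ev["host"], set()).add(signal)
    return {host: sorted(sigs) for host, sigs in findings.items()}

def severity(signals):
    # A CLI launch plus tunnel DNS on the same host corroborate each other.
    return "high" if set(signals) == {"dns", "process"} else "medium"

if __name__ == "__main__":
    for host, signals in find_tunnel_activity(SAMPLE_EVENTS).items():
        print(host, severity(signals), signals)
```

Servers and database hosts rarely have a reason to run a developer tunnel, so a hit on such a system is worth triaging even when only one of the two signals is present.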
The attack chain began with SQL injection, a common method for gaining unauthorized access to internet-facing applications and database servers. The threat actors used SQLmap, a legitimate penetration testing tool, to automate the detection and exploitation of SQL injection flaws. Once inside the target network, they deployed a PHP-based web shell, PHPsert, to maintain access and ensure persistence. From there, the attackers conducted reconnaissance, harvested credentials, and leveraged techniques such as pass-the-hash and modified versions of Mimikatz to escalate privileges and access sensitive systems within the network.
Researchers noted several indicators linking the attackers to previous Chinese cyber espionage activities, including the use of custom Mimikatz tools, shared infrastructure, and code-signing certificates. Additionally, simplified Chinese comments were found in the PHPsert tool, further suggesting a connection to Chinese state-backed actors. The campaign demonstrated a calculated approach, using public cloud infrastructure and trusted development tools to avoid detection, and underscored the growing sophistication of Chinese cyber espionage groups in targeting critical sectors and their supply chains.