The intrusions took place from late June to mid-July 2024, cybersecurity companies SentinelOne SentinelLabs and Tinexta Cyber said in a joint report shared with The Hacker News, adding the activities were detected and neutralized before they could progress to the data exfiltration phase.
"The intrusions could have enabled the adversaries to establish strategic footholds and compromise downstream entities," security researchers Aleksandar Milenkoski and Luigi Martire said.
"The threat actors abused Visual Studio Code and Microsoft Azure infrastructure for C2 [command-and-control] purposes, attempting to evade detection by making malicious activities appear legitimate."
It's currently not known which China-linked hacking group is behind the attacks, an aspect complicated by the widespread toolset and infrastructure sharing among threat actors aligned with the East Asian nation.
Central to Operation Digital Eye is the weaponization for C2 of Microsoft Visual Studio Code Remote Tunnels, a legitimate feature that enables remote access to endpoints and thereby grants the attackers the ability to execute arbitrary commands and manipulate files.
Government-backed hackers favor such public cloud infrastructure partly because their activity blends into the traffic network defenders routinely see. Furthermore, such activities employ legitimate executables that are not blocked by application controls and firewall rules.
Attack chains observed by the companies entail the use of SQL injection as an initial access vector to breach internet-facing applications and database servers. The code injection is accomplished by means of a legitimate penetration testing tool called SQLmap that automates the process of detecting and exploiting SQL injection flaws.
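The initial access vector described above is ordinary SQL injection, the class of flaw a scanner such as the one named automates the discovery of. The following is an added example, not code from the report or from either vendor, that shows the vulnerable query pattern next to its parameterized fix against a constructed in-memory SQLite table; the table contents, the `lookup_user_*` function names and the test input are assumptions made for the illustration.

```python
import sqlite3

# Constructed sample data (not from the report): an in-memory table standing in
# for the user store of an internet-facing application.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn

def lookup_user_vulnerable(conn, username):
    # Vulnerable pattern: untrusted input is concatenated into the SQL text,
    # so a crafted username changes the structure of the query itself.
    query = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()

def lookup_user_hardened(conn, username):
    # Hardened pattern: the input is bound as a parameter. The driver treats it
    # strictly as a value, so the query's structure cannot be altered by it.
    query = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()

def demo():
    conn = build_db()
    benign = "bob"
    # Textbook tautology input (constructed for this example). Automated scanners
    # probe for exactly this kind of behavioural difference between inputs.
    injected = "x' OR '1'='1"
    return {
        "vulnerable_benign": lookup_user_vulnerable(conn, benign),
        "vulnerable_injected": lookup_user_vulnerable(conn, injected),
        "hardened_benign": lookup_user_hardened(conn, benign),
        "hardened_injected": lookup_user_hardened(conn, injected),
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

Run as a script, the vulnerable lookup returns every row for the crafted input while the parameterized lookup returns nothing, which is the observable difference an injection scanner keys on and the reason binding parameters (rather than filtering characters) is the fix.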
A successful attack is followed by the deployment of a PHP-based web shell dubbed PHPsert that enables the threat actors to maintain a foothold and establish persistent remote access. Subsequent steps include reconnaissance, credential harvesting, and lateral movement to other systems in the network using Remote Desktop Protocol (RDP) and pass-the-hash techniques.
"For the pass-the-hash attacks, they used a custom modified version of Mimikatz," the researchers said. The tool "enables the execution of processes within a user's security context by leveraging a compromised NTLM password hash, bypassing the need for the user's actual password."
Substantial source code overlaps suggest that the bespoke tool originates from the same source as the ones observed exclusively in suspected Chinese cyber espionage activities, such as Operation Soft Cell and Operation Tainted Love. These custom Mimikatz modifications, which also include shared code-signing certificates and the use of unique custom error messages or obfuscation techniques, have been collectively titled mimCN.
"The long-term evolution and versioning of mimCN samples, along with notable features such as instructions left for a separate team of operators, suggest the involvement of a shared vendor or digital quartermaster responsible for the active maintenance and provisioning of tooling," the researchers pointed out.
"This function within the Chinese APT ecosystem, corroborated by the I-Soon leak, likely plays a key role in facilitating China-nexus cyber espionage operations."
Also of note is the reliance on SSH and Visual Studio Code Remote Tunnels for remote command execution, with the attackers using GitHub accounts for authenticating and connecting to the tunnel in order to access the compromised endpoint through the browser-based version of Visual Studio Code ("vscode[.]dev").
That said, it's not known if the threat actors utilized freshly self-registered or already compromised GitHub accounts to authenticate to the tunnels.
Besides mimCN, some of the other aspects that point to China are the presence of simplified Chinese comments in PHPsert, the use of infrastructure provided by Romanian hosting service provider M247, and the use of Visual Studio Code as a backdoor, the last of which has been attributed to the Mustang Panda actor.
Furthermore, the investigation found that the operators were primarily active in the targeted organizations' networks during typical working hours in China, mostly between 9 a.m. and 9 p.m. CST.
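Two of the observations above translate directly into telemetry checks: the launch of the Visual Studio Code CLI in tunnel mode (and name resolution of the tunnel service endpoints), and the clustering of activity inside the 9 a.m. to 9 p.m. CST window. The following is an added example, not code from the report or from either vendor, that runs both checks over constructed process-start and DNS records. The sample events, host names and paths are made up; the `tunnel` subcommand and the endpoint domains listed in `TUNNEL_DOMAINS` are assumed from Microsoft's public documentation of the feature rather than taken from the report, and the working-hours share is only a weak hint that must be weighed with other evidence.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

CST = timezone(timedelta(hours=8))  # China Standard Time, UTC+8

# Assumed indicators (not quoted from the report): the VS Code CLI's "tunnel"
# subcommand and the tunnel service domains as documented by Microsoft.
TUNNEL_IMAGES = ("code.exe", "code", "code-tunnel.exe")
TUNNEL_DOMAINS = ("tunnels.api.visualstudio.com", "devtunnels.ms", "vscode.dev")

# Constructed endpoint telemetry: (UTC timestamp, host, image path, command line).
SAMPLE_EVENTS = [
    ("2024-07-02T01:15:00Z", "srv-db01", r"C:\Users\svc\code.exe", "code.exe tunnel --accept-server-license-terms"),
    ("2024-07-02T02:40:00Z", "srv-db01", r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),
    ("2024-07-02T16:05:00Z", "srv-db01", r"C:\Program Files\Git\bin\git.exe", "git.exe pull"),
    ("2024-07-03T03:30:00Z", "srv-web02", r"C:\Users\svc\code.exe", "code.exe tunnel service install"),
    ("2024-07-03T14:00:00Z", "srv-web02", r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]

# Constructed DNS query log: (host, queried name).
SAMPLE_DNS = [
    ("srv-db01", "global.rel.tunnels.api.visualstudio.com"),
    ("srv-db01", "update.microsoft.com"),
    ("srv-web02", "vscode.dev"),
]

def is_tunnel_launch(image, cmdline):
    # Flag the VS Code CLI started with the "tunnel" subcommand, whichever
    # directory it was dropped in (the image name alone is compared).
    image_name = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return image_name in TUNNEL_IMAGES and "tunnel" in cmdline.lower().split()

def is_tunnel_domain(name):
    # Suffix match so that subdomains of the service endpoints are caught too.
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in TUNNEL_DOMAINS)

def to_cst_hour(ts):
    utc = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return utc.astimezone(CST).hour

def in_cst_working_hours(ts, start=9, end=21):
    # The report describes activity mostly between 9 a.m. and 9 p.m. CST;
    # the window is treated here as the half-open interval [start, end).
    return start <= to_cst_hour(ts) < end

def analyze(events, dns_queries):
    tunnel_launches = [e for e in events if is_tunnel_launch(e[2], e[3])]
    tunnel_lookups = [q for q in dns_queries if is_tunnel_domain(q[1])]
    # Per-host share of events inside the CST working-hours window.
    per_host = {}
    for ts, host, _, _ in events:
        bucket = "in_window" if in_cst_working_hours(ts) else "out_of_window"
        per_host.setdefault(host, Counter())[bucket] += 1
    return tunnel_launches, per_host, tunnel_lookups

if __name__ == "__main__":
    launches, hours, lookups = analyze(SAMPLE_EVENTS, SAMPLE_DNS)
    for ts, host, image, cmd in launches:
        print(f"[tunnel launch] {ts} {host}: {cmd}")
    for host, name in lookups:
        print(f"[tunnel domain] {host} resolved {name}")
    for host, counts in hours.items():
        print(f"[cst hours] {host}: {dict(counts)}")
```

The tunnel-launch and tunnel-domain checks are the actionable part: on a server that has no business running an editor, either should page someone, and an allow-list of hosts permitted to use the feature turns the check into a policy. The working-hours histogram is deliberately kept separate; it supports attribution only in combination with tooling overlaps of the kind the report describes.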
"The campaign underscores the strategic nature of this threat, as breaching organizations that provide data, infrastructure, and cybersecurity solutions to other industries gives the attackers a foothold in the digital supply chain, enabling them to extend their reach to downstream entities," the researchers said.
"The abuse of Visual Studio Code Remote Tunnels in this campaign illustrates how Chinese APT groups often rely on practical, solution-oriented approaches to evade detection. By leveraging a trusted development tool and infrastructure, the threat actors aimed to disguise their malicious activities as legitimate."