A Chinese state-backed advanced persistent threat (APT) group is attacking organizations around the globe in a likely espionage campaign that has been ongoing for several months.
Victims in this Cicada (aka APT10) campaign include government, legal, religious, and non-governmental organizations (NGOs) in multiple countries around the world, including in Europe, Asia, and North America. The wide range of sectors and geographies targeted in this campaign is notable. Cicada’s initial activity several years ago was heavily focused on Japanese-linked companies, though more recently it has been linked to attacks on managed service providers (MSPs) with a more global footprint. This campaign, however, does appear to indicate a further widening of Cicada’s targeting.
The attribution of this activity to Cicada is based on the presence on victim networks of a custom loader and custom malware that are believed to be exclusively used by the APT group.
Researchers from Symantec, a division of Broadcom, have found that while Cicada has been linked to espionage-style operations dating back to 2009, the earliest activity in this current campaign occurred in mid-2021, with the most recent activity seen in February 2022. This is therefore a long-running attack campaign that may still be ongoing.
Activity on infected networks
In several cases, the initial activity on victim networks is seen on Microsoft Exchange Servers, suggesting that a known, unpatched vulnerability in Microsoft Exchange may have been used to gain access to victim networks in some cases.
Once the attackers have successfully gained access to victim machines, we observe them deploying a range of tools, including a custom loader and the Sodamaster backdoor. The loader deployed in this campaign was also deployed in a previous Cicada attack.
Sodamaster is a known Cicada tool that is believed to be exclusively used by this group. It is a fileless malware that is capable of multiple functions, including evading detection in a sandbox by checking for a registry key or delaying execution; enumerating the username, hostname, and operating system of targeted systems; searching for running processes; and downloading and executing additional payloads. It is also capable of obfuscating and encrypting the traffic that it sends back to its command-and-control (C&C) server. It is a powerful backdoor that Cicada has been using since at least 2020.
In this campaign, the attackers are also seen dumping credentials, including by using a custom Mimikatz loader. This version of Mimikatz drops mimilib.dll to obtain credentials in plain text for any user that is accessing the compromised host and provides persistence across reboots.
The attackers also exploit the legitimate VLC Media Player by launching a custom loader via the VLC Exports function, and use the WinVNC tool for remote control of victim machines.
Other tools utilized in this attack campaign include:
- RAR archiving tool - can be used to compress, encrypt, or archive files, likely for exfiltration.
- System/Network discovery - a way for attackers to determine what systems or services are connected to an infected machine.
- WMIExec - Microsoft command-line tool that can be used to execute commands on remote computers.
- NBTScan - an open-source tool that has been observed being used by APT groups to conduct internal reconnaissance within a compromised network.
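The credential-dumping, VLC-based loader and tooling described above each leave a footprint in endpoint telemetry that a defender can alert on. The following is an added triage example written for this article, not Symantec's code or a detection shipped with any product. It assumes Sysmon-style event records with the field names shown (EventType, Image, ImageLoaded, ParentImage, CommandLine, TargetObject, Details, Computer), that mimilib.dll obtains persistence by being registered in the LSA "Security Packages" registry value (the standard mimilib installation mechanism; the baseline package list is an assumption to be replaced with one taken from a known-clean host), that the constructed Details field carries that value as a comma-separated string, and that a legitimate VLC Media Player install lives under Program Files. All sample events are constructed and are not telemetry from the campaign.

```python
"""Triage rules for the post-compromise behaviours described in the article.

Added example, not Symantec's code. Events are constructed, Sysmon-like
dictionaries; a real deployment would feed parsed EVTX or SIEM records.
"""
import re

# Assumption: baseline LSA security packages taken from a known-clean reference host.
BASELINE_SECURITY_PACKAGES = {"kerberos", "msv1_0", "schannel", "wdigest", "tspkg", "pku2u"}
WINDOWS_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Assumption: the legitimate player is installed under Program Files.
PROGRAM_FILES_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")
# WMIExec-style execution runs cmd.exe under WmiPrvSE and redirects output to
# the ADMIN$ share; the redirect is the detection handle.
WMIEXEC_OUTPUT_REDIRECT = re.compile(r"\\\\127\.0\.0\.1\\admin\$\\__\d+", re.I)
# rar -p / -hp create password-protected archives (staging for exfiltration).
RAR_PASSWORD_FLAG = re.compile(r"(^|\s)-h?p\S*")


def _lower(ev, key):
    return str(ev.get(key, "")).lower()


def rule_lsa_security_package(ev):
    """RegistryValueSet on LSA 'Security Packages' that adds a non-baseline SSP."""
    if ev.get("EventType") != "RegistryValueSet":
        return None
    if not _lower(ev, "TargetObject").endswith("\\control\\lsa\\security packages"):
        return None
    packages = {p.strip().lower() for p in ev.get("Details", "").split(",") if p.strip()}
    new = packages - BASELINE_SECURITY_PACKAGES
    if new:
        return "non-baseline LSA security package registered: " + ",".join(sorted(new))
    return None


def rule_lsass_image_load(ev):
    """ImageLoad into lsass.exe from outside the Windows system directories."""
    if ev.get("EventType") != "ImageLoad" or not _lower(ev, "Image").endswith("\\lsass.exe"):
        return None
    if not _lower(ev, "ImageLoaded").startswith(WINDOWS_DIRS):
        return "lsass.exe loaded DLL from non-system path: " + ev.get("ImageLoaded", "")
    return None


def rule_process_create(ev):
    """ProcessCreate: NBTScan, WMIExec-style execution, RAR encryption, stray vlc.exe."""
    if ev.get("EventType") != "ProcessCreate":
        return None
    image, cmd, parent = _lower(ev, "Image"), _lower(ev, "CommandLine"), _lower(ev, "ParentImage")
    name = image.rsplit("\\", 1)[-1]
    if name == "nbtscan.exe" or "nbtscan" in cmd:
        return "NBTScan internal reconnaissance"
    if name == "cmd.exe" and parent.endswith("\\wmiprvse.exe") and WMIEXEC_OUTPUT_REDIRECT.search(cmd):
        return "WMIExec-style remote command execution"
    if name in ("rar.exe", "winrar.exe") and RAR_PASSWORD_FLAG.search(cmd):
        return "RAR password-protected archive creation (possible exfiltration staging)"
    if name == "vlc.exe" and not image.startswith(PROGRAM_FILES_DIRS):
        return "vlc.exe running outside Program Files (possible custom loader host)"
    return None


RULES = (rule_lsa_security_package, rule_lsass_image_load, rule_process_create)


def triage(events):
    """Return (host, finding) pairs for every event matched by a rule."""
    findings = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append((ev.get("Computer", "?"), hit))
    return findings


# Constructed sample events (not real telemetry from the campaign).
SAMPLE_EVENTS = [
    {"EventType": "RegistryValueSet", "Computer": "dc01",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\Lsa\\Security Packages",
     "Details": "kerberos,msv1_0,schannel,wdigest,tspkg,pku2u,mimilib"},
    {"EventType": "ImageLoad", "Computer": "dc01", "Image": "C:\\Windows\\System32\\lsass.exe",
     "ImageLoaded": "C:\\ProgramData\\mimilib.dll"},
    {"EventType": "ImageLoad", "Computer": "dc01", "Image": "C:\\Windows\\System32\\lsass.exe",
     "ImageLoaded": "C:\\Windows\\System32\\kerberos.dll"},
    {"EventType": "ProcessCreate", "Computer": "ws07", "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "CommandLine": "cmd.exe /Q /c whoami 1> \\\\127.0.0.1\\ADMIN$\\__1645000000.1 2>&1"},
    {"EventType": "ProcessCreate", "Computer": "ws07", "Image": "C:\\Users\\Public\\nbtscan.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "nbtscan.exe 10.0.0.0/24"},
    {"EventType": "ProcessCreate", "Computer": "ws07", "Image": "C:\\Users\\Public\\rar.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "rar.exe a -hpSecret -r C:\\Users\\Public\\out.rar C:\\Users\\alice\\Documents"},
    {"EventType": "ProcessCreate", "Computer": "ws07", "Image": "C:\\Users\\Public\\vlc.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "C:\\Users\\Public\\vlc.exe"},
    {"EventType": "ProcessCreate", "Computer": "ws07", "Image": "C:\\Program Files\\VideoLAN\\VLC\\vlc.exe",
     "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "\"C:\\Program Files\\VideoLAN\\VLC\\vlc.exe\""},
]

if __name__ == "__main__":
    for host, finding in triage(SAMPLE_EVENTS):
        print(f"{host}: {finding}")
```

Running the block against the constructed events yields six findings (the new LSA package, the non-system DLL loaded into lsass.exe, the WMIExec-style cmd.exe, NBTScan, the encrypted RAR archive and the stray vlc.exe) while the benign kerberos.dll load and the Program Files VLC launch stay silent. The rules are deliberately narrow on the page's own tooling; in production they belong behind a baseline taken from the environment rather than the assumed constants at the top.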
The victims in this campaign appear to primarily be government-related institutions or NGOs, with some of these NGOs working in the fields of education and religion. There were also victims in the telecoms, legal, and pharmaceutical sectors.
The victims are spread across a wide range of regions including the U.S., Canada, Hong Kong, Turkey, Israel, India, Montenegro, and Italy. There is also just one victim in Japan, which is notable given Cicada’s previous strong focus on Japanese-linked companies.
The attackers spent as long as nine months on the networks of some victims.
The victims targeted, the various tools deployed in this campaign, and what we know of Cicada’s past activity all indicate that the most likely goal of this campaign is espionage. Cicada activity was linked by U.S. government officials to the Chinese government in 2018.
Significance of this activity
This is a long-running campaign from a sophisticated and experienced nation-state-backed actor that may still be ongoing, as the most recent activity we saw in this campaign was in February 2022. Targeting multiple large organizations in different geographies at the same time requires resources and skills that are generally only seen in nation-state-backed groups, and shows that Cicada still has a lot of firepower behind it when it comes to its cyber activities.
For the latest protection updates, please visit the Symantec Protection Bulletin.
Indicators of Compromise (IOCs)
If an IOC is malicious and the file available to us, Symantec Endpoint products will detect and block that file.