CyberWire Daily – Episode Summary: A Digital Eye on Supply-Chain-Based Espionage Attacks
Release Date: February 1, 2025
Podcast: CyberWire Daily by N2K Networks
Episode: A Digital Eye on Supply-Chain-Based Espionage Attacks [Research Saturday]
Introduction
In this episode of CyberWire Daily, host Dave Bittner engages in an in-depth discussion with Juan Andres Guerrero-Saade, also known as "Jags," from SentinelOne. The focus of their conversation is on recent research surrounding Operation DigitalEye, a sophisticated cyber espionage campaign targeting critical digital infrastructure. This episode delves into the methods employed by the attackers, the evolution of related operations, and the broader implications for cybersecurity.
Overview of Operation DigitalEye
Operation DigitalEye represents the latest iteration in a series of cyber espionage campaigns attributed to Chinese Advanced Persistent Threat (APT) groups. First flagged by researchers Aleksandar Milenkoski and Luigi Martire of Tinexta Cyber, this operation underscores the persistent and evolving nature of Chinese cyber threats targeting critical sectors such as telecommunications and B2B IT infrastructure.
Juan Andres Guerrero-Saade [02:19]: "Operation DigitalEye is a kind of interesting next chapter in this sort of continuum of research that we've been working around, this kind of vague APT team somewhere in the general Chinese cluster."
Evolution from Operation Soft Sell and Tainted Love
Operation DigitalEye is part of a continuum that includes previous campaigns named Operation Soft Sell and Operation Tainted Love. These operations have demonstrated a pattern of targeting telecommunications and critical infrastructure, with each new campaign building upon the techniques and tools developed in its predecessors.
Juan Andres Guerrero-Saade [13:11]: "When you're talking about the Chinese APT ecosystem, and you already mentioned this notion of digital quartermasters and shared vendors, can you help us understand what your perception is of how that works?"
Techniques Employed: Visual Studio Code Remote Tunnels
A standout feature of Operation DigitalEye is the attackers' use of Visual Studio Code (VS Code) remote tunnels for command and control (C2). By leveraging a trusted and widely used development environment, the attackers disguise their malicious traffic, making it exceedingly difficult to detect.
Dave Bittner [03:36]: "Attackers have clearly figured that part out as they took to using the novel technique of taking this Visual Studio Code IDE and abusing one of its native features."
The use of VS Code remote tunnels allows attackers to:
- Bypass Firewalls: Since VS Code is a trusted tool, its traffic often receives lenient treatment through network defenses.
- Blend with Legitimate Traffic: C2 communications are masked alongside regular development traffic, evading traditional network-based detection mechanisms.
Dave Bittner [04:13]: "They abuse this remote tunnels capability in order to actually disguise their command and control traffic through the allowances that you would normally make for this."
Use of Custom Mimikatz Modifications
Another critical aspect of Operation DigitalEye is the deployment of customized versions of Mimikatz for pass-the-hash (PtH) attacks. By modifying this widely known credential extraction tool, the attackers enhance their ability to move laterally within victim networks undetected.
Dave Bittner [07:23]: "The attackers have kept modifying [Mimikatz], improving it, changing it to their own liking, and in some cases even adding custom messaging in Chinese for what we assume are other teams that are also working with their tools."
These modifications indicate a level of sophistication aimed at sustaining long-term access and avoiding detection by blending with legitimate security tools.
Infrastructure Strategies to Evade Detection
Operation DigitalEye's infrastructure strategy involves registering their C2 servers on Microsoft Azure and utilizing European-based infrastructure. This approach serves two primary purposes:
- Legitimacy: Leveraging trusted cloud services makes it challenging for defenders to flag the traffic as malicious.
- Geographical Proximity: Hosting infrastructure closer to the target region reduces the likelihood of triggering geopolitical red flags, thereby avoiding heightened scrutiny.
Dave Bittner [08:52]: "The attackers are registering their command and control infrastructure on Azure Cloud. This makes their connections seem innocuous as they appear to originate from trusted Microsoft-owned cloud infrastructure."
Chinese APT Ecosystem's Fluid Structure
The discussion highlights the fluid and interconnected nature of the Chinese APT ecosystem. Unlike more rigidly structured state-sponsored groups, Chinese threat actors exhibit a high degree of collaboration and tool-sharing, complicating attribution and defense efforts.
Dave Bittner [15:36]: "There's a lot of these teams that are harder to characterize because of some of the tooling that they're using and some of the techniques."
This fluidity allows for rapid adaptation and the seamless integration of new tools and methods across different APT groups, enhancing their overall effectiveness and persistence.
Detection and Mitigation Challenges
Detecting and mitigating operations like DigitalEye presents significant challenges. Traditional network-based defense mechanisms struggle to identify such sophisticated and stealthy attacks, especially when legitimate tools like VS Code are abused.
Dave Bittner [17:35]: "For anybody, you know, any astute readers paying attention to the research, it really wouldn't help you too much to focus too much on the network resources."
The reliance shifts heavily towards endpoint protection and behavioral analytics, as network-level monitoring alone becomes insufficient against these advanced tactics.
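As an added illustration of the endpoint-side focus the episode recommends (this is example code written for this summary, not code from the episode, from SentinelOne, or from the Tinexta Cyber researchers), the Python sketch below scans constructed endpoint telemetry for VS Code remote-tunnel activity and grades each hit by context rather than by network origin alone. The event schema, the inventory of sanctioned developer workstations, and the list of interactive parent processes are assumptions; the relay domain suffixes devtunnels.ms and tunnels.api.visualstudio.com are, to my knowledge, the endpoints the VS Code tunnel service contacts, but treat them as an assumption to confirm against your own telemetry. It goes slightly beyond the episode by covering the Linux `code-tunnel` binary as well as the Windows `code.exe tunnel` form.

```python
"""Endpoint-telemetry detection sketch for VS Code remote-tunnel abuse.

Added example, not from the episode. The idea the episode makes: the
network leg (Azure-hosted relays, developer-looking TLS) is the wrong
place to look, so this grades tunnel launches by host role and parent
process, and only uses the relay domains as a secondary, lower-confidence
signal.
"""
import re

# Assumed: relay suffixes contacted by the VS Code tunnel service.
TUNNEL_RELAY_DOMAINS = ("devtunnels.ms", "tunnels.api.visualstudio.com")
# Assumed: parents that indicate a human typed the command.
INTERACTIVE_PARENTS = {"explorer.exe", "powershell.exe", "cmd.exe",
                       "windowsterminal.exe", "bash", "zsh"}
# Assumed: asset inventory of hosts where a developer tunnel is sanctioned.
DEV_HOSTS = {"dev-ws-01"}

# Constructed sample events (not real logs), in a minimal EDR-like schema.
SAMPLE_EVENTS = [
    {"type": "process", "host": "dev-ws-01", "user": "alice",
     "image": r"C:\Users\alice\AppData\Local\Programs\Microsoft VS Code\bin\code.cmd",
     "cmdline": "code tunnel --name dev-ws-01", "parent": "explorer.exe"},
    {"type": "process", "host": "app-srv-03", "user": "IIS APPPOOL\\DefaultAppPool",
     "image": r"C:\ProgramData\vsc\code.exe",
     "cmdline": "code.exe tunnel --accept-server-license-terms", "parent": "w3wp.exe"},
    {"type": "process", "host": "dev-ws-01", "user": "bob",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe notes.txt", "parent": "explorer.exe"},
    {"type": "network", "host": "app-srv-03", "process": "code.exe",
     "dest": "global.rel.tunnels.api.visualstudio.com", "port": 443},
    {"type": "process", "host": "dev-ws-01", "user": "NT AUTHORITY\\SYSTEM",
     "image": r"C:\ProgramData\tools\code.exe",
     "cmdline": "code.exe tunnel --accept-server-license-terms", "parent": "services.exe"},
]


def basename(path):
    """Last path component, lower-cased, for either slash style."""
    return re.split(r"[\\/]", path)[-1].lower()


def is_tunnel_launch(ev):
    """True for `code[.exe|.cmd] tunnel ...` or the standalone code-tunnel binary."""
    if ev["type"] != "process":
        return False
    image = basename(ev["image"])
    if image.startswith("code-tunnel"):
        return True
    return image in {"code.exe", "code.cmd", "code"} and \
        re.search(r"(?:^|\s)tunnel(?:\s|$)", ev["cmdline"]) is not None


def contacts_tunnel_relay(ev):
    """True when a network event's destination is under a relay suffix."""
    if ev["type"] != "network":
        return False
    dest = ev["dest"].lower()
    return any(dest == s or dest.endswith("." + s) for s in TUNNEL_RELAY_DOMAINS)


def assess(ev):
    """Return (severity, reason) for an event, or None if nothing to report."""
    if is_tunnel_launch(ev):
        parent = basename(ev.get("parent", ""))
        if ev["host"] not in DEV_HOSTS:
            return ("high", f"VS Code tunnel started on non-developer host "
                            f"{ev['host']} as {ev['user']} (parent {parent})")
        if parent not in INTERACTIVE_PARENTS:
            return ("high", f"VS Code tunnel started non-interactively on "
                            f"{ev['host']} as {ev['user']} (parent {parent})")
        return ("info", f"sanctioned developer tunnel on {ev['host']} by {ev['user']}")
    if contacts_tunnel_relay(ev):
        if ev["host"] not in DEV_HOSTS:
            return ("medium", f"{ev['host']} contacted tunnel relay {ev['dest']}")
        return ("info", f"{ev['host']} contacted tunnel relay {ev['dest']}")
    return None


def scan(events):
    """Run assess() over a batch; returns [(host, severity, reason), ...]."""
    findings = []
    for ev in events:
        verdict = assess(ev)
        if verdict:
            findings.append((ev["host"], *verdict))
    return findings


if __name__ == "__main__":
    for host, severity, reason in scan(SAMPLE_EVENTS):
        print(f"[{severity.upper():6}] {host}: {reason}")
```

Run against the constructed events, the interactive launch on the developer workstation is logged at info, while the tunnel spawned by the IIS worker process on the application server and the SYSTEM-owned launch under services.exe are both graded high on process context alone, exactly the signal a network-only view would miss. The relay-domain match is deliberately only medium: on its own it cannot distinguish a developer from an intruder, which is the episode's point.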
Implications for Developers and Supply Chain Security
The episode underscores the precarious position of developers who rely on trusted tools like Visual Studio Code. The potential for these tools to be compromised highlights the vulnerability of the software supply chain.
Dave Bittner [19:20]: "There's a very laissez faire kind of approach to how these tools use plugins. So for example, VS Code has its own plugin marketplace... There's a heavy reliance on whether you have good stewardship from Microsoft to vet that code doesn't become a vector for a supply chain attack."
This situation necessitates stringent policies and enhanced vigilance in monitoring the behavioral aspects of development tools to prevent supply chain compromises.
Key Takeaways and Conclusions
Operation DigitalEye serves as a stark reminder of the sustained and evolving threat posed by Chinese APT groups targeting critical infrastructure. The key takeaways from the discussion include:
- Sophisticated Evasion Techniques: Leveraging trusted development environments and cloud services to mask malicious activities makes traditional defenses inadequate.
- Interconnected APT Ecosystem: The fluid and collaborative nature of Chinese APT groups complicates attribution and requires a more nuanced defense strategy.
- Reliance on Endpoint Protection: Effective detection of such advanced threats necessitates robust endpoint security solutions and comprehensive behavioral analytics.
- Supply Chain Vulnerabilities: The compromise of development tools like VS Code highlights the need for heightened supply chain security measures and vigilant oversight of software dependencies.
Dave Bittner [22:02]: "There is a sustained effort with specific Chinese APT teams that are primarily interested in being there. And that's for good reason... We just pay them and hope that they're protecting us."
The episode calls for increased awareness and proactive measures to safeguard critical infrastructure and the broader digital ecosystem from such pervasive and stealthy threats.
Conclusion
"A Digital Eye on Supply-Chain-Based Espionage Attacks" provides a comprehensive analysis of the latest Chinese APT operations targeting essential digital infrastructure. Through detailed exploration of Operation DigitalEye's methodologies and the broader APT landscape, listeners gain valuable insights into the challenges and necessities of modern cybersecurity defenses.
Produced by Liz Stokes, mixed by Elliot Peltzman and Trey Hester, and executive produced by Jennifer Eiben. Executive Editor: Brandon Karpf. President: Simone Petrella. Publisher: Peter Kilpe.