Earlier this year, a major U.S. organization was the target of a suspected Chinese threat actor. The malicious activity was first discovered on April 11, 2024, and it persisted until August.

Although the organization's name was kept a secret, it is well-known in China. The attack used living-off-the-land (LotL) tools such as Windows Management Instrumentation (WMI), PsExec, and PowerShell, in addition to open-source tools such as FileZilla, Impacket, and PSCP. The attackers downloaded programs such as FileZilla and WinRAR, stole credentials, and executed malicious payloads using DLL side-loading.

Around the same time, Orange Cyberdefense described the private and public relationships within the Chinese cyber offensive ecosystem. The company emphasized the role that hack-for-hire contractors and universities play in conducting security research and carrying out attacks at the behest of state agencies. It claimed that, in order to conceal the attribution of their campaigns to the Chinese government, the people involved register fictitious front businesses.

The fictitious businesses might assist in obtaining the digital infrastructure required to carry out the cyberattacks without attracting unwanted attention. In a recent report on the Chinese threat ecosystem, Orange Cyberdefense stated that people connected to [People's Liberation Army] or [Ministry of State Security] units frequently register fictitious businesses. "These phony businesses engage in no real profit-driven activities," it went on. "They also help to acquire the digital infrastructure required to carry out the attacks. They also act as fronts for hiring personnel for roles that support hacking operations."