Boston-based security firm Cybereason released a report Wednesday which chronicled a “massive Chinese intellectual property theft operation” dubbed “Operation CuckooBees.”
The operation involved Chinese hackers stealing hundreds of gigabytes of high-tech intellectual property from some 30 multinational corporations, including military technology and pharmaceutical data.
Cybereason said its Nocturnus Incident Response Team discovered the hacker campaign when it was hired to “investigate multiple intrusions targeting technology and manufacturing companies in North America, Europe, and Asia” in 2021.
The team uncovered an “elusive and sophisticated cyber espionage campaign operating undetected since at least 2019,” most likely perpetrated by an Advanced Persistent Threat (APT) group called Winnti.
“Winnti, also known as APT 41, BARIUM, and Blackfly, is a Chinese state-sponsored APT group known for its stealth, sophistication, and focus on stealing technology secrets,” the report explained.
Operation CuckooBees 🚨 Researchers at Cybereason have discovered a massive Chinese intellectual property theft operation assessed to be the work of Chinese APT Winnti https://t.co/DN3WNel2c8 #research #CuckooBees #Winnti
— Cybereason (@cybereason) May 4, 2022
Winnti has been active since at least 2010. Cybereason’s investigators said the group deployed new malware strains for Operation CuckooBees, but also reused some of its established tooling to open backdoors into targeted systems and slowly, quietly exfiltrate large volumes of data.
“Over the years, there have been multiple reports and US Department of Justice (DOJ) indictments tying Winnti to large-scale IP theft operations. Cybereason researchers believe that dozens of other companies were potentially affected by this or similar campaigns carried out by Winnti,” Cybereason said.
Winnti is noted for conducting extensive reconnaissance of targeted systems before deploying its malware and beginning data exfiltration. Cybereason said some of the data pilfered in Operation CuckooBees, such as network and credential information, could be useful for facilitating future attacks.
Cybereason noted in a detailed analysis of the malware used in the attack:
Perhaps one of the most interesting and striking aspects of this report is the level of sophistication introduced by the malware authors. The infection and deployment chain is long, complicated and interdependent — should one step go wrong, the entire chain collapses — making it somewhat vulnerable, yet at the same time provides an extra level of security and stealth for the operation.
The report said it was “hard to estimate the exact number of companies affected by Operation CuckooBees” due to the “complexity, stealth, and sophistication of the attacks.”
“We’re talking about blueprint diagrams of fighter jets, helicopters, and missiles,” Cybereason CEO Lior Div told CBS News on Wednesday. “We saw them stealing IP of drugs around diabetes, obesity, depression.”
Div said the value of the stolen data could be measured in “trillions, not billions” of dollars.
“The real impact is something we’re going to see in five years from now, ten years from now, when we think that we have the upper hand on pharmaceutical, energy, and defense technologies. And we’re going to look at China and say, how did they bridge the gap so quickly without the engineers and resources?” he warned.
According to Div, Operation CuckooBees remains ongoing.