In late October and early November 2017, CrowdStrike® Falcon Intelligence™ observed People’s Republic of China (PRC)-based actors conducting espionage-driven targeted attacks against at least four Western think tanks and an additional two non-governmental organizations (NGOs). This marks a significant increase in China-based activity compared with the preceding months, as the majority of activity observed in Q3 was focused on Southeast and East Asia. The “smash-and-grab” type of cyber operation that characterized a majority of pre-2016 PRC espionage cases appears to have ceased in favor of much more targeted intrusions focused on specific outcomes.
Previous operations targeting think tanks resembled the digital equivalents of so-called smash-and-grab robberies: the attackers indiscriminately exfiltrated data, vacuuming up whatever information was available. However, in these most recent incidents, threat actors specifically targeted the communications of foreign personnel involved in Chinese economic policy research and the Chinese economy, as well as users with noted expertise in defense, international finance, U.S.-Sino relations, cyber governance, and democratic elections.
The majority of these intrusions leveraged the China Chopper webshell and/or credential harvesting tools such as Mimikatz, which target Microsoft Active Directory infrastructure, to compromise credentials for lateral movement in victim networks. Typically, the adversary also retrieved second-stage tools from an external staging server. Actors often searched for very specific strings, such as “china”, “cyber”, “japan”, “korea”, “chinese” and “eager lion”; the latter is likely a reference to a multinational annual military exercise held in Jordan.
In at least two cases, adversaries were observed conducting email directory dumps for a full listing of departments within the victim organizations. Not only does this tactic help refine a list of targeted personnel within the organization, but access to a legitimate email server can provide a platform for conducting future spear-phishing operations. Nearly all the affected organizations likely maintain close ties to Western government officials. This makes them an attractive target for mounting further attacks against government-supporting sectors, since the intruders can masquerade as trusted sources when sending spear-phishing emails.