China publishes report on U.S. cyberattacks targeting a "tech enterprise"
China has published a report detailing U.S. cyberattacks aimed at a technology company. The document sheds light on the alleged intrusion and its implications.

On Friday, CNCERT released a report detailing the attacks. Key highlights are as follows:
**I. Cyberattack Process**
1. **Exploitation of Vulnerabilities for Intrusion**
On August 19, 2024, attackers took advantage of a vulnerability in the enterprise's electronic document management system to gain unauthorized access. They managed to steal account and password information belonging to the system administrator. Subsequently, on August 21, 2024, the attackers used the compromised administrator credentials to access the backend of the system.
2. **Compromise of Software Upgrade Management Server**
At noon on August 21, 2024, the attackers deployed both a backdoor program and a customized Trojan on the electronic document management system, aimed at collecting stolen data. To avoid detection, these malicious programs operated solely in memory and were not stored on the hard drive. The Trojan facilitated the retrieval of sensitive files from compromised personal computers within the organization, while the backdoor was responsible for aggregating and transmitting the stolen files overseas.
3. **Spread of Trojan Infections to Personal Computers**
Between November 6 and November 16, 2024, the attackers exploited the software upgrade function of the electronic document server to implant specialized Trojan programs into 276 personal computers within the enterprise. These Trojans were designed to search for sensitive files, steal login credentials, and gather other personal information, self-deleting immediately after their tasks were completed.
**II. Massive Theft of Trade Secrets**
1. **Comprehensive Scanning of Host Machines**
The attackers repeatedly accessed the software upgrade management server using IP proxies based in China. This allowed them to infiltrate the enterprise's internal network, conducting comprehensive disk scans of the host machines to identify potential targets and gather information regarding the enterprise's operations.
2. **Targeted and Specific Theft**
Between November 6 and 16, 2024, the attackers used various proxy IP addresses to access the software upgrade management server and implant Trojans onto personal computers. These Trojans were programmed with specific keywords relevant to the enterprise's work. Files matching the specified keywords were stolen and transmitted abroad, showing the attackers' meticulous preparation and specificity. In total, 4.98 GB of critical commercial information and intellectual property was taken during these incidents.
**III. Characteristics of the Attacks**
1. **Timing of Attacks**
Analysis indicated that most attacks occurred from 10 p.m. to 8 a.m. Beijing Time (10 a.m. to 8 p.m. Eastern Standard Time). The majority of these actions took place from Monday to Friday, avoiding major U.S. holidays.
2. **Resources Utilized in the Attacks**
The five proxy IP addresses used were located in Germany, Romania, and other regions, demonstrating a sophisticated understanding of counter-forensics and access to extensive attack resources.
3. **Tools Employed in the Attacks**
The attackers effectively employed open-source or generic tools to mask their activities and evade detection. The backdoor identified on the compromised servers was a commonly used open-source tool, operating solely in memory to ensure the attack was difficult to detect during subsequent analysis.
4. **Techniques Used in the Attacks**
Following the compromise of the electronic document management system, the attackers modified the client distribution program within the system. By utilizing the software client upgrade feature, they delivered Trojan programs to multiple personal computers, enabling swift and targeted attacks on key users while facilitating extensive information collection and theft. These techniques highlight the advanced capabilities of the attacking organization.
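The timing analysis in III.1 (activity clustered in the 10 p.m. to 8 a.m. Beijing window, Monday to Friday) is a standard forensic step: bucket attacker timestamps by local hour and weekday in each candidate time zone and see which working-day hypothesis the activity fits. The script below is an added illustration, not part of the CNCERT report; the event timestamps and the zone names `Asia/Shanghai` and `America/New_York` are constructed sample input.

```python
# Temporal pattern analysis of attacker activity: convert UTC event times into
# candidate local zones and measure how the events spread over hours and weekdays.
from collections import Counter
from datetime import datetime, timedelta, timezone
from zoneinfo import ZoneInfo, ZoneInfoNotFoundError

# Constructed sample: UTC timestamps of proxy logins to the update server.
# Illustrative values only, not data from the report.
SAMPLE_EVENTS_UTC = [
    "2024-11-06T15:00:00Z", "2024-11-07T20:30:00Z", "2024-11-08T23:45:00Z",
    "2024-11-11T16:00:00Z", "2024-11-13T15:05:00Z", "2024-11-14T19:00:00Z",
    "2024-11-15T06:00:00Z",  # one outlier that fits neither working-hours pattern
]

def get_tz(name, fallback_offset_hours):
    """IANA zone when tzdata is installed, otherwise a fixed UTC offset."""
    try:
        return ZoneInfo(name)
    except ZoneInfoNotFoundError:
        return timezone(timedelta(hours=fallback_offset_hours))

def parse_utc(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def localize(events_utc, tz):
    return [parse_utc(ts).astimezone(tz) for ts in events_utc]

def hour_histogram(events_utc, tz):
    """Number of events per local hour (0-23) in the given zone."""
    return Counter(dt.hour for dt in localize(events_utc, tz))

def fraction_in_window(events_utc, tz, start_hour, end_hour):
    """Share of events whose local hour lies in [start, end); the window may wrap midnight."""
    hours = [dt.hour for dt in localize(events_utc, tz)]
    if start_hour <= end_hour:
        hits = [h for h in hours if start_hour <= h < end_hour]
    else:
        hits = [h for h in hours if h >= start_hour or h < end_hour]
    return len(hits) / len(hours)

def weekday_fraction(events_utc, tz):
    """Share of events that fall on Monday to Friday in the given zone."""
    days = [dt.weekday() for dt in localize(events_utc, tz)]
    return sum(1 for d in days if d < 5) / len(days)

if __name__ == "__main__":
    beijing = get_tz("Asia/Shanghai", 8)
    eastern = get_tz("America/New_York", -5)  # fallback is EST; samples post-date the 2024 DST end
    print("Beijing 22:00-08:00 share:", fraction_in_window(SAMPLE_EVENTS_UTC, beijing, 22, 8))
    print("Eastern 10:00-20:00 share:", fraction_in_window(SAMPLE_EVENTS_UTC, eastern, 10, 20))
    print("Mon-Fri share, Beijing:", weekday_fraction(SAMPLE_EVENTS_UTC, beijing))
    print("Mon-Fri share, Eastern:", weekday_fraction(SAMPLE_EVENTS_UTC, eastern))
```

On the constructed sample the same six events land in the Beijing night window and the Eastern daytime window, while one event that is a Saturday in Beijing time is a Friday in Eastern time, which is the kind of signal the report's section III.1 relies on.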
**IV. Partial List of Proxy IPs**
The report includes a list of the proxy IPs identified, originating from locations such as the Netherlands, Romania, and Germany.
Lucas Dupont for TROIB News