Chinese spies spent months inside aerospace engineering firm's network via legacy IT
Getting sloppy, Xi
Exclusive: Chinese state-sponsored spies have been spotted inside a global engineering firm's network, having gained initial entry using an admin portal's default credentials on an IBM AIX server.
In an exclusive interview with The Register, Binary Defense's Director of Security Research John Dwyer said the cyber snoops first compromised one of the victim's three unmanaged AIX servers in March, and remained inside the US-headquartered manufacturer's IT environment for four months while poking around for more boxes to commandeer.
It's a tale that should be a warning to those with long- or almost-forgotten machines connected to their networks; those with shadow IT deployments; and those with unmanaged equipment. While the rest of your environment is protected by whatever threat detection you have in place, these legacy services are perfect starting points for miscreants.
And that's not to say AIX is retired or abandoned technology; it is advanced in its design and it still gets updates and support from Big Blue. By legacy we mean it is a child of the 1980s, is used in specialized roles where it can't be easily replaced, and lives on in a world now dominated by Linux and Windows.
This particular company, which Dwyer declined to name, makes components for public and private aerospace organizations and other critical sectors, including oil and gas. The intrusion has been attributed to an unnamed People's Republic of China team, whose motivation appears to be espionage and blueprint theft.
It's worth noting the Feds have issued multiple security alerts this year about Beijing's spy crews including APT40 and Volt Typhoon, which has been accused of burrowing into American networks in preparation for destructive cyberattacks.
After discovering China's agents within its network in August, the manufacturer alerted local and federal law enforcement agencies and worked with government cybersecurity officials on attribution and mitigation, we're told. Binary Defense was also called in to investigate.
The US government's Cybersecurity and Infrastructure Security Agency declined to comment, and the FBI did not immediately respond to The Register's inquiries.
Before being caught and subsequently booted off the network, the Chinese intruders uploaded a web shell and established persistent access, thus giving them full, remote access to the IT network — putting the spies in a prime position for potential intellectual property theft and supply-chain manipulation.
If a compromised component makes it out of the supply chain and into machinery in production, whoever is using that equipment or vehicle will end up feeling the brunt when that component fails, goes rogue, or goes awry.
"The scary side of it is: With our supply chain, we have an assumed risk chain, where whoever is consuming the final product – whether it is the government, the US Department of the Defense, school systems – assumes all of the risks of all the interconnected pieces of the supply chain," Dwyer told The Register.
Plus, he added, adversarial nations are well aware of this, "and the attacks continually seem to be shifting left." That is to say, attempts to meddle with products are happening earlier and earlier in the supply-chain pipeline, thus affecting more and more victims and being more deep-rooted in systems.
Breaking into a classified network to steal designs or cause trouble is not super easy. "But can I get into a piece of the supply chain at a manufacturing center that isn't beholden to the same standards and accomplish my goals and objectives?" Dwyer asked.
The answer, of course, is yes.
Three of the victim's AIX development environment servers were exposed unprotected to the open internet, according to Binary Defense. At least one of them was running an Apache Axis admin portal with default administrator credentials, which gave the intruders full access to the IBM system. The server wasn't compatible with the organization's security monitoring tools, which is part of the reason why it took network defenders months to spot malicious activity on company computers, we're told.
All of this, according to Dwyer, amounts to "an honest mistake," but one that also illustrates the problem with newer security tools not being backward-compatible with machines of the AIX ilk that power a lot of critical systems.
We're told that once the server had been compromised, the intruders installed an AxisInvoker web shell, allowing them to remotely control the box, harvest Kerberos data on it, and add SSH keys so they could securely log in from the outside. The snoops then gathered up as much intelligence as they could on the network's configuration as well as whatever data they could get via LDAP and SMB shares.
Unraveled
More post-exploitation code was deployed, including Cobalt Strike and web shells, plus a fast reverse proxy (FRP) to tunnel back to their own infrastructure. Amusingly, they seemed unfamiliar with AIX, as they tried running programs that are standard on Linux but not native to IBM's Unix-flavored OS. They then turned to the Microsoft Windows environment of the engineering firm's network, and conducted NTLM relay attacks to enumerate available Windows users and impersonate a valid administrator-level Windows account.
Soon after that, the intruders were discovered by threat detection tools deployed by the firm. The snoops tried to dump the memory of the LSASS process on a Windows server, a common way to gather credentials from a system. That was observed and blocked, and the spies were thrown out, seemingly before anything further was accessed.
"And immediately after we had removed them from the environment, another attack set off, which we attributed to the same group trying to get back in through other means," he added.
This happened within 24 hours, with a credential-stuffing attack. "There was no opsec, no slow-and-low," Dwyer said. "They put the persistent in APT. Once they identify a target as valuable to them and their goals and objectives, they will continue to try to get back in."
Binary Defense is due to publish a report on Thursday about the cyber-break-in and lessons learned. ®