Sprawling 'Operation Digital Eye' Attack Targets European IT Orgs
A Chinese threat actor infiltrated several IT and security companies in a bring-your-own-VS-Code attack, with an eye to carrying out supply-chain-based espionage.
At a Glance
- The attackers targeted B2B IT service firms in southern Europe, intending to infiltrate their clients via privileged access.
- The campaign involved SQL injections, PHP Web shells, and a modified version of Mimikatz ("bK2o.exe") for credential theft.
- The attackers employed tactics and tools linked to various Chinese APT groups, complicating attribution.
Chinese hackers almost breached critical European supply chain companies by disguising their malicious activities behind native Microsoft technologies.
It happened during a three-week period, from late June to July, according to researchers from SentinelLabs. A threat actor tied to China's diverse and thriving cyberattack scene targeted large business-to-business (B2B) IT service providers throughout southern Europe, such as cybersecurity vendors and data and infrastructure solutions providers, with the presumed goal of downstream supply chain espionage.
To penetrate these IT vendors — and, presumably, the many clients across the continent to which they enjoy privileged access — the attackers masked their malicious activity behind everyday business tools like Visual Studio Code and Microsoft Azure. And to confuse attribution, they used the same tactics, techniques, procedures (TTPs), and tooling observed across a number of other known Chinese threat actors.
Malware via Microsoft
Infections in the campaign, which researchers dubbed "Operation Digital Eye," began with SQL injections against vulnerable, Internet-facing Web and database servers. Then the attackers dropped PHP Web shells, using filenames specially tailored to the target's environment in order to avoid raising any suspicion. Reconnaissance, lateral movement, and credentials theft followed.
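Because the Web shells were given filenames tailored to each environment, a filename-based check would miss them; a defender has to look at the contents of what is sitting in the webroot. The following is an added example (not part of the original article or of SentinelLabs' tooling) of a small content-based heuristic scanner: it looks for PHP execution sinks that are fed from request superglobals, with extra weight for obfuscation helpers and error suppression. The PHP samples embedded in it are constructed for the demonstration and are not artifacts from the campaign.

```python
import re

# Constructed PHP sources used to exercise the scanner (not from the campaign).
BENIGN_PHP = """<?php
$name = htmlspecialchars($_GET['name'] ?? 'guest');
echo "Hello, " . $name;
"""

SUSPECT_PHP = """<?php
// constructed sample resembling a minimal one-line shell
@eval($_POST['k']);
"""

SUSPECT_PHP_2 = """<?php
$c = $_REQUEST["c"]; echo shell_exec($c);
"""

# PHP functions that execute code or shell commands (the "sinks").
EXEC_SINKS = ("eval", "assert", "system", "exec", "shell_exec",
              "passthru", "popen", "proc_open")
# Places attacker-controlled request data enters a script (the "sources").
REQUEST_SOURCES = ("$_GET", "$_POST", "$_REQUEST", "$_COOKIE", "php://input")
# Decoding helpers commonly wrapped around a sink to hide the payload.
OBFUSCATION = ("base64_decode", "gzinflate", "gzuncompress", "str_rot13", "strrev")

_SINK_ALT = "|".join(map(re.escape, EXEC_SINKS))
# sink( ... $_GET/$_POST/... within the same statement
_DIRECT_RE = re.compile(r"\b(?:" + _SINK_ALT + r")\s*\([^;]*\$_(?:GET|POST|REQUEST|COOKIE)")
# @sink( : error suppression directly on an execution sink
_SUPPRESSED_RE = re.compile(r"@\s*(?:" + _SINK_ALT + r")\s*\(")


def _called(names, text):
    """Return the subset of `names` that appear as function calls in `text`."""
    return sorted(n for n in names if re.search(r"\b" + re.escape(n) + r"\s*\(", text))


def score_php_source(src: str) -> dict:
    """Heuristically score one PHP source for web-shell traits. Higher is worse."""
    sinks = _called(EXEC_SINKS, src)
    sources = sorted(s for s in REQUEST_SOURCES if s in src)
    obf = _called(OBFUSCATION, src)
    score, reasons = 0, []
    if sinks and sources:
        score += 2
        reasons.append(f"request data {sources} and execution sink {sinks} in the same file")
    if _DIRECT_RE.search(src):
        score += 3
        reasons.append("request superglobal passed straight into an execution sink")
    if obf and sinks:
        score += 2
        reasons.append(f"execution sink combined with decoding helpers {obf}")
    if _SUPPRESSED_RE.search(src):
        score += 1
        reasons.append("error suppression (@) applied to an execution sink")
    return {"score": score, "sinks": sinks, "sources": sources,
            "obfuscation": obf, "reasons": reasons}


def is_suspicious(src: str, threshold: int = 2) -> bool:
    """Anything reaching the threshold deserves a manual look."""
    return score_php_source(src)["score"] >= threshold


def scan_sources(named_sources: dict) -> list:
    """Scan {name: source} pairs; return (name, score) for every suspicious file."""
    hits = []
    for name, src in named_sources.items():
        result = score_php_source(src)
        if result["score"] >= 2:
            hits.append((name, result["score"]))
    return hits


if __name__ == "__main__":
    samples = {"index.php": BENIGN_PHP, "cache_helper.php": SUSPECT_PHP,
               "report_export.php": SUSPECT_PHP_2}
    for name, score in scan_sources(samples):
        print(f"{name}: score {score}")
        for reason in score_php_source(samples[name])["reasons"]:
            print("  -", reason)
```

Run it over a real webroot by reading each `.php` file into the dictionary passed to `scan_sources`. The threshold is deliberately low: a legitimate admin script that calls `exec()` and reads `$_GET` will also score 2, which is exactly the kind of file worth a second look when a server is believed to have been hit by SQL injection followed by a dropped shell.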
The highlight of the attacks, though, came innocuously packaged as "code.exe." Digitally signed by Microsoft and run as a service using the Windows Service Wrapper, this was the attackers' own portable copy of Visual Studio Code (VS Code), which they brought to each of their victims. VS Code is a free, open source editor developed by Microsoft and by far the most popular integrated development environment (IDE) among both new and seasoned developers.
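Since the binary is a genuine, Microsoft-signed VS Code, signature checks and hash-based blocklists say nothing useful; what is abnormal is the execution context: a portable copy outside the usual install directories, running under a service account, launched by a service wrapper rather than by a user's shell. The following is an added example (not part of the original article or of SentinelLabs' research) of a detector that applies those three context checks to Sysmon-style process-creation records. The records, paths and the wrapper filename `winsw.exe` are constructed for the demonstration; the standard install directories listed are the ones VS Code's installers use, but tune them to your environment.

```python
from pathlib import PureWindowsPath

# Directories where an installed VS Code normally lives (per-user and system-wide installs).
STANDARD_VSCODE_DIRS = (
    r"c:\program files\microsoft vs code",
    r"c:\program files (x86)\microsoft vs code",
    r"\appdata\local\programs\microsoft vs code",
)
VSCODE_BINARIES = {"code.exe", "code - insiders.exe"}
SERVICE_ACCOUNTS = {
    r"nt authority\system",
    r"nt authority\local service",
    r"nt authority\network service",
}
# Parents from which an interactive user normally starts the editor.
INTERACTIVE_PARENTS = {
    "explorer.exe", "cmd.exe", "powershell.exe", "pwsh.exe",
    "windowsterminal.exe", "code.exe",
}

# Constructed Sysmon Event ID 1 style records; not telemetry from the campaign.
SAMPLE_EVENTS = [
    {   # developer opening the editor normally
        "Image": r"C:\Users\alice\AppData\Local\Programs\Microsoft VS Code\Code.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "User": r"CORP\alice",
    },
    {   # portable copy run as a SYSTEM service through a service wrapper
        "Image": r"C:\ProgramData\Updater\code.exe",
        "ParentImage": r"C:\ProgramData\Updater\winsw.exe",
        "User": r"NT AUTHORITY\SYSTEM",
    },
    {   # portable copy started interactively by a user (unusual, not necessarily hostile)
        "Image": r"D:\VSCode-win32-x64\Code.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "User": r"CORP\alice",
    },
]


def in_standard_location(image_path: str) -> bool:
    low = image_path.lower()
    return any(d in low for d in STANDARD_VSCODE_DIRS)


def analyze_event(event: dict) -> dict:
    """Return the context indicators for one process-creation record."""
    image_name = PureWindowsPath(event["Image"]).name.lower()
    if image_name not in VSCODE_BINARIES:
        return {"severity": "none", "indicators": []}

    indicators = []
    if not in_standard_location(event["Image"]):
        indicators.append("VS Code binary outside standard install directories (portable copy?)")
    if event["User"].lower() in SERVICE_ACCOUNTS:
        indicators.append(f"running as service account {event['User']}")
    parent = PureWindowsPath(event["ParentImage"]).name.lower()
    if parent not in INTERACTIVE_PARENTS:
        # Coarse heuristic: a service wrapper or services.exe as parent means it
        # was not started by a person at a keyboard. Tune the allowlist locally.
        indicators.append(f"launched by non-interactive parent {parent}")

    if not indicators:
        severity = "none"
    elif len(indicators) >= 2:
        severity = "high"
    else:
        severity = "low"
    return {"severity": severity, "indicators": indicators}


def find_suspicious(events: list) -> list:
    """Return (index, analysis) for every record with at least one indicator."""
    hits = []
    for i, ev in enumerate(events):
        result = analyze_event(ev)
        if result["severity"] != "none":
            hits.append((i, result))
    return hits


if __name__ == "__main__":
    for i, result in find_suspicious(SAMPLE_EVENTS):
        print(f"event {i}: {result['severity']}")
        for ind in result["indicators"]:
            print("  -", ind)
```

The second record fires on all three indicators and is rated high; the third fires only on location and is rated low, which keeps a developer who happens to run a portable build from generating the same alert as a SYSTEM-level service wrapping the editor. Fed from a SIEM export of Sysmon Event ID 1 (or Windows Security 4688 with parent and account fields), the same function works unchanged.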
Read the Full Story on Dark Reading