Operation CuckooBees: Notorious Chinese hackers took trillions of dollars from about 30 companies

Researchers have revealed a sophisticated Winnti cyber attack that makes use of Windows systems in a "rarely observed" method.

According to Cybereason, the campaign is being carried out by the Chinese advanced persistent threat (APT) group Winnti, which has gone undiscovered for years.

APT 41, or "Winnti" – which also goes by the affiliate names BARIUM and Blackfly – is one of the most prolific and successful Chinese state-sponsored threat groups, with a history of launching CCP-backed espionage and financially motivated attacks on U.S. and other international targets, which are frequently aligned with China's Five-Year economic development plans.

Cyberattacks targeting video game makers, software vendors, and colleges in Hong Kong have all been linked to the group in the past. When the critical vulnerabilities in Microsoft Exchange Server ProxyLogon were first made public, Winnti, along with other APTs, made use of them.

Watch | Gravitas: How China breached thousands of organisations with one hacking operation

Cybereason said it briefed both the FBI and the US Department of Justice (DoJ) on the APT's campaign, which has been active since 2019 but was just recently identified, in two reports issued on Wednesday.

According to cybersecurity experts, clandestine operations have targeted the networks of technology and manufacturing organisations in Europe, Asia, and North America, with the goal of obtaining valuable private data.

Winnti's "multi-stage infection chain," dubbed "Operation CuckooBees," starts with exploiting weaknesses in enterprise resource planning (ERP) software and the deployment of the Spyder loader. Some of the exploited issues were known, but others were zero-day vulnerabilities, according to the researchers.