Old IT infrastructure housed Chinese spies for months inside US engineering firm
Chinese state-sponsored hackers spent months plundering a global U.S. engineering firm, attempting to steal classified information, blueprints, login credentials and other sensitive data.
An exclusive report from The registerdiscussed the news with John Dwyer, Director of Security Research at Binary Defense, a detection and response firm that was brought in to investigate after the attack was discovered.
The targeted company was not named, but it was described as producing “components for public and private aerospace organizations and other critical industries, including oil and gas.” The hacking collective was also not specifically identified, though researchers said they believed it was Chinese and state-sponsored.
Unmanaged IT
The group gained access to the company’s infrastructure via three unattended AIX servers. These IBM-made servers were running Advanced Interactive eXecutive, a UNIX-based operating system, and apparently still had default credentials. This allowed threat actors to brute force their way in, after which they established persistence and lurked for months. Researchers believe the initial breach occurred in March of this year.
The group’s goal was to gather information that could later likely be used in supply chain attacks. Since the organization makes equipment for critical industries, the risk of critical hardware being destroyed was real.
The victim company had set up endpoint detection and response (EDR) systems. However, these AIX servers were so old that they were not compatible with the EDR and were therefore not monitored. The register described them as “long or nearly forgotten machines,” shadow IT deployments that are often not managed at all.
However, when the scammers attempted to dump the memory of the LSASS process on a Windows server (a “common way to collect credentials,” the publication said), they were discovered and blocked.
Via The register