Security software company McAfee announced on 14 September findings that a “long-term” malware operation was likely aimed at stealing intellectual property, military intelligence and more.
In a deep-dive analysis posted on its website, McAfee set out its findings on Operation “Harvest.” Among the disturbing conclusions:
“From what we observed, the adversary had a long-term intention to stay present in the victim’s network. With high confidence, we believe that the adversary was interested in stealing proprietary intelligence that could be used for military or intellectual property/manufacturing purposes.
“The adversary used several techniques to exfiltrate the data. In some cases, batch (.bat) scripts were created to gather information from certain network shares/folders and use the ‘rar’ tool to compress them to a certain size…”
According to McAfee, the sophisticated attack began with the establishment of a malicious web server presence, used to gather information and gain elevated privileges in the targeted networks.
The attackers used a combination of tools and malware, some of it open source, with names like “Bad Potato.” Another piece of malware, “PlugX,” was identified as establishing a backdoor on Windows machines. The Winnti malware family was also involved.
Who Did It?
The McAfee analysis also posed the question of who did it, calling it the million-dollar question. Given the value of the IP and military secrets involved, a trillion-dollar question might be closer to the mark.
After acknowledging that attribution is not the security company’s main focus, McAfee explained:
“What we do care about is that if we learn about these techniques during an investigation, can we map them out and support our IR team on the ground, or a customer’s IR team, with the knowledge that can help determine which phase of the attack the evidence is pointing to and based on historical data and intelligence, assist in blocking the next phase and discover more evidence?”
McAfee’s deep-dive analysis then explained the facets of its search for the remote actors behind Operation Harvest. The company concluded the source was Beijing, China:
“The identified C2 server was 184.108.40.206 TCP/80.
“Timeline of Events
“When analyzing the timestamps from this investigation, like we did for operation Harvest, we came to the below overview:
“Figure 14 Beijing working hours case 2019/2020
“Again, we observed that the adversary was operating Monday to Friday during office hours in the Beijing time-zone.”
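The working-hours analysis McAfee describes above, shown here as an added illustration that is not McAfee’s code: constructed UTC timestamps of adversary activity are shifted into candidate time zones and scored by how many land in a Monday-to-Friday office day. The 09:00–18:00 window, the candidate zones and the sample timestamps are assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Assumed office window: 09:00-17:59 local time, Monday (0) to Friday (4).
WORK_HOURS = range(9, 18)
WORKDAYS = range(0, 5)

# Candidate zones as fixed UTC offsets (assumption; a real analysis would use
# DST-aware zoneinfo objects, which this function also accepts as tzinfo).
CANDIDATE_ZONES = {
    "Beijing (UTC+8)": timezone(timedelta(hours=8)),
    "Berlin (UTC+1)": timezone(timedelta(hours=1)),
    "New York (UTC-5)": timezone(timedelta(hours=-5)),
}

# Constructed sample: UTC timestamps of observed activity (C2 beacons, file
# modification times, log-in events), not data from the McAfee report.
SAMPLE_EVENTS_UTC = [
    "2020-03-02T01:15:00Z",  # Mon 09:15 Beijing
    "2020-03-02T06:40:00Z",  # Mon 14:40 Beijing
    "2020-03-03T02:05:00Z",  # Tue 10:05 Beijing
    "2020-03-04T08:30:00Z",  # Wed 16:30 Beijing
    "2020-03-05T03:00:00Z",  # Thu 11:00 Beijing
    "2020-03-06T07:45:00Z",  # Fri 15:45 Beijing
    "2020-03-07T03:00:00Z",  # Sat 11:00 Beijing: weekend
    "2020-03-09T14:00:00Z",  # Mon 22:00 Beijing: after hours
]


def parse_utc(ts):
    """Parse an ISO-8601 timestamp with a trailing 'Z' into an aware UTC datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def working_hours_profile(events_utc, tz):
    """Return (share of events inside office hours, Counter of (weekday, hour))
    after converting each event into the candidate time zone."""
    buckets = Counter()
    in_hours = 0
    for ts in events_utc:
        local = parse_utc(ts).astimezone(tz)
        buckets[(local.weekday(), local.hour)] += 1
        if local.weekday() in WORKDAYS and local.hour in WORK_HOURS:
            in_hours += 1
    return in_hours / len(events_utc), buckets


def rank_time_zones(events_utc, candidates=CANDIDATE_ZONES):
    """Rank candidate zones by office-hour share, best fit first."""
    scores = [(working_hours_profile(events_utc, tz)[0], name) for name, tz in candidates.items()]
    return sorted(scores, reverse=True)
```

A high score for one zone is only a weak signal on its own; the report pairs it with tooling and infrastructure overlaps before drawing conclusions.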
The Trends Journal has previously reported on the staggering scale of China’s theft of American intellectual property, as well as various forms of infiltration into every aspect of American society.
Some touchstone articles include “AMERICA DRIFTS TOWARD CHINA’S ‘TECHNO-AUTOCRACY’” (9 Feb 2021), and “CHINA BUSINESS ESPIONAGE NETS $500 BILLION A YEAR” (29 Jun 2021).