McAfee discovers Chinese APT campaign 'Operation Harvest'

McAfee Enterprise found the threat actors had not only breached a company's network, but had spent 'multiple years' siphoning data from the victim before getting caught.

McAfee Enterprise found an advanced group of threat actors who have been able to sit on their victims' network for years without getting spotted.

The security vendor dubbed the newly-discovered advanced persistent threat (APT) campaign  "Operation Harvest." The threat actors are using a mixture of known and new malware packages for their attacks, and McAfee Enterprise said the group is highly experienced and advanced.

Christiaan Beek, lead scientist and senior principal engineer with McAfee Enterprise's office of the CTO, said in a report that his company's incident response team uncovered the campaign during what appeared to be a malware infection on a customer network -- but what turned out to be a long-term intrusion by a suspected Chinese nation-state group.

McAfee found the threat actors were able to gain their initial access to the victim by exploiting a vulnerability in a web access server. With that foothold, the APT campaign then used further privilege escalation exploits to steal credentials and move on to other systems.

"Over the last year we have seen attackers increasingly use initial access vectors beyond spear-phishing, such as compromising remote access systems or supply chains," McAfee researchers noted in a separate blog post. "The exploiting of public-facing vulnerabilities for Initial Access is a technique associated with Operation Harvest and other APT groups to gain entry."

While some of the tools used in the attack were off-the-shelf hacking and system management tools, others, such as the backdoors used to give the attackers persistent access, appear to have been custom-made by or for members of the group.

As the APT campaign's name would suggest, Operation Harvest was only interested in siphoning off data from the victim. The attackers were able to keep quiet and hide their presence for years as they quietly collected valuable data from the network.

We strongly believe that we are dealing with a Chinese actor whose long-term objectives are persistence in their victims' networks and the acquisition of the intelligence needed to make political/strategic or manufacturing decisions.
Christiaan BreekResearcher, McAfee Enterprise

"The exfiltrated data would have either been part of an intellectual property theft for economic purposes and/or would have provided insights that would be beneficial in case of military interventions," Beek explained.

"The adversaries made use of techniques very often observed in this kind of attack but also used distinctive new backdoors or variants of existing malware families. Combining all forensic artifacts and cross-correlation with historical and geopolitical data, we have high confidence that this operation was executed by an experienced APT actor."

Long-term attacks and covert theft of IP and government information are two traits that have long been associated with Chinese state-sponsored attacks. Indeed, Beek believes that the group behind this attack had connections to Beijing.

"Whether we put name 'X' or 'Y' on the adversary," Beek wrote, "we strongly believe that we are dealing with a Chinese actor whose long-term objectives are persistence in their victims' networks and the acquisition of the intelligence needed to make political/strategic or manufacturing decisions."    

Dig Deeper on Threats and vulnerabilities