Hackers Exploiting Visual Studio Code Remote Tunnels


The Operation

A China-nexus cyber espionage group, suspected of orchestrating attacks on large business-to-business IT service providers in Southern Europe, has launched a campaign codenamed Operation Digital Eye.

These intrusions occurred from late June to mid-July 2024, as SentinelLabs (SentinelOne's research arm) and Tinexta Cyber explained in a joint report shared with The Hacker News. The companies detected and neutralized the activity before the adversaries could progress to the data exfiltration phase.

“These intrusions allowed the adversaries to establish strategic footholds and compromise downstream entities,” said security researchers Aleksandar Milenkoski and Luigi Martire.

The researchers revealed that the threat actors abused Visual Studio Code and Microsoft Azure infrastructure for command-and-control (C2) purposes, using tactics that made their malicious activities appear legitimate and difficult to detect.

Although investigators have not identified the specific China-linked hacking group responsible for the attacks, they noted that widespread toolset and infrastructure sharing among East Asian threat actors complicates attribution.

How the Operation Works

Microsoft Visual Studio Code Remote Tunnels play a central role in Operation Digital Eye, as the attackers weaponized this legitimate feature to enable remote access to endpoints. This tactic allowed them to execute arbitrary commands and manipulate files.

By relying on public cloud infrastructure, the state-backed operators make their traffic blend in with ordinary network activity. In addition, they abuse legitimate, signed executables, which application-control and firewall rules typically allow rather than block.

The attack chains observed by the companies used SQL injection as the initial access vector, breaching internet-facing applications and the database servers behind them. To achieve this, the attackers used sqlmap, an open-source penetration-testing tool that automates the detection and exploitation of SQL injection flaws.
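The class of flaw sqlmap hunts for is a query that splices request input into SQL text. The following is an added illustration, not code from the report or from any targeted application: a constructed in-memory SQLite catalogue, a vulnerable search function next to its parameterized fix, and a hand-written boolean tautology of the kind sqlmap's detection phase probes with. The table, rows and function names are assumptions made for the example.

```python
import sqlite3

# Constructed sample catalogue standing in for an internet-facing application's
# database; this data and the queries below are an added illustration, not code
# from the report or from the targeted applications.
SAMPLE_ROWS = [
    (1, "public-widget", 1),
    (2, "internal-memo", 0),
    (3, "admin-notes", 0),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER, name TEXT, public INTEGER)")
    conn.executemany("INSERT INTO items VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def search_vulnerable(conn, term):
    # Vulnerable pattern: user input spliced into the SQL text. The intended
    # 'public = 1' restriction can be cancelled by whatever the attacker sends,
    # because AND binds tighter than the injected OR.
    sql = f"SELECT name FROM items WHERE public = 1 AND name LIKE '%{term}%'"
    return [row[0] for row in conn.execute(sql)]


def search_hardened(conn, term):
    # Hardened: the same query with a bound parameter. The driver passes the
    # input as a value, so quotes, OR and comment markers never reach the parser.
    sql = "SELECT name FROM items WHERE public = 1 AND name LIKE ?"
    return [row[0] for row in conn.execute(sql, (f"%{term}%",))]


# A boolean tautology of the kind sqlmap's detection phase probes with
# (hand-written for this example, not copied from sqlmap's payload lists).
TAUTOLOGY = "x%' OR '1'='1' -- "

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, normal term :", search_vulnerable(db, "widget"))
    print("vulnerable, tautology   :", search_vulnerable(db, TAUTOLOGY))
    print("hardened, tautology     :", search_hardened(db, TAUTOLOGY))
```

With the tautology, the vulnerable query returns every row including the non-public ones, which is exactly the kind of boolean difference sqlmap uses to confirm injectability before moving on to data extraction; the parameterized version returns nothing. Note that sqlmap's default User-Agent string identifies the tool, but that is trivially changed with its --random-agent option, so server-side parameterization rather than log-based blocking is the fix.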

Once inside, the attackers deployed PHPsert, a PHP-based web shell, to maintain a foothold and persistent remote access. They then carried out reconnaissance, harvested credentials, and moved laterally across systems using Remote Desktop Protocol (RDP) and pass-the-hash techniques.

For pass-the-hash attacks, the researchers confirmed that the adversaries employed a custom-modified version of Mimikatz. The tool lets them start processes in a user's security context using only that user's NTLM hash, so the plaintext password is never needed.


Substantial overlaps in source code strongly indicate that this bespoke Mimikatz build shares an origin with those used in suspected Chinese cyber-espionage activity, including Operation Soft Cell and Operation Tainted Love.


The researchers collectively refer to these custom Mimikatz modifications as mimCN, noting shared code-signing certificates and distinctive features such as custom error messages and obfuscation techniques.

“The long-term evolution and versioning of mimCN samples, combined with features such as instructions intended for a separate team of operators, point to the involvement of a shared vendor or digital quartermaster actively maintaining and provisioning these tools,” the researchers stated.

They added that this role within the Chinese APT ecosystem, further corroborated by the I-Soon leak, likely serves as a critical component in supporting China-nexus cyber espionage operations.

Notably, the attackers relied on SSH and Visual Studio Code Remote Tunnels for remote command execution. They authenticated and connected to the tunnels using GitHub accounts, enabling access to compromised endpoints via the browser-based version of Visual Studio Code (vscode[.]dev).

It remains unclear, however, whether the threat actors used freshly self-registered or already compromised GitHub accounts for authentication.
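The tunnel abuse described here, and in the section on how the operation works, rests on a documented feature: the VS Code CLI starts a tunnel with `code tunnel`, can register itself as a service with `code tunnel service install`, accepts the server licence non-interactively with `--accept-server-license-terms`, and relays through Microsoft's `*.tunnels.api.visualstudio.com` and `*.devtunnels.ms` endpoints. Those are the facts a detection can lean on. The script below is an added hunting example, not code from the report or from SentinelLabs; it assumes a hypothetical EDR export of process-creation and DNS events with the field names shown, and every event in it is constructed. It flags tunnel starts even when the binary has been renamed, scores a start that was spawned by a web-server worker (the web-shell case) higher, and then singles out hosts that show both a tunnel start and tunnel-relay DNS.

```python
import shlex
from os.path import basename

# Constructed telemetry (process-creation and DNS events as an EDR might export
# them); none of it is taken from the report. Field names are an assumption.
SAMPLE_EVENTS = [
    {"type": "process", "host": "WS01",
     "image": r"C:\Users\Public\code.exe",
     "cmdline": r"C:\Users\Public\code.exe tunnel --accept-server-license-terms --name ws01",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"type": "process", "host": "DEV07",
     "image": r"C:\Users\alice\AppData\Local\Programs\Microsoft VS Code\Code.exe",
     "cmdline": r'"C:\Users\alice\AppData\Local\Programs\Microsoft VS Code\Code.exe" C:\src\app',
     "parent": r"C:\Windows\explorer.exe"},
    {"type": "process", "host": "SRV-WEB02",
     "image": r"C:\ProgramData\svc\update.exe",
     "cmdline": r"update.exe tunnel service install --accept-server-license-terms --name srv-web02",
     "parent": r"C:\php\php-cgi.exe"},
    {"type": "dns", "host": "WS01", "query": "global.rel.tunnels.api.visualstudio.com"},
    {"type": "dns", "host": "WS03", "query": "update.code.visualstudio.com"},
    {"type": "dns", "host": "DEV07", "query": "abc123-8080.euw.devtunnels.ms"},
]

# Relay domains documented for VS Code Remote Tunnels / dev tunnels.
TUNNEL_DOMAINS = (".tunnels.api.visualstudio.com", ".devtunnels.ms")
VSCODE_BINARIES = {"code.exe", "code", "code-tunnel.exe"}
# Server-side workers that a web shell would typically spawn children from.
WEB_WORKERS = {"w3wp.exe", "php-cgi.exe", "php-fpm", "httpd.exe", "nginx.exe"}


def _base(path):
    # os.path.basename on Linux does not split on backslashes, so normalise first.
    return basename(path.replace("\\", "/")).lower()


def process_indicators(ev):
    """Return the reasons a process-creation event looks like a tunnel start."""
    try:
        argv = shlex.split(ev["cmdline"], posix=False)
    except ValueError:
        argv = ev["cmdline"].split()
    args = [a.strip('"').lower() for a in argv[1:]]
    if "tunnel" not in args:
        return []
    is_vscode = _base(ev["image"]) in VSCODE_BINARIES
    license_flag = "--accept-server-license-terms" in args
    # A bare 'tunnel' argument alone is too generic (other tunnelling CLIs use
    # it); require either the VS Code binary or its licence-acceptance flag.
    if not (is_vscode or license_flag):
        return []
    reasons = ["vscode_cli_tunnel" if is_vscode else "vscode_tunnel_flags_from_renamed_binary"]
    if license_flag:
        reasons.append("noninteractive_license_accept")
    if "service" in args and "install" in args:
        reasons.append("tunnel_service_install")
    if _base(ev.get("parent", "")) in WEB_WORKERS:
        reasons.append("spawned_by_web_server_worker")
    return reasons


def dns_indicator(ev):
    """True for lookups of the tunnel relay domains or the browser client."""
    q = ev["query"].lower().rstrip(".")
    return q.endswith(TUNNEL_DOMAINS) or q == "vscode.dev"


def hunt_tunnels(events):
    """Return (host, kind, detail) findings over a batch of events."""
    findings = []
    for ev in events:
        if ev["type"] == "process":
            reasons = process_indicators(ev)
            if reasons:
                findings.append((ev["host"], "process", ",".join(reasons)))
        elif ev["type"] == "dns" and dns_indicator(ev):
            findings.append((ev["host"], "dns", ev["query"]))
    return findings


def hosts_with_process_and_dns(findings):
    """Hosts showing both a tunnel start and relay DNS: the strongest signal."""
    by_host = {}
    for host, kind, _ in findings:
        by_host.setdefault(host, set()).add(kind)
    return sorted(h for h, kinds in by_host.items() if {"process", "dns"} <= kinds)


if __name__ == "__main__":
    found = hunt_tunnels(SAMPLE_EVENTS)
    for f in found:
        print(f)
    print("process+dns on:", hosts_with_process_and_dns(found))
```

On the constructed data WS01 is the host to triage first (a tunnel started from a binary dropped in C:\Users\Public, then relay DNS), SRV-WEB02 is a tunnel installed as a service from a renamed binary under a PHP worker, and DEV07 is a developer launching the editor normally and resolving a dev tunnel, which is the legitimate use this feature exists for. That last case is the caveat: tunnels are not malicious per se, so the follow-up is to confirm which GitHub (or Microsoft) account the tunnel is bound to and whether it belongs to the organisation, and, where the feature is not needed, to block the relay domains at the egress and the `code tunnel` command line via application control.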

Beyond mimCN, additional evidence points to Chinese involvement. This includes Simplified Chinese comments in PHPsert, the use of infrastructure from Romanian hosting provider M247, and the deployment of Visual Studio Code as a backdoor, a tactic previously linked to the Mustang Panda actor.

The investigation also revealed that the operators were most active in the targeted organizations’ networks during standard working hours in China, primarily between 9 a.m. and 9 p.m. CST.

“The campaign highlights the strategic nature of this threat,” the researchers explained. “By targeting organizations that provide data, infrastructure, and cybersecurity solutions to other industries, the attackers gain a foothold in the digital supply chain, extending their reach to downstream entities.”

Moreover, the abuse of Visual Studio Code Remote Tunnels in this campaign exemplifies how Chinese APT groups adopt practical, solution-driven tactics to avoid detection. By leveraging a trusted development tool and its cloud infrastructure, the threat actors disguised their malicious activity as legitimate operations.

 


Source: TheHackerNews
