A yearslong malicious cyber operation spearheaded by the notorious Chinese state actor, APT 41, has siphoned off an estimated trillions in intellectual property theft from approximately 30 multinational companies within the manufacturing, energy and pharmaceutical sectors.
A new report by Boston-based cybersecurity firm, Cybereason, has unearthed a malicious campaign — dubbed Operation CuckooBees — exfiltrating hundreds of gigabytes of intellectual property and sensitive data, including blueprints, diagrams, formulas, and manufacturing-related proprietary data from multiple intrusions, spanning technology and manufacturing companies in North America, Europe, and Asia.
“We’re talking about Blueprint diagrams of fighter jets, helicopters, and missiles,” Cybereason CEO Lior Div told CBS News. In pharmaceuticals, “we saw them stealing IP of drugs around diabetes, obesity, depression.” The campaign has not yet been stopped.
Cybercriminals were focused on obtaining blueprints for cutting-edge technologies, the majority of which were not yet patented, Div said.
The intrusion also exfiltrated data from the energy industry – including designs of solar panel and edge vacuum system technology. “This is not [technology] that you have at home,” Div noted. “It’s what you need for large-scale manufacturing plants.”
The report doesn’t disclose a list of affected companies, but researchers found the cyber espionage campaign — which had been operating undetected since at least early 2019 — collected information that could be used for future cyberattacks or for potential extortion campaigns — details about companies’ business units, network architecture, user accounts and credentials, employee emails and customer data.
Cybereason first caught wind of the operation in April of 2021, after a company flagged a potential intrusion during a business pitch meeting with the cybersecurity firm. Analysts reverse engineered the attack to uncover every step malicious actors took inside the environment, discovering APT 41 “maintained full access to everything in the network in order for them to pick and choose the right information that they needed to collect.”
That full access enabled cybercriminals to exfiltrate tedious amounts of information required to duplicate complicated engineering, including rocket propelled weapons. “For example, to rebuild a missile there are hundreds of pieces of information that you need to steal in a specific way in order to be able to recreate and rebuild that technology,” Div said.
APT 41 or “Winnti” – which also goes by affiliate names BARIUM and Blackfly – remains one of the most prolific and successful a Chinese state-sponsored threat groups, with a history of launching CCP backed espionage activity and financially motivated attacks on U.S. and other international targets, routinely aligned with China’s Five-Year economic development plans.
In May 2021, the Justice Department charged four Chinese nationals connected to APT 41 for their participation in a global computer intrusion campaign targeting intellectual property and sensitive business information.
The FBI estimated in its report that the annual cost to the U.S. economy of counterfeit goods, pirated software, and theft of trade secrets is between $225 billion and $600 billion.
But researchers from Cybereason say it is hard to estimate the exact economic impact of Operation CuckooBees due to the complexity, stealth and sophistication of the attacks, as well as the long-term impact of robbing multi-national companies of research and development building blocks.
“It’s important to account for the full supply chain – basically selling a developed product in the future, and all the derivatives that you’re gonna get out of it,” Div said.
“In our assessment, we believe that we’re talking about trillions, not billions,” Div added. “The real impact is something we’re going to see in five years from now, ten years for now, when we think that we have the upper hand on pharmaceutical, energy, and defense technologies. And we’re going to look at China and say, how did they bridge the gap so quickly without the engineers and resources?”
Cybersecurity firms including Eset Research have previously detailed supply chain attacks carried out by APT 41. In August 2019, Mandiant released a report detailing the evolution of the group’s tactics, and techniques, as well as descriptions of individual criminal actors.
According to Cybereason’s report, the APT group leveraged both known and previously undocumented malware exploits, using “digitally signed kernel-level rootkits as well as an elaborate multi-stage infection chain,” comprising six parts. That clandestine playbook helped criminals gain unauthorized control of computer systems while remaining undetected for years.
The FBI has consistently warned that China poses the largest counterintelligence threat to the U.S.
“[China has] a bigger hacking program than that of every other major nation combined. And their biggest target is, of course, the United States,” FBI Director Christopher Wray said Friday, during a public forum at the McCain Institute.
The CCP continues to increase its theft of U.S. technology and intellectual property by conducting illicit economic activities, according to the latest annual survey by the Office of the U.S. Trade Representative.
Wray says the FBI opens a new China counterintelligence investigation every12 hours. Last year, the U.S. government attributed a massive attack targeting Microsoft Exchange servers to the Chinese state actors.
“Across the Chinese state, in pretty much every major city, they have thousands of either Chinese government or Chinese government-contracted hackers who spend all day – with a lot of funding and very sophisticated tools – trying to figure out how to hack into companies networks… to try to steal their trade secrets,” Wray noted.