An unspecified large U.S. organization with a significant presence in China was the victim of a four-month-long targeted intelligence-gathering attack that was likely carried out by a China-based threat actor.
Symantec researchers said in a Dec. 5 post that they believed the attacker was based in China because some of the tools used in the attack, such as DLL side-loading, Impacket, and various living-off-the-land techniques, have been used in the past by Chinese threat actors.
According to the Symantec researchers, while it’s possible that the actual network intrusion took place much earlier, the first evidence of the threat actor’s activity dates from April of this year, and the activity continued until August 2024.
During the four-month period, the attackers moved laterally across the U.S. organization’s network, compromising multiple computers, said the researchers. Some of the computers attacked were Exchange Servers, suggesting that the attackers aimed to gather intelligence by harvesting emails. The attackers also used exfiltration tools, which pointed to the threat actors stealing sensitive data.
The extended duration of this attack highlights a concerning pattern in which threat actors methodically gather intelligence and establish persistent access, potentially creating opportunities for future targeted phishing campaigns or sophisticated social-engineering attacks, said Stephen Kowski, Field CTO at SlashNext Email Security.
Kowski said the combination of DLL side-loading techniques with legitimate tools demonstrates how modern attackers blend sophisticated tradecraft with everyday business applications to avoid detection. The focus on Exchange servers and email harvesting suggested a strategic intelligence-gathering operation aimed at understanding business relationships, internal communications, and potential leverage points, said Kowski.
“Companies with international operations need robust email security that can detect and block sophisticated phishing attempts and continuous monitoring for unusual lateral movement patterns that could indicate compromised credentials or systems being used as staging grounds for future attacks,” added Kowski.
Callie Guenther, senior manager of cyber threat research at Critical Start, said the attack reflected common Chinese APT tactics, including DLL side-loading and living-off-the-land techniques like WMI and PowerShell, which allow for stealth and persistence.
Guenther, an SC Media columnist, said that targeting Exchange Servers indicated a focus on email harvesting, likely for espionage purposes, such as collecting intellectual property or strategic communications. Guenther added that other tools used, such as FileZilla and Impacket, show a mix of widely available utilities and custom malware that complicates attribution.
“A four-month dwell time suggests either gaps in detection capabilities or deliberate attacker patience,” said Guenther. “The initial access vector remains unknown, but may involve spear-phishing, supply chain compromise, or exploitation of vulnerabilities.”
Evan Dornbush, a former NSA cybersecurity expert, said it will be interesting to see what action the victim company takes.
“Recall in 2010 after Operation Aurora was disclosed, Google scaled back its operations in China, added encryption and zero-trust mechanisms to its systems, and invested more heavily into its Threat Analysis Group (TAG), specifically to investigate state-sponsored activities,” said Dornbush.