During an investigation, Cybereason discovered that the Winnti Group conducted Operation CuckooBees undetected since at least 2019, likely siphoning thousands of gigabytes of intellectual property and sensitive proprietary data from dozens of companies.

Winnti Group (APT 41) is a global cyber espionage campaign that targets manufacturers across North America, Europe and Asia in the Defense, Energy, Aerospace, Biotech and Pharma industries. The group has existed since at least 2010 and is believed to be operating on behalf of Chinese state interests and specializes in cyber espionage and intellectual property theft.

This is one of the largest IP theft campaigns coming from China.

“Operation Cuckoo Bees research is the culmination of a 12-month investigation that highlights the intricate and extensive efforts of the Chinese state-sponsored Winnti Group (APT 41) to abscond with proprietary information from dozens of global organizations. The most alarming revelation is that the companies weren’t aware they were breached, going some as far back as at least 2019, giving Winnti free unfiltered access to intellectual property, blueprints, sensitive diagrams and other proprietary data,” said Lior Div, Cybereason CEO and Co-founder.

Operation CuckooBees Key Findings include:

• Newly Discovered Malware and Multi-Stage Infection Chain: The research examines both known and previously undocumented Winnti malware, which included digitally signed, kernel-level rootkits and an elaborate multi-stage infection chain that enabled the operation to remain undetected since at least 2019.
• The Winnti Playbook: This research offers a unique glimpse into the Winnti intrusion playbook, detailing the most frequently used tactics and some lesser-known evasive techniques observed during the investigation.
• Discovery of New Malware in the Winnti Arsenal: The reports expose a previously undocumented malware strain called DEPLOYLOG used by the Winnti APT group and highlight new versions of known Winnti malware, including Spyder Loader, PRIVATELOG, and WINNKIT. 
• Rarely Seen Abuse of the Windows CLFS Feature: The attackers leveraged the Windows CLFS mechanism and NTFS transaction manipulations, which allowed them to conceal their payloads and evade detection by traditional security products.
• Intricate and Interdependent Payload Delivery: The reports include an analysis of the complex infection chain that led to the deployment of the WINNKIT rootkit composed of multiple interdependent components. The attackers implemented a delicate “house of cards” approach, where each component depends on the others to execute properly, making it very difficult to analyze each component separately.

Intellectual property rights are essential to the global economy. Patents, copyrights, and trademarks are respected and enforced around the world because nations recognize that innovative concepts and the effort that goes into research and development and bringing them to market deserves to be rewarded.

When intellectual property is stolen, it undermines the economy and forces the originator to compete against their own innovation, Cybereason says. While it can be hard to determine the exact economic impact of intellectual property theft, the practice is exceptionally costly and may have repercussions for years to come. 

Cybereason published two reports, the first examining the tactics and techniques of the overall campaign and the second providing a detailed analysis of the malware and exploits used.