A suspected China-linked cyber espionage group has been tied to a series of attacks on major IT service providers in Southern Europe. Tracked as “Operation Digital Eye,” the campaign ran between late June and mid-July 2024. According to SentinelOne and Tinexta Cyber, the intrusions were detected and contained before any data was exfiltrated.
The attackers abused legitimate tools and services, including Visual Studio Code and Microsoft Azure infrastructure, for command-and-control. Because that traffic goes to trusted Microsoft-owned endpoints over TLS, it blends in with ordinary developer and cloud activity and is hard to separate from benign use. Since the targets were IT service providers, a foothold in their networks also put the providers’ downstream customers at risk.
Initial access came through SQL injection flaws in internet-facing applications and database servers. The attackers used SQLmap, an open-source penetration testing tool, to find and exploit these flaws automatically. Once in, they deployed a PHP-based web shell, PHPsert, which gave them persistent access and a launch point for reconnaissance, credential theft, and lateral movement.
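The access path described above leaves traces in the web server’s own logs: SQLmap announces itself in its default User-Agent unless the operator overrides it, its payloads are recognisable once URL-decoded, and a web shell is usually driven by POST requests to a PHP file the application never served before. The following triage script is an added illustration, not tooling from SentinelOne, Tinexta Cyber, or the report itself; the log lines are constructed, and the indicator lists are assumptions to tune per application.

```python
"""Triage Apache/Nginx combined-format access logs for SQLmap activity and
follow-on web-shell use. Added example with constructed log lines; the
indicator patterns are assumptions, not signatures from the original report."""
import re
from urllib.parse import unquote_plus

# Combined log format: ip ident user [ts] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Classic SQL injection fragments, matched after URL-decoding the request path.
SQLI_PATTERNS = [
    re.compile(p, re.IGNORECASE) for p in (
        r"\bunion\b.{0,40}\bselect\b",          # union-based extraction
        r"\b(and|or)\b\s+\d+\s*=\s*\d+",        # boolean-based probes (AND 1=1)
        r"\b(sleep|benchmark|pg_sleep)\s*\(",   # time-based probes
        r"\bwaitfor\s+delay\b",                 # time-based probes (MSSQL)
        r"\binformation_schema\b",              # schema enumeration
        r"'\s*(--|#|/\*)",                      # quote followed by a comment
    )
]

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(entry):
    """Return the list of reasons this request looks suspicious (empty if none)."""
    reasons = []
    # SQLmap's default User-Agent contains "sqlmap/"; --random-agent hides it,
    # so treat this as a cheap hit, not as the only check.
    if "sqlmap" in entry["ua"].lower():
        reasons.append("sqlmap user-agent")
    decoded = unquote_plus(entry["path"])
    if any(p.search(decoded) for p in SQLI_PATTERNS):
        reasons.append("sqli payload")
    # Assumption: this application stores user uploads under /uploads/ and never
    # executes PHP from there, so a POST to a .php file there is a web-shell tell.
    if entry["method"] == "POST" and re.search(r"/uploads?/.*\.php", decoded, re.I):
        reasons.append("post to php under upload dir")
    return reasons

def triage(lines):
    """Map source IP -> [(request path, reasons)] for every line with a hit."""
    hits = {}
    for line in lines:
        entry = parse_line(line)
        if not entry:
            continue
        reasons = classify(entry)
        if reasons:
            hits.setdefault(entry["ip"], []).append((entry["path"], reasons))
    return hits

# Constructed sample log (documentation IP ranges, fictional paths).
SAMPLE_LOG = [
    '203.0.113.7 - - [30/Jun/2024:10:12:01 +0200] "GET /app/item.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [30/Jun/2024:10:12:03 +0200] "GET /app/item.php?id=1%27%20AND%201%3D1--%20 HTTP/1.1" 200 512 "-" "sqlmap/1.8#stable (https://sqlmap.org)"',
    '203.0.113.7 - - [30/Jun/2024:10:12:05 +0200] "GET /app/item.php?id=1%20UNION%20ALL%20SELECT%20NULL,NULL HTTP/1.1" 500 221 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [30/Jun/2024:10:14:40 +0200] "POST /uploads/cache.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [30/Jun/2024:10:15:00 +0200] "GET /app/item.php?id=42 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, requests in triage(SAMPLE_LOG).items():
        for path, reasons in requests:
            print(ip, path, ", ".join(reasons))
```

The third sample line is the one worth noticing: the User-Agent is ordinary, so only the decoded payload gives it away, which is why the UA check alone is not enough. Sequencing matters too; a burst of injection probes from one IP followed minutes later by POSTs to a new PHP file is the pattern this campaign left, and correlating by source IP (as `triage` does) is what turns two weak signals into a usable alert.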
One of their key tools was a custom-modified Mimikatz variant that the researchers track as “mimCN,” used for pass-the-hash attacks. Its modifications, including code-signing certificates and obfuscation shared with samples from other Chinese espionage campaigns, tie it to that wider tooling. Chinese-language comments in the attackers’ scripts and activity aligned with Chinese working hours further support the attribution.
The attackers also abused Visual Studio Code Remote Tunnels to run commands on compromised systems. They authenticated the tunnels with GitHub accounts, so the resulting sessions rode on infrastructure that defenders generally trust and rarely block. The choice of a mainstream development tool over custom malware is what made this approach both low-effort for the attackers and hard to spot for defenders.