Chinese State-Sponsored Cyber Spies Roam Company’s Network for 4 Months!
Chinese state-backed cyber spies infiltrated the network of a global engineering firm by logging into the admin portal of one of the company’s IBM AIX servers with default credentials. The attackers then remained inside the network for a full four months. Investigations are ongoing to determine the extent of the damage and the identity of those responsible.
Chinese Spies Achieve the Impossible!
John Dwyer, Director of Security Research at Binary Defense, revealed in an exclusive interview with The Register that the attackers first breached one of the unmanaged AIX servers of the U.S.-based manufacturer in March. The spies lingered in the company’s IT infrastructure for four months, attempting to gain control over more systems.
This breach is a wake-up call for companies with outdated or neglected devices still connected to their networks. Such unmanaged devices, often referred to as “Shadow IT,” fall outside routine patching and monitoring and therefore make ideal entry points for attackers. Although the company’s name hasn’t been disclosed, it is known to manufacture components for critical industries, including public and private aviation organizations. The attack is believed to be the work of an espionage team associated with the People’s Republic of China, with intelligence collection and design theft as its goals.
Attacks this early in the supply chain can let adversaries tamper with designs or components before they ever reach production. This year, the U.S. government issued multiple security alerts about China’s cyber espionage units, including groups such as APT40 and Volt Typhoon.
The company detected the breach in August, informed local and federal security agencies, and took steps to mitigate the impact. Binary Defense also joined the investigation. Because the company’s security tooling could not run on the aging AIX systems, the intrusion went undetected for months.
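The practical lesson of the two paragraphs above is that an attacker only needs one box nobody is watching. The script below is an added example (it is not code from Binary Defense, The Register, or the affected company) of the kind of reconciliation check that surfaces such boxes: it compares a managed-asset inventory against hosts actually seen on the wire and flags anything that is either absent from the inventory or listed without endpoint-security coverage, raising the priority when the host also exposes an administrative service. Both CSV exports, the column names, and the `ADMIN_PORTS` set are constructed for illustration.

```python
"""Reconcile an asset inventory against hosts observed on the network.

Added example, not from the original article. Flags:
  * hosts seen in telemetry but missing from the managed inventory
    (candidate "shadow IT"), and
  * inventoried hosts with no EDR/agent coverage,
and marks findings "high" when the host also exposes an admin service.
All sample data below is constructed; column names are assumptions.
"""
import csv
import io
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: CMDB export of managed assets.
INVENTORY_CSV = """hostname,ip,os,owner,edr_installed
erp01,10.10.1.5,AIX 7.2,finance,no
web01,10.10.2.10,RHEL 9,platform,yes
ws-0412,10.10.5.33,Windows 11,eng,yes
"""

# Constructed sample: hosts seen via DHCP/ARP/NetFlow plus a port sweep.
OBSERVED_CSV = """ip,first_seen,last_seen,open_ports
10.10.1.5,2024-03-01,2024-03-07,22;443
10.10.2.10,2024-03-01,2024-03-07,443
10.10.5.33,2024-03-02,2024-03-07,
10.10.1.9,2024-03-04,2024-03-07,22;80;8443
"""

# Assumed set of ports that usually front an administrative interface.
ADMIN_PORTS = {22, 23, 3389, 5900, 8443}


@dataclass
class Finding:
    ip: str
    hostname: Optional[str]
    reason: str
    open_ports: list = field(default_factory=list)

    @property
    def priority(self) -> str:
        # Unwatched host + exposed admin service = the scenario in the article.
        return "high" if ADMIN_PORTS & set(self.open_ports) else "medium"


def parse_inventory(text: str) -> dict:
    """Index the inventory export by IP address."""
    return {row["ip"]: row for row in csv.DictReader(io.StringIO(text))}


def parse_observed(text: str) -> list:
    """Parse observed hosts; open_ports is a ';'-separated list, possibly empty."""
    hosts = []
    for row in csv.DictReader(io.StringIO(text)):
        ports = [int(p) for p in row["open_ports"].split(";") if p]
        hosts.append({**row, "open_ports": ports})
    return hosts


def reconcile(inventory: dict, observed: list) -> list:
    """Return findings for unmanaged or uncovered hosts seen on the network."""
    findings = []
    for host in observed:
        entry = inventory.get(host["ip"])
        if entry is None:
            findings.append(Finding(host["ip"], None,
                                    "not in inventory (possible shadow IT)",
                                    host["open_ports"]))
        elif entry["edr_installed"].strip().lower() != "yes":
            findings.append(Finding(host["ip"], entry["hostname"],
                                    f"no EDR coverage ({entry['os']})",
                                    host["open_ports"]))
    return findings


def run_report(inventory_csv: str = INVENTORY_CSV, observed_csv: str = OBSERVED_CSV) -> list:
    findings = reconcile(parse_inventory(inventory_csv), parse_observed(observed_csv))
    for f in sorted(findings, key=lambda f: f.priority):
        print(f"[{f.priority:6}] {f.ip:12} {f.hostname or '<unknown>':10} {f.reason}")
    return findings


if __name__ == "__main__":
    run_report()
```

On the constructed data the AIX host shows up as inventoried but uncovered with SSH exposed, and 10.10.1.9 shows up as an unknown host with SSH and an HTTPS admin port open; both are rated high. Running this against real DHCP, ARP, or flow exports on a schedule turns "we did not know that server was there" into a ticket before an attacker finds it first.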
After gaining initial access, the attackers established persistent remote access across the entire network. Their goal is suspected to be intellectual property theft and disruption of the supply chain.
Dwyer stated that the attackers did not abandon their mission, with a fresh attack from the same group occurring the very next day. He noted that when attackers find their target valuable, they tend to return repeatedly, and these threats are becoming more sophisticated.
Binary Defense is expected to release a comprehensive report on this cyberattack soon.