SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers

Chinese APT group linked to cyber attack on US defence firm

Today

ReliaQuest has released a detailed account of a cyber intrusion targeting a US-based defence technology company, with evidence pointing to the involvement of a Chinese advanced persistent threat (APT) group.

The intrusion, which took place in February 2025, combined several techniques to gain and keep access to the target network while evading detection, with the apparent aim of stealing intellectual property related to defence technologies.

ReliaQuest states that the attack "showcased advanced techniques and technical expertise, including re-compromising the network after being removed. The attackers exploited multiple vulnerabilities, leveraged stealthy evasion techniques, and maintained persistence through custom tools and web shells."

Analysis of the attack suggested it was espionage-motivated, with operational, linguistic, and technical clues consistent with tactics associated with China-backed actors. According to ReliaQuest's report, "the adversary's stealth, strategic targets, operational timing, and technical sophistication all point to a nation-state actor. The attack's likely focus on stealing defense and engineering intellectual property (IP) aligns with China's well-documented goals of bolstering military strength and technological dominance through espionage."

One of the key technical indicators cited was the breakout time—the period between the initial breach and lateral movement. "In our Annual Threat Report, we recorded an average breakout time—the time it takes attackers to move from initial access to lateral movement—of 48 minutes. In this attack, with a breakout time of 21 hours, the APT group's slower, methodical pace likely indicates a focus on evading detection over speed, a common calling card of nation-state-associated threat actors," the report explained.

The timing of attack activities—between 7:00 and 18:00 UTC—was in line with working hours typical in China, according to ReliaQuest. Further, the attackers sought "comprehensive backup files from Secure File Transfer Protocol (SFTP) servers that would yield access to defence technology blueprints and electrical design frameworks, aligning seamlessly with China's 14th Five-Year Plan to achieve technological self-sufficiency and advance military modernization."

ReliaQuest noted that "language markers in malicious scripts can be used to mislead investigators, [but] their presence in this attack is a relevant but inconclusive indicator on its own of Chinese actor involvement."

The attackers used multiple vulnerabilities to gain an initial foothold, first targeting SharePoint servers and then exploiting unpatched Ivanti Pulse Secure appliances. Attackers made use of residential proxies to mask the origin of their traffic and employed both custom-built and legitimate binaries for persistence and stealth.

The report detailed, "the attackers exploited multiple vulnerabilities for initial access and used advanced evasion tactics like disabling monitoring systems, wiping logs, and using custom tools and legitimate binaries (LOLbins) to stay under the radar. They maintained persistence with custom Dynamic Link Library (DLL) files designed to bypass conventional defenses and remain undetected."

The attackers first entered the network through an exploited SharePoint vulnerability and brute-forced service accounts; after briefly losing that access, they re-entered by compromising internet-facing Ivanti devices with known, unpatched vulnerabilities. "End-of-life, unpatched Ivanti devices left the environment unprotected against new vulnerabilities. Abusing these weaknesses and compromising service accounts yielded extensive access, with the repeated intrusions highlighting the adversary's laser focus," ReliaQuest stated.

Once inside, the attackers moved laterally over Server Message Block (SMB) shares and Remote Desktop Protocol (RDP). They created named pipes, attempted numerous RDP connections, and manipulated processes over HTTPS to deploy web shells. The SFTP server holding the sensitive data was the main target, and the attackers worked to keep persistent access to it by several means, including planting files that impersonated legitimate Globalscape SFTP software components to establish a covert backdoor.

"On the SFTP server, the attacker identified the use of Globalscape, SFTP software that provides secure and automated data transfer capabilities, and impersonated legitimate Globalscape files to establish a backdoor. They utilized the program's files and paths to blend their actions in with standard Globalscape operating functions," ReliaQuest reported. They refined their persistence mechanisms with crafted POST requests to seemingly benign files, allowing remote access without authentication.
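The persistence mechanism described above, a backdoor reached through POST requests to files that look benign, leaves a recognisable trace in web server logs: POST requests, often unauthenticated, to resources that should only ever be served statically. The following is an added example of that detection logic, not ReliaQuest's tooling or anything from the report. It runs over a constructed, simplified IIS-style W3C log; the hostnames, paths, IP addresses and usernames are invented for illustration.

```python
"""Flag POST requests to files that should never accept one.

Added example, not ReliaQuest's tooling or the page's own code: a minimal
detector run over constructed IIS-style W3C log lines (simplified field set).
Hostnames, paths, IPs and usernames are invented for illustration.
"""
import os
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Extensions that serve static content.  A POST to one of these that gets a
# success response is a classic web-shell masquerade: the file name looks
# harmless, but server-side code is answering the request.
STATIC_EXTENSIONS = {".gif", ".png", ".jpg", ".css", ".js", ".txt", ".ico"}

# Constructed sample log.  Fields (simplified W3C layout):
#   date time c-ip cs-method cs-uri-stem sc-status cs-username
SAMPLE_LOG = """\
2025-02-12 08:14:03 203.0.113.7 GET /sites/eng/default.aspx 200 CORP\\jdoe
2025-02-12 08:14:09 203.0.113.7 POST /sites/eng/_layouts/15/listform.aspx 200 CORP\\jdoe
2025-02-12 09:02:41 198.51.100.23 POST /images/logo.gif 200 -
2025-02-12 09:02:42 198.51.100.23 POST /images/logo.gif 200 -
2025-02-12 09:03:10 198.51.100.23 POST /images/logo.gif 200 -
2025-02-12 09:30:55 192.0.2.44 GET /images/logo.gif 200 -
2025-02-12 10:11:02 198.51.100.23 POST /help/readme.txt 404 -
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+)$")


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not
    match the expected layout (comments, headers, truncated records)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    date, time, ip, method, uri, status, user = m.groups()
    return {
        "when": f"{date} {time}",
        "ip": ip,
        "method": method.upper(),
        "path": urlsplit(uri).path,   # drop any query string before checking the extension
        "status": int(status),
        "user": user,                 # "-" means the request was not authenticated
    }


def find_suspicious_posts(log_text, static_exts=STATIC_EXTENSIONS):
    """Return one finding per (source IP, path) where a POST to a static-looking
    file succeeded (status < 400).  Failed requests are ignored: a 404 means
    nothing answered, so there is no backdoor behind that path."""
    hits = defaultdict(list)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["method"] != "POST" or rec["status"] >= 400:
            continue
        ext = os.path.splitext(rec["path"])[1].lower()
        if ext in static_exts:
            hits[(rec["ip"], rec["path"])].append(rec)

    findings = []
    for (ip, path), recs in hits.items():
        findings.append({
            "ip": ip,
            "path": path,
            "count": len(recs),
            "first_seen": recs[0]["when"],
            # Unauthenticated POSTs to static content are the strongest signal.
            "unauthenticated": all(r["user"] == "-" for r in recs),
        })
    return sorted(findings, key=lambda f: f["count"], reverse=True)


if __name__ == "__main__":
    for f in find_suspicious_posts(SAMPLE_LOG):
        print(f"{f['ip']} -> POST {f['path']} x{f['count']} "
              f"(unauthenticated={f['unauthenticated']}, first {f['first_seen']})")
```

On the sample above only the repeated, unauthenticated POSTs to `/images/logo.gif` are reported; the POST to a SharePoint `.aspx` page and the 404 are not. In a real deployment the extension list should be tuned to what the site actually serves, and the same check is worth running against the directories of any third-party product on the host, since the report notes the attackers hid their files among Globalscape's own.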

The report found heavy use of defence evasion tactics, such as disabling security logs on compromised appliances, erasing Active Directory logs, process injection, and use of in-memory scripting with obfuscated code, some of it containing Chinese characters. "Abuse of legitimate processes, in-memory execution, high obfuscation, custom tooling, and old certificates hinder response efforts, as security tools struggle to classify the threat actor's activity as malicious."
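Two of the behaviours described in the last few paragraphs, the burst of attempted RDP connections during lateral movement and the clearing of security logs on compromised hosts, are visible in Windows event data even when the attacker later wipes the local copy, provided the events were forwarded first. The following is an added example of detection logic for both, written for this article and not taken from ReliaQuest's report. The events are constructed, heavily simplified Security and System log records; the host names, IP addresses and account names are invented.

```python
"""Two detections from the intrusion narrative: bursts of failed RDP logons
and clearing of Windows audit logs.

Added example, not ReliaQuest's or the page's own code.  EVENTS is a
constructed, simplified view of Windows Security/System records; host
names, IPs and account names are invented for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def _ts(s):
    # Sample timestamps are ISO-8601 UTC with a trailing 'Z'.
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


EVENTS = [
    # Six failed logons in under a minute from one source, then a success.
    *({"ts": f"2025-02-12T09:00:{i * 10:02d}Z", "channel": "Security", "id": 4625,
       "host": "SRV-SFTP01", "ip": "10.20.5.14", "user": "svc_backup", "logon_type": 10}
      for i in range(6)),
    {"ts": "2025-02-12T09:01:05Z", "channel": "Security", "id": 4624,
     "host": "SRV-SFTP01", "ip": "10.20.5.14", "user": "svc_backup", "logon_type": 10},
    # A lone mistyped password from a regular user: below threshold, no alert.
    {"ts": "2025-02-12T11:30:00Z", "channel": "Security", "id": 4625,
     "host": "SRV-FILE02", "ip": "10.20.7.3", "user": "jdoe", "logon_type": 10},
    # Audit log wiped on the domain controller a few hours later.
    {"ts": "2025-02-12T13:45:12Z", "channel": "Security", "id": 1102,
     "host": "DC01", "ip": "-", "user": "svc_backup", "logon_type": None},
    {"ts": "2025-02-12T13:45:13Z", "channel": "System", "id": 104,
     "host": "DC01", "ip": "-", "user": "svc_backup", "logon_type": None},
]

# Event IDs that indicate log tampering or audit-policy changes.
LOG_TAMPER_IDS = {
    ("Security", 1102): "Security audit log cleared",
    ("System", 104): "Event log cleared",
    ("Security", 4719): "System audit policy changed",
}


def rdp_failure_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Return one finding per (source IP, host) that accumulated at least
    `threshold` failed logons inside any `window`, noting whether a
    successful logon from the same source followed the burst."""
    failures, successes = defaultdict(list), defaultdict(list)
    for e in events:
        # RDP failures appear as LogonType 10 (RemoteInteractive), or as
        # LogonType 3 when Network Level Authentication rejects them first.
        if e["channel"] != "Security" or e["logon_type"] not in (3, 10):
            continue
        key = (e["ip"], e["host"])
        if e["id"] == 4625:
            failures[key].append(_ts(e["ts"]))
        elif e["id"] == 4624:
            successes[key].append(_ts(e["ts"]))

    findings = []
    for key, times in failures.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):           # sliding window over sorted failures
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best < threshold:
            continue
        last_fail = times[-1]
        followed = any(t > last_fail for t in successes.get(key, []))
        findings.append({"ip": key[0], "host": key[1],
                         "failures": best, "followed_by_success": followed})
    return findings


def log_tamper_events(events):
    """Return every log-clearing or audit-policy event, with who did it."""
    return [{"ts": e["ts"], "host": e["host"], "user": e["user"], "id": e["id"],
             "description": LOG_TAMPER_IDS[(e["channel"], e["id"])]}
            for e in events if (e["channel"], e["id"]) in LOG_TAMPER_IDS]


if __name__ == "__main__":
    for f in rdp_failure_bursts(EVENTS):
        print("RDP burst:", f)
    for f in log_tamper_events(EVENTS):
        print("Log tamper:", f)
```

The "followed by success" flag is what turns a noisy brute-force alert into a high-priority one: a burst of failures against a service account that then logs in is exactly the pattern the report describes. The log-tamper check only works on a copy of the events that the attacker could not reach, which is why forwarding logs off the host quickly, as ReliaQuest recommends below, matters more than the detection logic itself.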

ReliaQuest outlined recommended defensive measures, including network segmentation, enforcing multifactor authentication, forwarding logs off hosts quickly so that locally wiped logs are not lost, and using advanced endpoint detection with behavioural analytics.

Comparing this intrusion to previous campaigns, ReliaQuest identified "key tactics from this attack mirrored in other incidents: Residential proxies used to hide traffic and maintain stealth for command-and-control (C2) infrastructure; web shell techniques, enabling in-memory execution and persistence via DLLs; Server Message Block (SMB) shares used for lateral movement across network segments; high-privileged accounts with possible unchanged passwords exploited; [and] web shell tunneling, linking servers across network segments."

The report concluded, "this attack exemplifies the hallmarks of a highly capable and well-resourced adversary, likely tied to a Chinese nation-state actor. The comparatively long breakout time of 21 hours indicates a deliberate and patient approach, emphasizing stealth over speed—a calculated strategy designed to evade detection and ensure operational success."

"Given the escalating political tensions between China and the US, it is highly likely that other organizations will face similar threats from China-affiliated threat actors in the near future (within three months). These cyber threats are unfolding against the backdrop of a rapidly intensifying trade war. This economic friction not only fuels competition over trade but also heightens China's motivation to engage in cyber espionage to offset the economic impact of recent tariffs and maintain its trajectory toward technological dominance."
