On Friday, CNCERT (China's National Computer Network Emergency Response Technical Team) released investigative reports detailing recent cyberattacks that it attributes to US intelligence agencies and that targeted major Chinese technology organisations. According to the reports, since August 2024 an advanced materials research institute in China had been subject to intrusions that exploited a weakness in its electronic document security management system, from which the attackers pivoted to compromise its software upgrade management server.
Through this software upgrade mechanism, cyber attackers were able to deploy control trojans onto more than 270 host machines within the institution, which facilitated the theft of considerable trade secrets and intellectual property. The reports outlined a detailed timeline of activities beginning on August 19, 2024, when attackers took advantage of an injection vulnerability in the electronic document system to gain access and steal administrative account credentials.
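The initial access step described above, an injection flaw in a web application's login path that hands the attacker administrative credentials, as an added illustration that is not taken from the CNCERT report or from the affected institution's software: a toy document-system login written in Python, once with string-built SQL and once with a parameterised query. The user table, the placeholder password hashes and the payload are all constructed for this example; nothing here reflects the real system's code or schema.

```python
import sqlite3

# Constructed sample data: a toy "document system" user table with placeholder
# hash strings. This is NOT the schema or data of the system in the report.
SAMPLE_USERS = [
    ("admin", "hash_admin_placeholder", "admin"),
    ("alice", "hash_alice_placeholder", "user"),
]

# Attacker-supplied "username": closes the string literal, ORs in a condition
# that selects administrators, and comments out the password check.
PAYLOAD = "' OR role='admin' -- "


def build_db():
    """Create an in-memory SQLite database seeded with the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username, password_hash):
    """Vulnerable pattern: user input is concatenated straight into the SQL text,
    so a crafted username changes the query's logic instead of being compared
    as data."""
    query = (
        "SELECT username, password_hash, role FROM users WHERE username = '"
        + username
        + "' AND password_hash = '"
        + password_hash
        + "'"
    )
    return conn.execute(query).fetchall()


def login_hardened(conn, username, password_hash):
    """Hardened pattern: the same query with bound parameters. The driver sends
    the input as values, so quote characters and comment markers in the
    username are matched literally and never parsed as SQL."""
    query = (
        "SELECT username, password_hash, role FROM users "
        "WHERE username = ? AND password_hash = ?"
    )
    return conn.execute(query, (username, password_hash)).fetchall()


def demo():
    """Run the injection payload against both versions and return the rows
    each one leaks (the admin record from the vulnerable one, nothing from
    the hardened one)."""
    conn = build_db()
    leaked = login_vulnerable(conn, PAYLOAD, "wrong-hash")
    blocked = login_hardened(conn, PAYLOAD, "wrong-hash")
    return leaked, blocked


if __name__ == "__main__":
    leaked, blocked = demo()
    print("vulnerable login returned:", leaked)
    print("hardened login returned:", blocked)
```

The vulnerable version returns the admin row, complete with its stored credential, without the caller knowing any password; the parameterised version returns nothing for the same input. Note that SQLite's `execute()` refuses stacked statements, so a `;`-separated payload would fail here, but a boolean `OR` condition is enough to bypass authentication, which is why parameterisation rather than payload filtering is the fix.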
By August 21, the attackers logged into the management functions of the compromised system with the stolen credentials, deploying a backdoor and a customized trojan that operated solely in memory to avoid detection. This trojan would receive sensitive files from compromised personal computers, while the backdoor aggregated and transmitted these files abroad. On subsequent dates, notably November 6 and 8, the attackers utilized the software upgrade feature to implant specialized trojans into numerous devices within the organization, specifically designed to scan for and steal sensitive information.
The attackers also routed their traffic through proxy IP addresses located inside China to blend in with domestic traffic, which let them re-enter the target's internal network repeatedly while methodically scanning for valuable data. The reports state that on three separate occasions trojans configured with different search keywords were introduced, indicating a methodical espionage operation that ultimately exfiltrated nearly 5GB of sensitive commercial information.
In addition to this case, a high-tech enterprise specialising in smart energy and digital information has faced similar intrusions since May 2023. Attackers exploited two vulnerabilities in Microsoft Exchange to take control of the company's email server and implant backdoor programs that enabled continuous theft of email data: one vulnerability allowed the attackers to impersonate users, while the other enabled arbitrary code execution. By planting tools that ran only in memory, the attackers evaded detection while stealing sensitive information and moving to other devices on the internal network using internal network scanning and encrypted tunnels. This ultimately gave them unauthorised control over more than 30 devices, including email servers and code management systems, and resulted in the theft of approximately 1.03GB of confidential data from the compromised firm.
5 Comments
Bella Ciao
Finally! We've known the US has been stealing from us for years. It's good to have concrete evidence. Now we can demand justice.
Habibi
This report is just the tip of the iceberg. The US is likely engaging in similar cyber attacks against other countries. This needs to stop!
Rolihlahla
This is a wake-up call for China. We need to become more self-sufficient in technology to avoid dependence on foreign powers.
G P Floyd Jr
The US needs to explain itself! How can they justify stealing trade secrets from Chinese companies? This is a serious betrayal of trust.
Comandante
Thank you to the CNCERT for exposing these attacks. We need more transparency and accountability for cyber operations.