Full Report
A suspected China-nexus cyber espionage group has been attributed to attacks targeting large business-to-business IT service providers in Southern Europe as part of a campaign codenamed Operation Digital Eye. The intrusions took place from late June to mid-July 2024, cybersecurity companies SentinelOne SentinelLabs and Tinexta Cyber said in a joint report shared with The Hacker News, adding
Analysis Summary
# Incident Report: Operation Digital Eye - Supply Chain Intrusion via VS Code Tunnels
## Executive Summary
A suspected China-nexus cyber espionage group conducted "Operation Digital Eye," targeting large B2B IT service providers in Southern Europe between late June and mid-July 2024. The attackers gained initial access through SQL injection, used customized tooling (mimCN) for credential access and lateral movement, and established C2 over legitimate Visual Studio Code Remote Tunnels to evade detection. Defenders neutralized the campaign before any data exfiltration occurred, limiting the potential impact on downstream entities.
## Incident Details
- **Discovery Date:** Mid-July 2024 (Implied, as activities were neutralized during this period)
- **Incident Date:** Late June to Mid-July 2024
- **Affected Organization:** Large business-to-business IT service providers
- **Sector:** Information Technology Services
- **Geography:** Southern Europe
## Timeline of Events
### Initial Access
- **Date/Time:** Late June 2024
- **Vector:** SQL Injection (SQLi)
- **Details:** Attackers used the legitimate penetration testing tool **SQLmap** to automate the detection and exploitation of SQL injection flaws on internet-facing applications and database servers.
### Lateral Movement
- **Date/Time:** Following persistence establishment
- **Vector:** Remote Desktop Protocol (RDP) and Pass-the-Hash techniques.
- **Details:** Attackers used a custom version of Mimikatz, dubbed **mimCN**, to execute processes leveraging compromised NTLM password hashes, bypassing the need for actual passwords.
### Data Exfiltration/Impact
- **Data Exfiltration:** Attempted, but **unsuccessful**. The activities were detected and neutralized before data could be stolen.
- **Impact:** Potential establishment of strategic footholds in critical digital infrastructure providers, posing a significant **supply chain risk** to downstream clients.
### Detection & Response
- **Detection:** By SentinelOne SentinelLabs and Tinexta Cyber researchers/security teams at the targeted organizations.
- **Response Actions:** Intrusions were "detected and neutralized before they could progress to the data exfiltration phase."
## Attack Methodology (Mapping to MITRE ATT&CK Principles)
- **Initial Access:** SQL Injection, automated via **SQLmap**.
- **Persistence:** Deployment of a **PHP-based web shell (PHPsert)** for persistent remote access.
- **Privilege Escalation:** Custom modifications to Mimikatz (**mimCN**) used for NTLM hash manipulation.
- **Defense Evasion:** Abuse of legitimate infrastructure, namely **Visual Studio Code Remote Tunnels** and Microsoft Azure, for C2, relying on legitimate executables.
- **Credential Access:** **Custom modified Mimikatz (mimCN)** to harvest credentials via password hashes.
- **Discovery:** Standard reconnaissance activities post-breach.
- **Lateral Movement:** **RDP** and **Pass-the-Hash** techniques.
- **Collection:** Credential harvesting and general reconnaissance.
- **Exfiltration:** Not achieved; intended pathways included the established C2 tunnels.
- **Impact:** Establishing deep footholds within the IT supply chain.
## Impact Assessment
- **Financial:** Not disclosed, but potential costs associated with remediation and supply chain risk mitigation.
- **Data Breach:** **No confirmed data breach** occurred as the activities were stopped prior to exfiltration.
- **Operational:** Potential for significant disruption to IT service providers and subsequent downstream clients if the C2 infrastructure had remained active.
- **Reputational:** Minimal; the intrusion was contained by the targeted organizations and their security partners before any major public disclosure.
## Indicators of Compromise
*(Note: specific hashes and IP addresses are not listed here; the indicators below are tool- and behavior-based.)*
- **Network indicators:** C2 communication leveraging **Visual Studio Code Remote Tunnels** (connecting via `vscode[.dev]` using GitHub authentication). Use of infrastructure provided by M247 (hosting provider).
- **File indicators:** **PHPsert** (PHP web shell).
- **Behavioral indicators:** Use of custom tools sharing code overlaps with known Chinese espionage activity (Operation Soft Cell, Operation Tainted Love); presence of simplified **Chinese comments in PHPsert**; activity profiling aligning with China Standard Time (CST) working hours (9 a.m. to 9 p.m. CST).
## Response Actions
- **Containment:** Intrusions were successfully "neutralized," implying immediate termination of unauthorized sessions and removal of web shells/backdoors.
- **Eradication:** Implied removal of SQLmap artifacts, PHPsert, and custom Mimikatz variants.
- **Recovery:** Not explicitly detailed, but would involve patching SQLi vulnerabilities and reviewing/resetting credentials harvested by mimCN.
## Lessons Learned
- The group effectively used legitimate, trusted development tools (**Visual Studio Code Remote Tunnels**) and cloud infrastructure (Azure) to disguise malicious C2 traffic, highlighting a sophisticated evasion technique.
- The supply chain targeting is a major strategic concern; compromising IT service providers allows attackers to pivot to many other industries.
- The consistent use and evolution of custom tooling (**mimCN**) point toward a well-resourced, professionalized threat actor ecosystem likely supported by a shared vendor or "digital quartermaster."
## Recommendations
- Implement stricter application security scanning and WAF rules to prevent SQL Injection, particularly on internet-facing resources.
- Review and restrict the use of legitimate protocols, like RDP, for critical internal movement, potentially implementing tiered network segmentation.
- Enhance network monitoring to detect unusual command execution patterns associated with legitimate developer tools (e.g., tunneling activity masking as standard VS Code operations).
- Increase scrutiny on authentication methods used for remote access services, ensuring Multi-Factor Authentication (MFA) is enforced, particularly for GitHub/Azure-based authentications used for tunnels.
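As an added detection example for the monitoring recommendation above (not code from the SentinelLabs/Tinexta report), the following Python flags the VS Code CLI being started in `tunnel` mode in process-creation telemetry, escalates when the tunnel is installed as a service or appears on a host outside an assumed developer allowlist (`DEV_HOSTS`), and ties shells spawned under a flagged tunnel back to it. The events, hostnames and paths are constructed.

```python
import re
from collections import namedtuple

# One process-creation record: host, pid, parent pid, image path, command line.
Event = namedtuple("Event", "host pid ppid image cmdline")

# VS Code CLI invoked with the "tunnel" subcommand, e.g. '"...\code.exe" tunnel --name x'.
TUNNEL_CMD = re.compile(r'(?:^|[\\/\s"])code(?:\.exe)?"?\s+tunnel\b', re.I)
SERVICE_CMD = re.compile(r"\btunnel\s+service\s+install\b", re.I)  # persistence form
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "sh", "bash"}
DEV_HOSTS = {"dev-ws01"}  # assumed allowlist of hosts where developer tunnels are expected

def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def detect(events):
    """Return (host, pid, rule, severity) tuples in event order."""
    findings, tunnel_pids = [], set()
    for ev in events:
        if TUNNEL_CMD.search(ev.cmdline):
            tunnel_pids.add((ev.host, ev.pid))
            if SERVICE_CMD.search(ev.cmdline):
                rule, sev = "vscode-tunnel-installed-as-service", "high"
            elif ev.host not in DEV_HOSTS:
                rule, sev = "vscode-tunnel-on-non-developer-host", "high"
            else:
                rule, sev = "vscode-tunnel-on-developer-host", "low"
            findings.append((ev.host, ev.pid, rule, sev))
        # Shell whose parent is a flagged tunnel process: someone is running commands through
        # the tunnel. Assumes a direct parent link; real trees may include a server process.
        elif basename(ev.image) in SHELLS and (ev.host, ev.ppid) in tunnel_pids:
            findings.append((ev.host, ev.pid, "shell-spawned-under-vscode-tunnel", "high"))
    return findings

# Constructed sample events, not taken from the report.
VSCODE = r"C:\Users\alice\AppData\Local\Programs\Microsoft VS Code"
SAMPLE_EVENTS = [
    Event("dev-ws01", 4100, 900, VSCODE + r"\bin\code.exe",
          f'"{VSCODE}\\bin\\code.exe" tunnel --accept-server-license-terms --name dev-ws01'),
    Event("srv-db02", 5120, 1200, r"C:\Windows\Temp\code.exe",
          "code.exe tunnel --accept-server-license-terms --name srv-db02"),
    Event("srv-db02", 5180, 5120, r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),
    Event("srv-db02", 5200, 1200, r"C:\Windows\Temp\code.exe",
          "code.exe tunnel service install --accept-server-license-terms"),
    Event("dev-ws01", 4200, 4000, VSCODE + r"\Code.exe", f'"{VSCODE}\\Code.exe" --type=renderer'),
    Event("dev-ws01", 4300, 4000, r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir"),
]
```

Only the non-developer host, the service install and the shell launched under the tunnel come back as high severity; the ordinary editor process and an unrelated shell on the developer workstation produce nothing.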