In a sophisticated cyber-espionage campaign dubbed ‘Operation Digital Eye,’ suspected Chinese state-backed hackers targeted major business-to-business IT service providers across Southern Europe between late June and mid-July 2024.
The attackers employed a clever technique, exploiting Visual Studio Code Tunnels and Azure infrastructure for command and control purposes.
Visual Studio Code (VS Code) Tunnels are a feature that allows you to securely connect to a remote machine or environment and interact with it directly from VS Code.
Researchers say this marks the first documented instance of a suspected Chinese APT (Advanced Persistent Threat) group utilizing this method.
The threat actors initially gained access through SQL injection attacks on internet-facing servers, deploying a custom PHP-based webshell nicknamed “PHPsert.”
They then moved laterally across compromised networks using Remote Desktop Protocol (RDP) connections and sophisticated password hash-stealing techniques.
The attackers’ abuse of Visual Studio Code’s Remote Tunnels feature was of particular concern. This feature allowed them to maintain persistent backdoor access to compromised systems while appearing as legitimate development activity.
The malicious traffic was routed through Microsoft Azure infrastructure in European locations, making detection more challenging.
“The targeted organizations provide solutions for managing data, infrastructure, and cybersecurity for clients across various industries, making them prime targets for cyberespionage actors,” noted researchers in their report. A successful breach could have given the attackers strategic footholds to compromise downstream clients.
Analysis of the attackers’ operational patterns revealed activity primarily during Chinese business hours (9 AM to 9 PM China Standard Time) on weekdays, suggesting state-sponsored involvement.
The malware used contained Chinese-language comments and shared characteristics with tools previously linked to Chinese APT operations.
The attackers employed a multi-phase strategy:
- Initial Access: Using SQL injection attacks against web databases, they infiltrated systems and deployed a custom PHP-based webshell, named PHPsert, tailored to evade detection.
- Credential Theft: They targeted Windows systems with built-in utilities and tools like CreateDump to extract credentials, alongside custom-modified Mimikatz tools for pass-the-hash attacks.
- Lateral Movement: Once inside, attackers moved through internal networks using Remote Desktop Protocol (RDP) and Visual Studio Code-based tunnels.
- Custom Malware: The campaign utilized a unique version of Mimikatz, bK2o.exe, to perform advanced credential-stealing functions, all while obfuscating its activity to bypass static analysis.
The campaign’s reliance on advanced tooling and practical adaptations, such as disguising malicious files with local language terms, further highlights its operational sophistication.
Attribution and Links to Other Chinese Cyberespionage Campaigns
While the specific group behind the campaign remains unclear, researchers noted overlaps in the malware and techniques used in Operation Digital Eye with those seen in earlier Chinese APT campaigns, including Operation Soft Cell (2017–2018) and Operation Tainted Love (2023).
These campaigns targeted telecommunications and other industries, using similar tools in the mimCN collection—a suite of advanced tools believed to be maintained by a shared vendor or “digital quartermaster” within the Chinese cyber espionage ecosystem.
The I-Soon leak, a whistleblower report detailing China’s cyberespionage activities, supports the theory of centralized entities responsible for building and maintaining these tools for various groups.
The attackers carefully aligned their infrastructure with their European targets. By leveraging servers from M247 in Poland and Italy and Microsoft’s Azure services in Europe, they avoided raising suspicion among local organizations. Notably, activity timestamps reflected operations conducted during regular Chinese work hours, bolstering suspicions of state-sponsored involvement.
This campaign underscores the growing threat posed by Chinese cyberespionage groups to European entities. By blending legitimate technology abuse with advanced techniques, the attackers sought to bypass traditional defenses. The exploitation of trusted tools like Visual Studio Code, combined with the use of legitimate cloud infrastructure, makes such attacks particularly challenging to detect.
Operation Digital Eye highlights the need for organizations to adopt robust detection mechanisms, especially for abuse of widely trusted tools like Visual Studio Code. Cybersecurity teams must reevaluate traditional security models and scrutinize cloud activities and developer tools more closely.
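One way to start building the detection the article calls for is to flag VS Code tunnel activity on hosts where it is not expected. The following is an added example, not code from the report or from the affected organizations: it scans constructed process-creation and proxy events for `code tunnel` launches (including the `tunnel service install` persistence form) and for connections to the tunnel relay domains `devtunnels.ms` and `tunnels.api.visualstudio.com`, which are assumed here to be the relay endpoints VS Code tunnels use. The host allowlist, paths and sample events are all constructed.

```python
import re

# Constructed sample telemetry (not from the report): process-creation and proxy events.
SAMPLE_EVENTS = [
    {"type": "process", "host": "srv-db01", "user": "svc_web",
     "image": r"C:\Users\Public\code.exe",
     "cmdline": "code.exe tunnel --accept-server-license-terms --name srv-db01"},
    {"type": "process", "host": "dev-ws07", "user": "alice",
     "image": r"C:\Program Files\Microsoft VS Code\Code.exe", "cmdline": "Code.exe --new-window"},
    {"type": "process", "host": "dev-ws07", "user": "alice",
     "image": r"C:\Program Files\Microsoft VS Code\Code.exe", "cmdline": "Code.exe tunnel --name dev-ws07"},
    {"type": "process", "host": "srv-app02", "user": "SYSTEM",
     "image": r"C:\Windows\Temp\code.exe", "cmdline": "code.exe tunnel service install"},
    {"type": "proxy", "host": "srv-db01", "dest": "global.rel.tunnels.api.visualstudio.com", "port": 443},
    {"type": "proxy", "host": "dev-ws07", "dest": "update.code.visualstudio.com", "port": 443},
    {"type": "proxy", "host": "srv-app02", "dest": "abc123-8080.euw.devtunnels.ms", "port": 443},
]

# Assumed allowlist: developer workstations where tunnel use is expected; servers are not on it.
DEV_HOSTS = {"dev-ws07"}

TUNNEL_CMD = re.compile(r"\bcode(\.exe)?\s+tunnel\b", re.IGNORECASE)
# Assumed relay domains used by VS Code tunnels / dev tunnels.
TUNNEL_DOMAINS = re.compile(r"(\.|^)(devtunnels\.ms|tunnels\.api\.visualstudio\.com)$", re.IGNORECASE)

def classify(event):
    """Return (severity, reason) for tunnel-related events, or None for benign ones."""
    trusted = event["host"] in DEV_HOSTS
    if event["type"] == "process" and TUNNEL_CMD.search(event["cmdline"]):
        reasons = ["code tunnel launch"]
        if "service install" in event["cmdline"].lower():
            reasons.append("installed as service (persistence)")
        if not event["image"].lower().startswith(r"c:\program files"):
            reasons.append("binary outside standard install path")
        # A plain tunnel launch from a standard install on a developer host is low severity.
        severity = "low" if trusted and len(reasons) == 1 else "high"
        return severity, "; ".join(reasons)
    if event["type"] == "proxy" and TUNNEL_DOMAINS.search(event["dest"]):
        return ("low" if trusted else "high"), f"connection to tunnel relay {event['dest']}"
    return None

def find_tunnel_abuse(events):
    """Run classify() over a list of events and return the resulting alerts in order."""
    alerts = []
    for event in events:
        result = classify(event)
        if result:
            alerts.append({"host": event["host"], "severity": result[0], "reason": result[1]})
    return alerts

if __name__ == "__main__":
    for alert in find_tunnel_abuse(SAMPLE_EVENTS):
        print(f"[{alert['severity'].upper()}] {alert['host']}: {alert['reason']}")
```

Servers that launch the tunnel binary from a temporary directory, install it as a service, or reach the relay domains without a developer on the allowlist are the cases worth escalating.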
As cyberespionage threats grow increasingly intricate, campaigns like these serve as a wake-up call for governments and private organizations to collaborate on strengthening defensive measures. The lessons from Operation Digital Eye emphasize the importance of vigilance, innovation, and global cooperation in countering the ever-evolving tactics of nation-state threat actors.