The China-backed Winnti Group (APT 41, Wicked Panda or Barium) has been siphoning troves of intellectual property and other data from dozens of manufacturers in North America, Europe and Asia across multiple critical industries over the past three years, according to a year-long investigation by Cybereason, a provider of extended detection and response services.
During its examination, Cybereason discovered that Winnti had conducted Operation CuckooBees undetected since at least 2019. The most “alarming revelation” is that the companies weren’t aware they were breached. The heist gave Winnti “unfiltered access” to blueprints, sensitive diagrams and other proprietary data, said Lior Div, Cybereason chief executive and co-founder.
Winnti has been active since at least 2010 and has been linked to attacks on dozens of U.S. companies. Cybereason based its conclusions on forensic artifacts of Winnti intrusions, the company said.
Additional findings from the research include:
“The security vulnerabilities that are most commonly found in campaigns such as Operation CuckooBees are exploited because of unpatched systems, insufficient network segmentation, unmanaged assets, forgotten accounts and lacking multi-factor authentication products,” said Div. “Although these vulnerabilities may seem easy to fix, day-to-day security is complex and it’s not always easy to implement mitigations at a grand scale. Defenders should follow MITRE and/or similar frameworks in order to make sure that they have the right visibility, detection and remediation capabilities in place to protect their most critical assets,” he said.