China claims U.S. intelligence exploited a Microsoft Exchange zero-day vulnerability to steal critical military data
=======================================================================
Recent reports suggest that US intelligence agencies may have been involved in a long-term cyber espionage campaign against major Chinese military and defense-related enterprises [2][3][4]. China has publicly accused the US of using a zero-day vulnerability in Microsoft Exchange to steal sensitive defense data and gain control over more than 50 targets within these companies.
Independent cybersecurity research has uncovered an advanced persistent threat (APT) group known as NightEagle (APT-Q-95), which has been operating since 2023. This group has leveraged the Microsoft Exchange zero-day exploit to penetrate high-tech sectors in China, including military, AI, quantum tech, and semiconductors. NightEagle uses a modified open-source penetration tool (Chisel) to maintain persistent network access and conduct espionage via compromised Microsoft Exchange servers [1].
Key points regarding this cyber espionage campaign include:
- The zero-day exploit targeted Microsoft Exchange servers widely used in government and defense sectors within China [1].
- NightEagle displays rapid infrastructure changes and high operational tempo, consistent with a sophisticated state-backed actor [1].
- The attack vectors enabled remote intranet penetration through modified tools, suggesting deep network infiltration capabilities [1].
- China’s official cybersecurity sources have explicitly blamed US-linked actors for exploiting Microsoft Exchange vulnerabilities to compromise defense companies [2][3][4].
- Microsoft has responded by patching the exploited vulnerabilities and continues to investigate these advanced intrusions [1].
It is important to distinguish this Microsoft Exchange zero-day espionage from the recent Microsoft SharePoint hack, which targeted a US nuclear weapons agency and was attributed to Chinese state-sponsored hackers; together they illustrate the broader cyber conflict between the two countries [5].
In addition to the Microsoft Exchange zero-day exploit, there have been reports of a second attack in which Americans exploited bugs in electronic file systems between July and November 2024 to compromise a Chinese military-industrial enterprise in the communications and satellite internet sectors. The attack targeted the emails of 11 people, including senior executives at the defense company, and allegedly stole design plans and detailed system information related to Chinese military products [6].
The CNCERT/CC alert names neither the specific organizations that American intelligence allegedly compromised nor the specific vulnerabilities that were abused; the same holds for the second attack, whose victim organizations are likewise not identified.
The intruders used WebSocket communication within an SSH tunnel to remotely access one of the company's external servers. The attackers gained control of the enterprise's domain controller server and used it to control over 50 critical devices within the intranet [6].
During the same time period, more than 40 cyberattacks were launched by Americans using IP addresses from multiple countries, including Germany, Finland, South Korea, and Singapore [6].
Earlier this week, SentinelLabs' security researchers uncovered more than a dozen patents for offensive cybersecurity tools filed by Chinese companies allegedly tied to Beijing's Silk Typhoon espionage crew [7].
As the cyber conflict between the US and China continues to evolve, it is crucial for both nations to prioritise transparency and cooperation in order to maintain global cybersecurity and stability.
- The cyber espionage campaign against major Chinese enterprises, alleged to be conducted by US intelligence agencies, has been linked to a zero-day vulnerability in Microsoft Exchange, which was exploited by an advanced persistent threat group known as NightEagle (APT-Q-95) [1].
- Within this campaign, NightEagle has demonstrated the ability to infiltrate high-tech sectors, including military, AI, quantum tech, and semiconductors, by leveraging the Microsoft Exchange zero-day exploit and using a modified open-source penetration tool called Chisel [1].
- Apart from the Microsoft Exchange zero-day espionage, reports have emerged of a second attack where Americans exploited bugs in electronic file systems between July and November 2024, targeting a Chinese military-industrial enterprise in the communications and satellite internet sectors [6].
- In this second attack, the emails of 11 senior executives at the defense company were compromised, allegedly resulting in the theft of design plans and detailed system information related to Chinese military products [6].
- As cyber conflicts between the US and China escalate, transparency and cooperation to maintain global cybersecurity and stability become increasingly important [7].