Hong Kong gov’t orgs targeted for over a year with Spyder Loader malware: report

Government organizations in Hong Kong were targeted with malware as part of an intelligence-gathering campaign that lasted for more than a year, according to researchers from Symantec. 

Symantec said the campaign was part of the larger “Operation CuckooBees” — an alleged espionage effort by Chinese state-sponsored hackers to steal proprietary information from dozens of global defense, energy, biotech, aerospace and pharmaceutical companies.

Brigid Gorman, senior intelligence analyst with the Symantec Threat Hunter Team, told The Record that the use of the Spyder Loader malware indicated that the goal of the latest campaign was also intelligence gathering and espionage. 

“The victims observed by Symantec in this campaign were all based in Hong Kong. The focused targeting of this campaign on this geographic region is interesting,” Gorman said. 

Operation CuckooBees began in at least 2019, according to research published by Cybereason in May. The campaign involved the theft of “blueprints, diagrams, formulas, and manufacturing-related proprietary data,” Cybereason noted.

But the Spyder Loader malware was first discussed publicly in March 2021 by SonicWall, which said it was being used “for targeted attacks on information storage systems, collecting information about corrupted devices, executing mischievous payloads, coordinating script execution, and C&C server communication.”

“They also stole data that could be leveraged for use in future cyber attacks — such as credentials, customer data, and information about network architecture. Among the tools used in that campaign was the Spyder Loader malware, which is what was also observed in the activity seen by Symantec researchers,” Symantec explained in a report on Tuesday. 

“We saw various variants of Spyder Loader on victim networks, all displaying largely the same functionality. The fact that this campaign has been ongoing for several years, with different variants of the Spyder Loader malware deployed in that time, indicates that the actors behind this activity are persistent and focused adversaries, with the ability to carry out stealthy operations on victim networks over a long period of time.”

Cybereason said earlier this year that it briefed the FBI and Justice Department about Operation CuckooBees, tying the campaign to the prolific Winnti Group, also known as APT 41.

Several cybersecurity companies have been tracking Winnti since it emerged in 2010, and experts have assessed that the hackers operate on behalf of Chinese state interests, specializing in cyber-espionage and intellectual property theft.

The Justice Department issued indictments of several alleged members of APT 41 in 2020, noting that the group had hacked more than 100 companies across the world.


Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.