
Stealthy cyber spies linked to China compromising virtualization software globally

A cyber-espionage campaign linked to a sophisticated hacking group believed to be based in China is continuing to compromise virtualization and networking infrastructure used by enterprises globally, according to a new deep-dive report by cybersecurity company Sygnia.

The hackers are targeting VMware ESXi hypervisors, a type of software that controls and hosts virtual machines for enterprise networks. They are using custom tools that grant persistent access while evading detection by standard security measures such as endpoint detection and response (EDR) systems.

Sygnia is tracking the campaign under the name Fire Ant, which shares similarities with UNC3886, based on what its regional head of incident response described as “unique” engagements.

It follows UNC3886’s spying activities being highlighted by Singapore’s national security minister, Kasiviswanathan Shanmugam, who said the group was behind a series of incidents affecting the country's critical national infrastructure.

“The intent of this threat actor in attacking Singapore is quite clear. It is going after high value strategic threat targets, vital infrastructure that deliver essential services,” Shanmugam said. While Singapore’s government did not explicitly name China, the Chinese embassy responded by rejecting the allegations as “groundless smears and accusations.”

Yoav Mazor, Sygnia’s head of incident response for Asia Pacific and Japan — who is himself based in Singapore — told Recorded Future News that the company’s report was not based on the specific entities the minister mentioned, but considered its research on Fire Ant to “definitely correlate” with the campaign Shanmugam complained about.

Analysts believe the hacking is likely state-sponsored, given both the stealth and sophistication of the operators and the material being targeted. Last year, Google described UNC3886 as “sophisticated, cautious, and evasive” and warned it was attempting to compromise “prominent strategic organizations on a global scale.”

The company also linked UNC3886 to a campaign last year to deploy custom backdoors on compromised Juniper Network routers, stating it appeared to be “focused mainly on defense, technology, and telecommunication organizations located in the US and Asia.” The group had previously been linked to compromises discovered in Fortinet and VMware systems for the sake of spying on defense, government, tech and telecom organizations.

The attackers are “definitely” pursuing strategic intelligence, said Mazor, who added that Sygnia published its technical report to highlight the severe global risk posed by hypervisor-level intrusions. He emphasized that Fire Ant's operations extended well beyond Asia Pacific.

Mazor described the multiple engagements that Sygnia had worked on as unique. 

“Usually in a forensic investigation, we’re investigating things that have already happened and the main job is to investigate, to fix what needs to be fixed, and then move on,” he said.

“In these specific incidents, once we already understood the threat actor, there was the operational task of actually getting them out. Eradication was a lengthy process. While we were working on closing a specific entry vector, the threat actor was leveraging another entry vector to establish new ones,” he said.

They became more operational engagements, including tracking what the threat actor was doing while they were doing it in order to be able to eventually evict them from the network.

“A lot of times, when we know the threat actor sees us try to eradicate them, they might hold back and come back later. Here it didn’t seem like the threat actor was necessarily holding back. They did change tools, they did at some point use tools that we hadn’t seen before, but it definitely looked like they were there for the operational race.”

Alexander Martin

is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.