US org with ‘significant presence in China’ targeted by hackers, Symantec says

A China-based threat actor likely attacked a large U.S. organization with a significant presence in the country earlier this year, researchers from Symantec said.

The cybersecurity firm did not name the company but said the attack was “likely carried out by a China-based threat actor, since some of the tools used in this attack have been previously associated with Chinese attackers.”

“While it is possible that actual network intrusion occurred earlier, the first evidence of the attacker’s activity dates from April 2024, and this malicious activity continued until August 2024,” Symantec researchers said. 

“The attackers moved laterally across the organization’s network, compromising multiple computers. Some of the machines targeted were Exchange Servers, suggesting the attackers were gathering intelligence by harvesting emails. Exfiltration tools were also deployed, suggesting that targeted data was taken from the organizations.”

The report notes that the same organization was targeted last year by an attacker with links to Daggerfly — a Chinese government-backed hacking group implicated in attacks on organizations in Taiwan, an African telecommunications company and a high-profile international NGO operating in two Chinese provinces.

Active since at least 2012, the group conducts espionage against individuals and government entities in mainland China, Hong Kong, Nigeria, Myanmar, the Philippines, Taiwan and Vietnam.

A file used in the attacks found by Symantec was also previously spotlighted by other security firms in attacks launched by China-based espionage group Crimson Palace against organizations in Southeast Asia. 

Symantec said the attackers used “several legitimate applications to load malware” — including tools made by Google and Apple. 

The first evidence of malicious activity took place on April 11, 2024 but Symantec found activity on two other machines within the organization on June 2. A fourth computer was breached on June 5 and another on June 13.

Several cybersecurity experts said the technical aspects of the report highlighted how modern attackers blend sophisticated tradecraft with everyday business applications to avoid detection.

“The extended duration of this attack highlights a concerning pattern where threat actors methodically gather intelligence and establish persistent access, potentially creating opportunities for future targeted phishing campaigns or sophisticated social engineering attacks,” said Stephen Kowski, Field CTO at SlashNext Email Security. 

“The focus on Exchange servers and email harvesting suggests a strategic intelligence-gathering operation aimed at understanding business relationships, internal communications, and potential leverage points.”