The National Computer Emergency Response Team of China (CNCERT) has released a detailed report on a cyberattack targeting a Chinese research institute specializing in advanced material development. According to the report, the attack, orchestrated by threat actors from the United States, was meticulously planned and executed using highly sophisticated techniques.
In August 2024, the attackers gained access to the institute’s systems by exploiting a vulnerability in its electronic file storage system, which allowed them to steal administrator credentials. They then moved into the management system and deployed malware that ran exclusively in volatile memory, leaving no files on disk and significantly complicating detection.
Between November and December 2024, the attackers distributed specialized trojans through the institute’s software update functionality. This resulted in the infection of 276 workstations, from which sensitive data was systematically exfiltrated. The primary targets were trade secrets and intellectual property linked to the institute’s cutting-edge research and development.
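Delivery through an update channel, as described above, succeeds only when clients apply whatever the update server hands them. The following is an added example, not code from the CNCERT report or from the affected institute, showing the check a client should perform before installing an update: every file is hashed, the hash manifest is authenticated, and any file not covered by the manifest is rejected. The manifest is authenticated with an HMAC and a shared key here purely to keep the example self-contained with the standard library; a real update system would use an asymmetric signature so that clients hold only a public key. The file names and key are constructed placeholders.

```python
import hashlib
import hmac
import json

# Constructed placeholder. In a real deployment the signing key never leaves the
# build infrastructure and clients verify an asymmetric signature instead.
SIGNING_KEY = b"example-update-signing-key"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical_bytes(entries: dict) -> bytes:
    """Deterministic encoding of the name->hash table so the MAC covers exactly what is verified."""
    return json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(files: dict, key: bytes = SIGNING_KEY) -> dict:
    """Build-side: hash every file of the update and authenticate the table of hashes."""
    entries = {name: sha256_hex(blob) for name, blob in files.items()}
    sig = hmac.new(key, canonical_bytes(entries), "sha256").hexdigest()
    return {"files": entries, "sig": sig}


def verify_update(manifest: dict, files: dict, key: bytes = SIGNING_KEY) -> list:
    """Client-side: return a list of problems; an empty list means the update may be applied."""
    problems = []
    entries = manifest.get("files", {})
    expected_sig = hmac.new(key, canonical_bytes(entries), "sha256").hexdigest()
    # Constant-time comparison; if the manifest itself is not authentic, stop here.
    if not hmac.compare_digest(expected_sig, manifest.get("sig", "")):
        return ["manifest signature mismatch"]
    # Every delivered file must be listed and must match its recorded hash.
    for name, blob in sorted(files.items()):
        if name not in entries:
            problems.append(f"unexpected file not in manifest: {name}")
        elif entries[name] != sha256_hex(blob):
            problems.append(f"hash mismatch: {name}")
    # Every listed file must actually be present (a stripped component is also a defect).
    for name in sorted(entries):
        if name not in files:
            problems.append(f"file listed in manifest but missing: {name}")
    return problems


if __name__ == "__main__":
    # Constructed update payload.
    good = {"agent.bin": b"\x7fELF legitimate build", "config.json": b'{"v": 2}'}
    manifest = sign_manifest(good)
    print("clean update:", verify_update(manifest, good))
    tampered = dict(good, **{"agent.bin": b"\x7fELF replaced"})
    print("tampered binary:", verify_update(manifest, tampered))
    extra = dict(good, **{"helper.dll": b"dropped alongside"})
    print("extra file:", verify_update(manifest, extra))
```

The check rejects three distinct failure modes separately: a replaced file, a file that was added to the package without being in the manifest, and a manifest whose table was edited after signing.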
A distinctive feature of the attack was its high level of preparation and its targeted nature. Before each breach attempt, the threat actors identified specific keywords associated with the institute’s activities. The total volume of stolen data amounted to nearly 5 GB, comprising files deemed critical to both scientific research and business operations.
The attacks were predominantly carried out during U.S. business hours and came from anonymized IP addresses in Germany and Romania. To obscure their activities, the attackers used open-source and publicly available tools and avoided writing static files to disk.
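Two of the observations above, sessions from countries where the institute has no users and activity clustered in another region’s working hours, are exactly the signals a defender can score from authentication logs. The following is an added example, not code from the report or from any CNCERT tooling, that runs that scoring over a constructed set of admin session events: each user’s sessions from unexpected countries are counted, and a user is flagged when most of those foreign sessions fall inside a configurable UTC window. The events, the expected-country set and the window (U.S. Eastern standard time office hours, expressed in UTC) are constructed assumptions for the demonstration; a real deployment would read the events from its log pipeline and derive the window from the pattern it wants to test for.

```python
from collections import Counter
from datetime import datetime, timezone

# Constructed sample log: (UTC timestamp, account, source country from GeoIP).
SAMPLE_EVENTS = [
    ("2024-11-04T02:10:00Z", "admin", "CN"),    # local morning for the institute
    ("2024-11-04T15:05:00Z", "admin", "DE"),
    ("2024-11-04T17:40:00Z", "admin", "RO"),
    ("2024-11-05T16:12:00Z", "admin", "DE"),
    ("2024-11-05T19:30:00Z", "admin", "DE"),
    ("2024-11-06T01:45:00Z", "analyst", "CN"),
    ("2024-11-06T18:20:00Z", "admin", "RO"),
]

# Assumption for the demo: the institute's users only ever connect from China.
EXPECTED_COUNTRIES = {"CN"}
# 09:00-17:00 U.S. Eastern Standard Time (UTC-5) is 14:00-22:00 UTC. Simplification:
# a production rule would handle daylight-saving shifts explicitly.
BUSINESS_WINDOW_UTC = (14, 22)
MIN_FOREIGN_SESSIONS = 3     # do not flag on a single stray login
WINDOW_RATIO_THRESHOLD = 0.8 # share of foreign sessions inside the window


def parse_utc(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def in_window(dt: datetime, window=BUSINESS_WINDOW_UTC) -> bool:
    start, end = window
    return start <= dt.hour < end


def summarize(events, expected=EXPECTED_COUNTRIES, window=BUSINESS_WINDOW_UTC) -> dict:
    """Per-account counts of foreign sessions and how many of them sit in the window."""
    per_user = {}
    for ts, user, country in events:
        s = per_user.setdefault(user, {"total": 0, "foreign": 0, "foreign_in_window": 0,
                                       "countries": Counter()})
        s["total"] += 1
        s["countries"][country] += 1
        if country not in expected:
            s["foreign"] += 1
            if in_window(parse_utc(ts), window):
                s["foreign_in_window"] += 1
    return per_user


def flag_accounts(events, expected=EXPECTED_COUNTRIES, window=BUSINESS_WINDOW_UTC,
                  min_foreign=MIN_FOREIGN_SESSIONS, ratio=WINDOW_RATIO_THRESHOLD) -> list:
    """Accounts whose foreign sessions are both numerous and concentrated in the window."""
    flagged = []
    for user, s in sorted(summarize(events, expected, window).items()):
        if s["foreign"] >= min_foreign and s["foreign_in_window"] / s["foreign"] >= ratio:
            flagged.append({
                "user": user,
                "foreign_sessions": s["foreign"],
                "in_window": s["foreign_in_window"],
                "countries": sorted(c for c in s["countries"] if c not in expected),
            })
    return flagged


if __name__ == "__main__":
    for finding in flag_accounts(SAMPLE_EVENTS):
        print(finding)
```

The ratio and minimum-count thresholds keep a single business traveller's login from firing the rule; what it is built to catch is the sustained pattern the report describes, repeated privileged sessions from an unexpected region that all land in someone else's working day.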
Experts at CNCERT noted that this approach reflects the attackers’ extensive technical resources and high level of coordination. The report was published to alert other nations and organizations to the risk of similar cyberattacks and to foster closer international collaboration on cybersecurity.