McAfee Enterprise discovers forensic evidence on 'Operation Harvest' – a multi-year data exfiltration campaign
On Wednesday, 15 September, McAfee Enterprise's Advanced Threat Research (ATR) team published a forensic analysis on 'Operation Harvest' – a prolonged data exfiltration campaign in which an adversary maintained access for multiple years to capture network data. Working with the Professional Services IR team on a case that started as a malware incident, they discovered that the attack ultimately turned out to be a long-term cyber attack linked to nation-state cyber offensive activity.
From a cyber intelligence perspective, ATR provides deep insight into this long-term campaign, mapping its findings on entry, affiliation and motive against the Enterprise MITRE ATT&CK model. The telemetry supports the following findings:
- At entry: Forensic investigations identified that the actor established initial access by compromising the victim's web server, which was then used to maintain presence and to store the tools used to gather information about the victim's network and to carry out lateral movement and execution of files.
- Affiliation: The adversaries used techniques very often observed in this kind of attack, but also distinctive new backdoors or variants of existing malware families; the unique encryption function in the custom backdoor and the code used in the DLL are almost identical to methods attributed to the Winnti malware family.
- Motive: The analysis suggests the adversary was interested in stealing proprietary intelligence that could be used for military or intellectual property/manufacturing purposes.
Based on the artefacts recovered, the McAfee Enterprise team asserts that this operation was executed by an experienced APT actor whose long-term objectives are persistence in their victims' networks and acquiring the intelligence needed to make political/strategic or manufacturing decisions.
Interested in reviewing the research containing evidence on why the data was exfiltrated and visuals on the behaviour of the malware actors under embargo?
Please let me know if you’d like to speak to a McAfee Enterprise threat researcher or have any questions about the malware operation.
Please click here to view the McAfee Enterprise Operation Harvest Defender analysis.