"Operation Digital Eye" : Chinese Hackers Target European IT Companies in Supply Chain Espionage Campaign

"Operation Digital Eye" : Chinese Hackers Target European IT Companies in Supply Chain Espionage Campaign
A sophisticated cyberattack campaign, dubbed Operation Digital Eye, has targeted several IT and security companies across Southern Europe. Researchers at SentinelLabs have attributed the attack to a Chinese threat actor leveraging Microsoft technologies to disguise their malicious activities. The campaign appears to focus on supply chain espionage, aiming to exploit the privileged access that IT service providers have to their clients' networks.

Behind the Attack: A Blend of Tactics and Technologies

The attack unfolded over three weeks, from late June to July, and targeted business-to-business (B2B) IT service providers, including cybersecurity vendors and data infrastructure providers. The attackers concealed their operations using everyday tools like Microsoft Visual Studio Code (VS Code) and Azure, while adopting tactics, techniques, and procedures (TTPs) observed in other Chinese cyberattacks.

The campaign began with SQL injection attacks against vulnerable web and database servers. Once inside, the attackers deployed PHP web shells tailored to their targets' environments to avoid detection. These actions enabled reconnaissance, lateral movement, and credential theft within the compromised networks.

The key feature of the attack was a malicious payload disguised as a legitimate Microsoft-signed executable called "code.exe." The attackers brought their own portable version of VS Code, embedding it into the victims' systems to maintain persistent access. By using VS Code's Remote Tunnels feature, they enabled command execution and file editing on remote systems under the guise of a legitimate program.

Exploiting Microsoft Tools for Persistence

VS Code's Remote Tunnels feature was designed to let developers access and edit code on remote machines, but in this campaign it became a potent backdoor. The attackers stored the tool in temporary folders and used innocuous file and service names to blend in with normal operations.

Setting up tunneling through VS Code required integrating with GitHub and Azure servers. While it remains unclear whether stolen credentials or attacker-registered accounts were used, the campaign effectively leveraged public cloud infrastructure in Western Europe. This tactic made the malicious traffic appear legitimate and harder for security tools to detect.

SentinelLabs researchers noted that network traffic associated with VS Code and Azure often bypasses close scrutiny due to its widespread use and trust among businesses. This allowed the attackers to evade detection and gain full endpoint access.
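Because the tunnel binary is genuinely Microsoft-signed, signature checks alone will not flag this technique; the detectable signals are where `code.exe` runs from and whether it is started in tunnel mode. The triage logic below is an added defender-side example, not code from the article or from SentinelLabs. It assumes process-creation telemetry that carries the image path and command line, and that the VS Code CLI starts a tunnel via the `tunnel` subcommand; the events are constructed samples.

```python
# Triage of process-creation events for VS Code Remote Tunnels abuse.
# Added example; the events below are constructed, not telemetry from the campaign.
SAMPLE_EVENTS = [
    # Normal developer use: VS Code opened on a project folder from its install path.
    {"host": "ws-01",
     "image": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "cmdline": r'"C:\Program Files\Microsoft VS Code\Code.exe" C:\dev\app'},
    # Portable copy dropped in a temp folder and started in tunnel mode.
    {"host": "srv-01",
     "image": r"C:\Windows\Temp\svchost_update\code.exe",
     "cmdline": r"code.exe tunnel --name srv-01"},
    # Tunnel started from a normal install path: legitimate or not, it needs review.
    {"host": "ws-07",
     "image": r"C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\Code.exe",
     "cmdline": r"Code.exe tunnel --name dev-box"},
]

# Path fragments (lower-cased) that indicate a temporary or staging location.
TEMP_MARKERS = ("\\temp\\", "\\tmp\\")


def classify(event):
    """Return 'ignore', 'ok', 'review' or 'high' for one process-creation event."""
    image = event["image"].lower()
    cmd = event["cmdline"].lower()
    is_vscode = image.endswith("\\code.exe")
    uses_tunnel = " tunnel" in cmd          # `code tunnel ...` invocation
    in_temp = any(marker in image for marker in TEMP_MARKERS)
    if not is_vscode:
        return "ignore"
    if uses_tunnel and in_temp:
        return "high"      # signed binary, but staged in a temp folder and tunnelling out
    if uses_tunnel:
        return "review"    # tunnel from an install path: confirm the user intended it
    return "ok"


def triage(events):
    """Classify every event, returning (host, verdict) pairs for the SOC queue."""
    return [(e["host"], classify(e)) for e in events]


if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_EVENTS):
        print(f"{host}: {verdict}")
```

A "high" verdict here is worth correlating with outbound connections to the tunnel relay endpoints, since the article notes that this traffic is otherwise trusted and rarely inspected.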

Malware and Attribution Challenges

The malware used in Operation Digital Eye included "bK2o.exe," a modified version of the open-source credential-stealing tool Mimikatz. This tool enabled pass-the-hash attacks by capturing NTLM hashes to execute processes within a user’s security context.

Variants of this tool have been seen in previous Chinese cyber campaigns, such as Operations Soft Cell and Tainted Love. SentinelLabs researchers suggest that a shared vendor or supplier may provide such tools to multiple advanced persistent threat (APT) groups, including APT41 and APT10.

Strategic Implications of the Attack

According to SentinelLabs, Southern Europe is a critical region intersecting with China's Belt and Road Initiative. Infrastructure investments, such as Greece’s Port of Piraeus, make the area a strategic target for cyber operations.

Tom Hegel, Principal Threat Researcher at SentinelLabs, highlighted the motivations behind the attack:
"Cyber operations in Southern Europe likely aim to protect China's investments, monitor energy transit routes, and gain leverage in global trade and security. Economically, the region offers access to key industries like energy, shipping, and aerospace. Politically, it provides opportunities to influence public sentiment and potentially weaken EU and NATO unity."

The campaign underscores China’s broader strategy to secure competitive advantages, deepen its influence in critical regions, and exploit dependencies to gain leverage in the geopolitical landscape.
