New Espionage Group Exploits Microsoft Exchange Zero-Day Vulnerability to Target Chinese High-Tech Industries

A previously unidentified advanced persistent threat (APT) group, dubbed the “NightEagle Group” or APT-Q-95, has been reportedly exploiting a zero-day vulnerability in Microsoft Exchange to steal sensitive intelligence from China’s military and major technology industries. Detailed by researchers from Qianxin Technology’s RedDrip Team at the recent National Cyber Defence and Security Exhibition and Conference (CYDES) in Malaysia, the group has been active for more than a year, focusing on organizations critical to U.S. interests, including those involved in chip manufacturing and artificial intelligence.

According to the findings, the NightEagle Group managed to siphon off crucial email communications from an undisclosed Chinese entity by taking advantage of an undisclosed flaw in Microsoft Exchange. The researchers noted that this exploitation allowed the group to access “all key target emails,” pointing to a targeted campaign designed to gather intelligence on high-profile targets.

The campaign came to light when Qianxin’s network monitoring tools detected unusual Domain Name System (DNS) requests for a non-registered domain that had been disguised as a software update service. Behind this façade, the group deployed malware built on the open-source tunnelling tool “Chisel,” which established a covert channel to its command-and-control infrastructure. This channel was pivotal for the attackers, as it gave them a path to extract sensitive information from the compromised email server.
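The detection signal described above (queries for an unregistered, update-themed domain) is something a defender can look for in their own resolver logs. The following Python script is an added illustration, not Qianxin’s tooling or anything from the report: it assumes lookups of a non-registered name come back as NXDOMAIN, and the log lines, hostnames and the allowlist of legitimate update hosts are all constructed placeholders.

```python
"""Triage DNS query logs for repeated, unresolved 'update'-themed lookups.
Added example: all domains and log lines are constructed placeholders."""
import re
from collections import defaultdict

# Hypothetical allowlist of hosts a fleet legitimately resolves for updates;
# in practice this comes from your own asset inventory.
KNOWN_UPDATE_HOSTS = {
    "update.vendor-one.example",
    "dl.vendor-two.example",
}

# Words an attacker might use to make a beacon domain look like an updater.
UPDATE_KEYWORDS = re.compile(r"(update|upgrade|patch|download|dl)", re.I)

# Constructed resolver log in a simple "timestamp client qname rcode" format.
SAMPLE_LOG = """\
2025-06-01T01:02:03Z 10.0.1.15 update.vendor-one.example NOERROR
2025-06-01T01:02:07Z 10.0.1.15 swupdate-service.example-placeholder.invalid NXDOMAIN
2025-06-01T01:03:09Z 10.0.1.15 swupdate-service.example-placeholder.invalid NXDOMAIN
2025-06-01T01:04:11Z 10.0.1.15 swupdate-service.example-placeholder.invalid NXDOMAIN
2025-06-01T01:05:00Z 10.0.2.40 dl.vendor-two.example NOERROR
2025-06-01T01:06:00Z 10.0.2.40 intranet.corp.example NOERROR
"""


def parse_line(line):
    """Split one log line into its four fields; qname is normalised."""
    ts, client, qname, rcode = line.split()
    return {"ts": ts, "client": client,
            "qname": qname.lower().rstrip("."), "rcode": rcode}


def is_suspicious(rec):
    """Flag update-themed names that are not allowlisted and did not resolve."""
    if rec["qname"] in KNOWN_UPDATE_HOSTS:
        return False
    return rec["rcode"] == "NXDOMAIN" and bool(UPDATE_KEYWORDS.search(rec["qname"]))


def find_suspicious_lookups(log_text, min_hits=2):
    """Return {(client, qname): count} for suspicious names queried repeatedly.

    Repetition is the useful part of the signal: an implant retrying its
    command-and-control name keeps asking; a one-off typo does not."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if is_suspicious(rec):
            counts[(rec["client"], rec["qname"])] += 1
    return {k: v for k, v in counts.items() if v >= min_hits}


if __name__ == "__main__":
    for (client, qname), n in find_suspicious_lookups(SAMPLE_LOG).items():
        print(f"{client} queried unresolved update-like name {qname} {n} times")
```

Run against the constructed log, the script reports only the host 10.0.1.15 retrying the unregistered update-like name; the allowlisted vendor hosts and the internal name are ignored. The NXDOMAIN condition is deliberately strict: once an analyst sinkholes the domain (so it starts resolving), the rule should be relaxed to match on the name alone.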

As the investigation unfolded, the researchers identified that the NightEagle Group operated predominantly during U.S. Pacific time business hours, suggesting that its operatives may be based in North America. While the nature of such operations raises ethical questions regarding state-sponsored cyber activities, Bambenek Consulting’s president John Bambenek confirmed the existence of U.S. agencies concentrating on cyber espionage to support national security interests. The operation underscores the continuous cyber hostilities between nations, highlighting the critical need for improved cybersecurity measures across industries.

The serious implications of these findings call for heightened scrutiny and response strategies to safeguard sensitive information across national and international fronts.