Hackers Turn Dozens of Universities into a Cyber Espionage Proving Ground

Universities are thinking about their students' future, but their present has already been rewritten.

Researchers from Ctrl-Alt-Int3l have published a detailed analysis of a large-scale operation targeting universities in Vietnam. The analysis was based on open directories where the threat actors mistakenly left a whole array of data, including management server configurations, command logs, and even source code of the compromised systems. This mistake allowed for a detailed reconstruction of the attack's progression and revealed the attackers' methods.
According to the gathered information, this is the work of a Chinese group that established a persistent presence in at least 25 universities. Initial access to the networks was gained by exploiting web application vulnerabilities, SQL injections, and a deserialization flaw in Telerik UI (CVE-2019-18935). To maintain access, they used Godzilla and ByPassGodzilla web shells uploaded to IIS servers, and also created service accounts with simple passwords. Cobalt Strike and VShell were installed on compromised hosts, providing a dual command-and-control (C2) channel and allowing them to combine different remote control methods.
The .bash_history logs, which stored the operators' commands, were of particular interest: installation of Chinese language packs, certificate generation, launching Cobalt Strike and Fast Reverse Proxy servers, and downloading Metasploit. Experts were able to set up a copy of the Cobalt Strike server in a controlled environment and gain access to complete victim lists, their IP addresses, and activity logs. In total, 63 workstations with installed beacons were discovered, with the first test beacon registered from a Chinese IP address, further pointing to the operation's origin.
For lateral movement within the networks, the attackers used both standard Windows utilities (net, nltest, schtasks) and specific Chinese tools like fscan. The use of exploits for local privilege escalation was documented, including CVE-2024-30088, CVE-2023-28252, CVE-2020-0796 (SMBGhost), and others. Logs confirmed the use of AppxPotato, GodPotato, and JuicyPotato. Furthermore, the attackers modified system settings to evade antivirus software: they disabled login auditing, changed RDP ports, added exclusions to Windows Defender, stopped processes of the Bkav antivirus, and cleared event logs.
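An added example, not part of the report or of Ctrl-Alt-Int3l's analysis: a small Python triage routine that flags process command lines matching the evasion and persistence steps listed above (login auditing disabled, RDP port changed, Defender exclusions added, Bkav processes stopped, event logs cleared, accounts created). The sample command lines and the exact command forms are constructed assumptions; the report names the techniques, not the commands.

```python
import re

# Constructed sample command lines (assumed forms, not taken from the report).
SAMPLE_COMMANDS = [
    'auditpol /set /subcategory:"Logon" /success:disable /failure:disable',
    'reg add "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp" /v PortNumber /t REG_DWORD /d 33890 /f',
    'powershell -c "Add-MpPreference -ExclusionPath C:\\inetpub\\wwwroot"',
    'taskkill /F /IM BkavService.exe',   # hypothetical Bkav process name
    'wevtutil cl Security',
    'net user svc_backup P@ss1234 /add',
    'notepad.exe C:\\Users\\admin\\notes.txt',  # benign control line
]

# One rule per technique the article lists; patterns are case-insensitive.
RULES = [
    ("audit_policy_disabled", re.compile(r"auditpol.*/(success|failure):disable", re.I)),
    ("rdp_port_changed", re.compile(r"Terminal Server\\WinStations\\RDP-Tcp.*PortNumber", re.I)),
    ("defender_exclusion_added", re.compile(r"Add-MpPreference\s+-Exclusion", re.I)),
    ("av_process_killed", re.compile(r"taskkill.*/IM\s+Bkav", re.I)),
    ("event_log_cleared", re.compile(r"wevtutil\s+cl\s+\w+", re.I)),
    ("local_account_created", re.compile(r"net\s+user\s+\S+\s+\S+\s+/add", re.I)),
]


def classify(cmdline):
    """Return the technique labels whose pattern matches this command line."""
    return [label for label, pat in RULES if pat.search(cmdline)]


def scan(commands):
    """Map each suspicious command line to its labels; clean lines are dropped."""
    hits = {}
    for cmd in commands:
        labels = classify(cmd)
        if labels:
            hits[cmd] = labels
    return hits


def score(commands, threshold=3):
    """Count distinct techniques seen. Several on one host in the same window is
    the layered evasion the article describes; a single one may be admin work."""
    seen = set()
    for labels in scan(commands).values():
        seen.update(labels)
    return len(seen), len(seen) >= threshold


if __name__ == "__main__":
    for cmd, labels in scan(SAMPLE_COMMANDS).items():
        print(labels, "<-", cmd)
    print("distinct techniques, flagged:", score(SAMPLE_COMMANDS))
```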
Significant attention was paid to traffic tunneling. They used FRP (Fast Reverse Proxy) and third-party clients to forward RDP through external servers on non-standard ports. Custom PowerShell scripts performing TCP session redirection were also discovered. C2 was maintained through domains disguised as legitimate ones, such as micrcs.microsoft-defend[.]club and microsoft-symantec[.]art, operating behind Cloudflare protection.
Notably, VShell was used to deploy the SNOWLIGHT loader in both Windows and Linux environments. This module, previously described by Google and EclecticIQ, facilitates the installation of additional payload stages and uses XOR encryption for its traffic. Its use, combined with web shells and plugins (mimikatz, fscan, gost, and others), allowed the threat actors to embed themselves deeply in the universities' infrastructure.
Attribution is based on a combination of factors: the use of Chinese Red Team tools like Tas9er, a characteristic style of comments and configurations, the use of Chinese forums for software distribution, and infrastructure traces leading to Chinese providers. The methods and choice of victims align with the activities of the known group Earth Lamia, previously described by Trend Micro. The campaign's goal was not quick financial gain but long-term presence and gathering intelligence on Vietnam's scientific and engineering research.
The overall picture shows that the operators built a resilient, layered foothold: multiple C2 channels, web shells, scheduled tasks, tunnels, and newly created user accounts. This redundancy let them keep control even when some traces of the attack were removed, and made the defenders' job harder.