Researchers have uncovered a large-scale hacking campaign that uses sophisticated tools and techniques to penetrate corporate networks around the world.
The hackers belong to a well-known group believed to be funded by the Chinese government, and they are equipped with both off-the-shelf and custom tools.
One such tool exploits Zerologon, the name given to a Windows Server vulnerability that was patched in August and that can give attackers administrator privileges on vulnerable systems.
Symantec uses the codename Cicada for the group, which is widely believed to be funded by the Chinese government.
The group is also tracked as APT10, Stone Panda and Cloud Hopper by other research organizations.
The group has been active in hacking and espionage since at least 2009, and it almost exclusively targets companies linked to Japan.
The companies targeted in the recent campaign are located in the United States and other countries, but all of them have ties to Japan or to Japanese companies.
The researchers said: "Organizations associated with Japan must be on alert, as it is clear that they are a major target of this sophisticated group, and the auto industry appears to be a major target in this attack campaign."
They added: "With a wide range of industries targeted by these attacks, Japanese organizations in all sectors must realize that they are at risk of this type of activity."
The attacks make heavy use of DLL sideloading, a technique in which attackers replace a legitimate Windows DLL file with a malicious one.
Attackers use this technique to inject malware into legitimate processes so that security software does not detect the breach.
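A simple defensive check for the sideloading pattern described above: a DLL whose name belongs to a Windows system library but which is loaded from the loading executable's own directory rather than the system directory. This is an added example, not code from Symantec's report; the module-load records and the short list of system DLL names are constructed for illustration.

```python
"""Flag module-load records that look like DLL sideloading.

Added example (not from the Symantec report). Sample records below are
constructed; KNOWN_SYSTEM_DLLS is an illustrative subset, not a complete list.
"""
from pathlib import PureWindowsPath

# DLL names that legitimate software expects to find in the Windows system
# directory. Because the application directory is searched first, a malicious
# copy placed next to a signed executable is loaded instead of the real one.
KNOWN_SYSTEM_DLLS = {
    "version.dll", "dwmapi.dll", "cryptbase.dll", "wtsapi32.dll", "userenv.dll",
}

SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def is_sideload_candidate(process_path: str, dll_path: str) -> bool:
    """True when a system-named DLL is loaded from the loader's own directory."""
    proc = PureWindowsPath(process_path)
    dll = PureWindowsPath(dll_path)
    if dll.name.lower() not in KNOWN_SYSTEM_DLLS:
        return False
    dll_dir = str(dll.parent).lower()
    if dll_dir in SYSTEM_DIRS:
        return False  # loaded from where it belongs
    # Sideloading signature: DLL sits beside the executable that loaded it.
    return dll_dir == str(proc.parent).lower()


# Constructed sample module-load records: (process image, loaded DLL).
SAMPLE_LOADS = [
    (r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\version.dll"),
    (r"C:\Program Files\Vendor\update.exe", r"C:\Program Files\Vendor\version.dll"),
    (r"C:\Users\alice\AppData\Local\Temp\setup.exe",
     r"C:\Users\alice\AppData\Local\Temp\dwmapi.dll"),
    (r"C:\Program Files\Vendor\update.exe", r"C:\Program Files\Vendor\vendorlib.dll"),
]


def find_sideload_candidates(loads=SAMPLE_LOADS):
    """Return the DLL paths that match the sideloading pattern."""
    return [dll for proc, dll in loads if is_sideload_candidate(proc, dll)]


if __name__ == "__main__":
    for hit in find_sideload_candidates():
        print("possible DLL sideloading:", hit)
```

In practice the records would come from EDR module-load telemetry or Sysmon Event ID 7 (image loaded); a hit should then be confirmed by checking the DLL's Authenticode signature and hash against the vendor's known-good copy.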
The campaign also uses a tool capable of exploiting the Netlogon protocol, which Windows servers use to let users log in to networks.
Unauthenticated users can abuse the Netlogon protocol to gain access to Active Directory domain controllers, which control access to all devices on the network.
Microsoft patched this serious privilege-escalation vulnerability in August, but it is still being used to compromise organizations that have not yet installed the update.
The FBI and the Department of Homeland Security have urged companies and organizations to patch the affected systems.
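Installing the August update is only the first step: on a patched domain controller, Microsoft's update writes a set of Netlogon events (IDs 5827 to 5831) to the System log that show whether vulnerable Netlogon secure-channel connections are still being allowed and which accounts are making them. The following added example, not part of the article, summarizes such events; the event records are constructed, while the event IDs and their meanings are the ones Microsoft documented for the update.

```python
"""Summarize the Netlogon secure-channel events logged by domain controllers
after the August 2020 Zerologon patch.

Added example, not from the article. SAMPLE_EVENTS is constructed; the event
IDs and meanings are those documented by Microsoft for the update.
"""
from collections import defaultdict

NETLOGON_EVENTS = {
    5827: "denied vulnerable connection (machine account)",
    5828: "denied vulnerable connection (trust account)",
    5829: "ALLOWED vulnerable connection (enforcement mode not yet on)",
    5830: "allowed by group policy exception (machine account)",
    5831: "allowed by group policy exception (trust account)",
}

# Event IDs that mean a vulnerable Netlogon channel was accepted.
ALLOWED_VULNERABLE = {5829, 5830, 5831}

# Constructed sample records as they might be exported from the System log.
SAMPLE_EVENTS = [
    {"EventID": 5829, "SamAccountName": "OLD-PRINTER$", "ClientIP": "10.1.2.50"},
    {"EventID": 4624, "SamAccountName": "alice", "ClientIP": "10.1.2.7"},
    {"EventID": 5829, "SamAccountName": "NAS01$", "ClientIP": "10.1.3.9"},
    {"EventID": 5829, "SamAccountName": "OLD-PRINTER$", "ClientIP": "10.1.2.50"},
    {"EventID": 5830, "SamAccountName": "LEGACY-APP$", "ClientIP": "10.1.4.21"},
]


def summarize_netlogon_events(events):
    """Return {event_id: {account: count}} for Netlogon events only."""
    summary = defaultdict(lambda: defaultdict(int))
    for ev in events:
        eid = ev.get("EventID")
        if eid in NETLOGON_EVENTS:
            summary[eid][ev.get("SamAccountName", "?")] += 1
    return {eid: dict(accounts) for eid, accounts in summary.items()}


def still_vulnerable_accounts(events):
    """Accounts whose vulnerable Netlogon connections are still being accepted."""
    return sorted({ev["SamAccountName"] for ev in events
                   if ev.get("EventID") in ALLOWED_VULNERABLE})


def enforcement_mode_on(events):
    """Heuristic: any 5829 means the DC still allows vulnerable channels, i.e.
    enforcement mode is off (in enforcement mode they are denied as 5827/5828)."""
    return not any(ev.get("EventID") == 5829 for ev in events)


if __name__ == "__main__":
    for eid, accounts in summarize_netlogon_events(SAMPLE_EVENTS).items():
        print(eid, NETLOGON_EVENTS[eid], accounts)
    print("enforcement mode on:", enforcement_mode_on(SAMPLE_EVENTS))
    print("accounts to fix or isolate:", still_vulnerable_accounts(SAMPLE_EVENTS))
```

Accounts that show up under 5829 are the devices (often printers, NAS appliances or legacy applications) that will break once enforcement mode is switched on, so they need to be updated or isolated first; once the list is empty, enforcement can be enabled on every domain controller so that vulnerable connections are refused rather than merely logged.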
Among the devices that were compromised during the attacks discovered by Symantec were Active Directory domain controllers and file servers.
The targets span a variety of industries, including the automotive sector: car manufacturers and parts suppliers were targeted as well, indicating that this sector is of great importance to the attackers.
Other industries targeted include clothing, electronics, engineering, general trading companies, industrial products, and pharmaceuticals.
Symantec attributed the attacks to the Cicada group based on digital fingerprints found in the malware and in the attack code used against global companies.