Cicada Hacking Group Attacks Sectors Using ZeroLogon


A group of hackers known by several names has been found conducting a worldwide campaign against various industries using the ZeroLogon vulnerability, ZDNet reported. It has been targeting companies in the pharmaceutical, engineering, automotive, and MSP sectors.

The group, known as Cicada, APT10, Stone Panda, and Cloud Hopper, was discovered by Symantec researchers to be attacking various companies and subsidiaries in various regions and industries.


The Symantec team found that the attacks have been on-going since October 2019 and were sustained until October 2020, at the very least.

Cicada Hacking Group Attacks Using ZeroLogon

The researchers noted that the group may have significant resources with different tools and techniques. It is known to use DLL side-loading, network reconnaissance, credential stealing and exfiltration of stolen info, and many more.


The hackers were discovered back in 2009 and are thought to be sponsored by the Chinese government. According to the Bank of Security, it is linked to China’s Ministry of State Security. It has attacked various organizations in Japan and conducting cyberespionage.

One significant tool used by the group recently is one that can exploit the ZeroLogon vulnerability in domains. This security flaw, also known as CVE-2020-1472 was given a score of 10. Microsoft promptly announced this bug and issued a fix in August.

The flaw gives attackers a way to spoof domain controller accounts to takeover domains. It is also known to compromise Active Directory identity services.

The group also deployed a malware called Backdoor.Hartip. This customized malware has not been observed in the past in connection to the APT.

The Symantec report said, “The amount of time the attackers spent on the networks of victims varied, with the attackers spending a significant amount of time on the networks of some victims while spending just days on other victim networks.”

It added, “in some cases, too, the attackers spent some time on a network but then the activity would cease, but start again some months later.”

Regarding the veracity of attributing the attack to Cicada, the report assessed the incident with “medium” confidence based on certain clues. This includes the use of DLL side-loading and DLL names such as “FunckYouAnti,” which are associated with the group.

The campaign also uses tools such as QuasarRAT and Backdoor.Hartip, which were both used by the Cicada in the past.

Symantec noted, “Cicada clearly still has access to a lot of resources and skills to allow it to carry out a sophisticated and wide-ranging campaign like this, so the group remains highly dangerous.”