The attackers' primary goal appears to be obtaining domain administrator credentials and gaining access to a system where intellectual property is stored, according to Symantec. The attackers' behavior has varied slightly with each compromise, but once the intellectual property is found, they copy the contents to a handful of internal systems that have been designated as a staging area. The data is then uploaded to a remote server, which was traced to a virtual private server (VPS) in the United States and owned by a “20-something male located in the Hebei region in China,†according to Symantec.
