Hackers linked to China have been running a sustained campaign against multiple telecommunications operators in a single Asian country since at least 2021.
“The cyber intruders managed to place hidden access points within the networks of the specific companies while also making efforts to seize login credentials,” cited the Symantec Threat Hunter Team, a division of Broadcom, in a report disclosed to The Hacker News.
The company did not name the country, but said there were indications the malicious activity may have begun as early as 2020.
The attacks also targeted an unnamed services company that serves the telecommunications sector, and a university in another Asian country.
The tooling used in the attacks overlaps with that seen in earlier operations by Chinese hacking groups such as Mustang Panda (also tracked as Earth Preta and Fireant), RedFoxtrot (also known as Needleminer and Nomad Panda), and Naikon (also dubbed Firefly).
This includes custom backdoors tracked as COOLCLIENT, QUICKHEAL, and RainyDay, which can harvest sensitive data and establish a communication channel with a command-and-control (C2) server.
While the exact initial access vector used to breach the targets is not known, the campaign is also notable for its use of port scanning tools and for credential theft via the dumping of Windows Registry hives.
The overlap in tooling between three distinct adversary groups leaves several possibilities: the attacks may be unrelated, a single threat actor may be using tools obtained from other groups, or multiple actors may be collaborating in one campaign.
The ultimate motive behind the intrusions remains unclear at this stage, although Chinese threat actors have a history of targeting the telecommunications sector worldwide.
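As an added illustration (not part of the Symantec report or this article), the check below flags the registry hive dumping the report mentions, run over constructed Sysmon-style process-creation events; the host names, paths and command lines are made up for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample process-creation events (host + command line only).
SAMPLE_EVENTS = [
    {"host": "dc01", "cmdline": r"reg save HKLM\SAM C:\Windows\Temp\sam.hiv"},
    {"host": "dc01", "cmdline": r"reg.exe save hklm\system C:\Windows\Temp\sys.hiv"},
    {"host": "ws07", "cmdline": r"reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"},
    {"host": "ws07", "cmdline": r"cmd /c reg export HKLM\SECURITY C:\Users\Public\sec.reg"},
    {"host": "ws09", "cmdline": r"notepad C:\notes.txt"},
]

# Hives that hold credential material: SAM (local account hashes), SECURITY
# (LSA secrets, cached domain logons) and SYSTEM (the boot key that protects both).
HIVE_DUMP_RE = re.compile(
    r"\breg(?:\.exe)?\s+(save|export)\s+"
    r"(?:hklm|hkey_local_machine)\\(sam|security|system)\b",
    re.IGNORECASE,
)


@dataclass
class Finding:
    host: str
    hive: str
    verb: str
    cmdline: str


def detect_hive_dumps(events):
    """Return one Finding per reg.exe save/export of a credential-bearing hive."""
    findings = []
    for ev in events:
        m = HIVE_DUMP_RE.search(ev["cmdline"])
        if m:
            findings.append(Finding(ev["host"], m.group(2).lower(),
                                    m.group(1).lower(), ev["cmdline"]))
    return findings


def hosts_with_sam_and_system(findings):
    """Hosts where both SAM and SYSTEM were dumped; SYSTEM alone is common in
    backups, the pair together is the strong indicator of credential theft."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f.host, set()).add(f.hive)
    return sorted(h for h, hives in by_host.items() if {"sam", "system"} <= hives)
```

A production rule would also watch the equivalent PowerShell and Volume Shadow Copy paths, which this example deliberately does not cover.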
In November 2023, Kaspersky disclosed a ShadowPad malware campaign targeting a national telecom company in Pakistan that exploited known flaws in Microsoft Exchange Server (CVE-2021-26855, also known as ProxyLogon).
“It is possible the wrongdoers were amassing intelligence on the telecommunications sector in that nation,” Symantec said. “Eavesdropping stands as another potentiality. Alternatively, the attackers might have been attempting to construct a disruptive capability against important infrastructures within that territory.”