Chinese Cyber Espionage Targets Telecommunications Operators in Asia Since 2021

Jun 20, 2024NewsroomCyber Espionage / Critical Infrastructure

Cyber espionage groups linked to China have been infiltrating multiple telecommunications operators in a single Asian country since 2021.


A report shared with The Hacker News by the Symantec Threat Hunter Team, part of Broadcom, found that the attackers planted backdoors in the networks of the targeted companies and attempted to steal credentials.

Although the cybersecurity company did not name the affected country, it noted that evidence suggests the malicious activity may have begun as early as 2020.


The attacks also targeted an unnamed service provider serving the telecommunications sector, as well as a university in a different Asian country.

The toolset used in this campaign overlaps with that of other operations carried out in recent years by Chinese espionage groups such as Mustang Panda (also known as Earth Preta and Fireant), RedFoxtrot (also known as Neeedleminer and Nomad Panda), and Naikon (also known as Firefly).

These include custom malware tools tracked as COOLCLIENT, QUICKHEAL, and RainyDay, which can capture sensitive data and establish communication channels with a command-and-control (C2) server.

Although the initial access vector remains unknown, the campaign is notable for its use of port scanning tools and for credential theft carried out by dumping Windows Registry hives.

The use of tools associated with three different adversary groups has led to several hypotheses: the attacks are being conducted independently, a single threat actor is using tools obtained from other groups, or multiple actors are cooperating within one operation.

The primary motivation behind these intrusions is unclear, although Chinese threat actors have a record of targeting the telecommunications industry worldwide.


In November 2023, Kaspersky disclosed a ShadowPad malware campaign directed at a prominent national telecommunications corporation in Pakistan by exploiting identified vulnerabilities within Microsoft Exchange Server (CVE-2021-26855, also known as ProxyLogon).

“The perpetrators might have been gathering intelligence on the telecommunications sector in that nation,” speculated Symantec. “Eavesdropping presents another potential scenario. Alternatively, the attackers could have been developing a disruptive capability against critical infrastructure in that nation.”
