Novel Spy Group Targets Telecoms in ‘Precision-Targeted’ Cyberattacks


A previously unknown threat actor is targeting telecommunications companies in the Middle East in what appears to be a cyber-espionage campaign similar to many that have hit telecom organizations in multiple countries in recent years.

Researchers from SentinelOne who spotted the new campaign said they're tracking it as WIP26, a designation the company uses for activity it has not been able to attribute to any specific cyberattack group.

In a report this week, they noted that they had observed WIP26 using public cloud infrastructure to deliver malware and store exfiltrated data, as well as for command-and-control (C2) purposes. The security vendor assessed that the threat actor is using the tactic, like many others do these days, to evade detection and make its activity harder to spot on compromised networks.

"The WIP26 activity is a relevant example of threat actors continuously innovating their TTPs [tactics, techniques and procedures] in an attempt to stay stealthy and circumvent defenses," the company said.

Targeted Mideast Telecom Attacks

The attacks that SentinelOne observed usually began with WhatsApp messages directed at specific individuals within target telecom companies in the Middle East. The messages contained a link to an archive file in Dropbox that purported to contain documents on poverty-related topics pertinent to the region. But in reality, it also included a malware loader.

Users tricked into clicking on the link ended up having two backdoors installed on their devices. SentinelOne found one of them, tracked as CMD365, using a Microsoft 365 Mail client as its C2, and the second backdoor, dubbed CMDEmber, using a Google Firebase instance for the same purpose.
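The point of abusing Microsoft 365 Mail and Firebase for C2, as described above, is that the traffic lands on domains most organizations already allow. A defender's counter is to watch which processes reach those services, not merely whether they are reached. The following is an added example, not code from SentinelOne's report: it runs a simple detection over constructed endpoint telemetry and flags any process outside an assumed baseline of browsers and mail clients that connects to assumed Firebase or Microsoft 365 mail endpoints. The domain suffixes, the process allowlist, and the sample events are all assumptions for the demo, not indicators from the report.

```python
from collections import Counter

# Assumed service endpoints (not taken from the report): suffix match for Firebase
# Realtime Database hosts, exact match for Microsoft 365 mail / Graph hosts.
SERVICE_HOSTS = {
    "firebase": (".firebaseio.com", ".firebasedatabase.app"),
    "m365_mail": ("outlook.office365.com", "graph.microsoft.com"),
}
# Processes that legitimately talk to these services; an assumed baseline for the demo.
EXPECTED_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe", "outlook.exe", "teams.exe"}


def classify_destination(domain: str):
    """Return the cloud service a destination host belongs to, or None."""
    d = domain.lower().rstrip(".")
    for service, patterns in SERVICE_HOSTS.items():
        for p in patterns:
            if (p.startswith(".") and d.endswith(p)) or d == p:
                return service
    return None


def find_suspicious(events):
    """Flag processes outside the baseline that reach mail/Firebase endpoints.

    events: iterable of dicts with 'host', 'process' and 'dst' keys.
    Returns a sorted list of (host, process, service, connection_count).
    """
    counts = Counter()
    for e in events:
        service = classify_destination(e["dst"])
        if service is None or e["process"].lower() in EXPECTED_PROCESSES:
            continue
        counts[(e["host"], e["process"].lower(), service)] += 1
    return sorted((h, p, s, n) for (h, p, s), n in counts.items())


# Constructed sample telemetry; hostnames, process names and project ids are made up.
SAMPLE_EVENTS = [
    {"host": "WS01", "process": "chrome.exe", "dst": "webapp-demo.firebaseio.com"},
    {"host": "WS01", "process": "outlook.exe", "dst": "outlook.office365.com"},
    {"host": "WS02", "process": "updater-svc.exe", "dst": "proj-00000.firebaseio.com"},
    {"host": "WS02", "process": "updater-svc.exe", "dst": "proj-00000.firebaseio.com"},
    {"host": "WS03", "process": "docviewer.exe", "dst": "graph.microsoft.com"},
    {"host": "WS03", "process": "python.exe", "dst": "example.com"},
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print("cloud-service C2 candidate:", hit)
```

The browser and Outlook connections pass, while the two unknown binaries reaching Firebase and Graph are reported with their connection counts, which is the signal a hunt for this tradecraft would triage.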

The security vendor described WIP26 as using the backdoors to conduct reconnaissance, elevate privileges, deploy additional malware, and steal the user's private browser data, information on high-value systems on the victim's network, and other data. SentinelOne assessed that much of the data that both backdoors have been collecting from victim systems and networks suggests the attacker is prepping for a future attack.

"The initial intrusion vector we observed involved precision targeting," SentinelOne said. "Further, the targeting of telecommunication providers in the Middle East suggests the motive behind this activity is espionage-related."

Telecom Companies Continue to Be Favorite Espionage Targets

WIP26 is one of many threat actors that have targeted telecom companies over the past few years. Some of the more recent examples, like a series of attacks on Australian telecom companies such as Optus, Telstra, and Dialog, were financially motivated. Security experts have pointed to those attacks as a sign of increased interest in telecom companies among cybercriminals looking to steal customer data, or to hijack mobile devices via so-called SIM swapping schemes.

More often though, cyberespionage and surveillance have been primary motivations for attacks on telecommunications providers. Security vendors have reported several campaigns where advanced persistent threat groups from countries like China, Turkey, and Iran have broken into a communication provider's network so they could spy on individuals and groups of interest to their respective governments.

One example is Operation Soft Cell, where a China-based group broke into the networks of major telecommunications companies around the world to steal call data records so they could track specific individuals. In another campaign, a threat actor tracked as LightBasin stole International Mobile Subscriber Identity (IMSI) and metadata from the networks of 13 major carriers. As part of the campaign, the threat actor installed malware on the carrier networks that allowed it to intercept calls, text messages, and call records of targeted individuals.
