An ongoing cyber espionage campaign to infiltrate major telecommunications carriers in Southeast Asia is likely tied to the Chinese government, Cybereason researchers said in a new report.
The attackers have launched “multiple clusters” of infiltration and evaded detection since at least 2017, the report, entitled DeadRinger: Exposing Chinese Threat Actors Targeting Major Telcos, said. The operation appears to be the handiwork of a number of advanced persistent threat (APT) crews either associated with the Chinese government or backed by the state.
By current assessment, the hackers’ goal extends well beyond gaining and maintaining continuous access to the targeted telecoms. It has the makings of a well-cloaked cyber espionage operation: the groups are focused on stealing high-value, sensitive information, compromising the billing servers that hold call detail record (CDR) data, and manipulating domain controllers, web servers and Microsoft Exchange servers, the report said.
As in the widely covered SolarWinds Orion and Kaseya VSA attacks, the hackers initially penetrated supply chain companies such as managed service providers. But unlike those campaigns, the third-party providers in this case aren’t being used to deliver malware; instead they serve as a conduit for spying on customers’ confidential communications.
Cybereason identified three different “clusters” of cyber attacks:
- Cluster A: Operated by Soft Cell, a group active since 2012 that has previously attacked telcos in multiple regions, including Southeast Asia. Cybereason has a “high level of confidence” that Soft Cell is operating in the interest of China.
- Cluster B: Operated by the Naikon APT threat actor, a highly active cyber espionage group in operation since 2010, which mainly targets ASEAN (Association of Southeast Asian Nations) members. It is said to be backed by the Chinese People’s Liberation Army’s Chengdu Military Region Second Technical Reconnaissance Bureau.
- Cluster C: A mini-cluster characterized by a unique Outlook Web Access backdoor that was deployed across multiple Microsoft Exchange and IIS (Internet Information Services) servers. Code similarities with a previously documented backdoor attributed to the Chinese threat actor Group-3390 (APT27/Emissary Panda) have been identified.
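The Cluster C backdoor described above lived as extra or altered content on Exchange and IIS web servers. A basic defensive check for that class of implant is a file-integrity audit of the web root against a known-clean baseline. The following is an added example, not code from the Cybereason report or from any of the products it names; the directory layout, file names and contents are constructed for the demo, and the baseline is assumed to have been captured right after patching and stored off the server.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# File types an IIS/Exchange web server will execute or load; an unexpected
# file of one of these types under a web root is the classic footprint of
# a web backdoor and is flagged more loudly than, say, a stray image.
EXECUTABLE_SUFFIXES = {".aspx", ".ashx", ".asmx", ".asax", ".dll", ".config"}


def sha256_of(path):
    """Hash a file in chunks so large binaries don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(web_root):
    """Map relative path -> sha256 for every file under a known-clean web root."""
    root = Path(web_root)
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_of(p)
        for p in root.rglob("*") if p.is_file()
    }


def audit(web_root, baseline):
    """Compare the live tree against the baseline.

    Returns a sorted list of (relative_path, reason) tuples covering files
    that were added, changed, or removed since the baseline was taken.
    """
    root = Path(web_root)
    findings = []
    seen = set()
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        rel = str(p.relative_to(root)).replace(os.sep, "/")
        seen.add(rel)
        if rel not in baseline:
            if p.suffix.lower() in EXECUTABLE_SUFFIXES:
                findings.append((rel, "unexpected executable file"))
            else:
                findings.append((rel, "unexpected file"))
        elif sha256_of(p) != baseline[rel]:
            findings.append((rel, "content changed"))
    for rel in baseline:
        if rel not in seen:
            findings.append((rel, "missing"))
    return sorted(findings)


def demo():
    """Constructed scenario: baseline a clean tree, then drop one extra .aspx
    and modify one legitimate page, and see what the audit reports."""
    with tempfile.TemporaryDirectory() as tmp:
        owa = Path(tmp) / "owa" / "auth"          # constructed layout
        owa.mkdir(parents=True)
        (owa / "logon.aspx").write_text("<!-- constructed stand-in for a real page -->")
        (owa / "logo.png").write_bytes(b"\x89PNG constructed placeholder")
        baseline = build_baseline(tmp)

        # Simulate what an intrusion leaves behind: a new file that the server
        # would execute, plus a tampered existing page (harmless placeholders).
        (owa / "extra_page.aspx").write_text("<!-- constructed: not in baseline -->")
        (owa / "logon.aspx").write_text("<!-- constructed stand-in, now modified -->")
        return audit(tmp, baseline)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{reason:28s} {rel}")
```

In practice the baseline is rebuilt after every legitimate patch or deployment and kept somewhere the web server cannot write to; a "content changed" or "unexpected executable file" hit on an Exchange or IIS host that had no scheduled change is worth a ticket, and the file's hash and modification time feed straight into triage.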
Cybereason researchers identified similarities in tactics, techniques and procedures (TTPs) across the three cyber operations, giving them enough evidence to conclude that the groups were probably tasked with “parallel objectives” as directed by a “centralized coordinating body” aligned with Chinese state interests.
Here are the study’s key findings:
- The hackers obscure their activity, evade detection and maintain persistence on the infected systems, constantly changing their response to mitigation attempts.
- The threat actors compromise third-party service providers to execute a supply chain attack and use them to conduct surveillance of their customers' confidential communications.
- The hackers exploited vulnerabilities in Microsoft Exchange Servers to gain access to the targeted networks and critical network assets.
- The telecoms were compromised in order to facilitate espionage against select targets, including corporations, political figures, government officials, law enforcement agencies, political activists and dissidents of the Chinese government.
- APT groups Soft Cell, Naikon and Group-3390 involved in the attacks are all known to operate in the interest of the Chinese government. Overlaps in attacker TTPs across the three clusters are evidence of a likely connection between the threat actors.
- While the attacks compromised telcos primarily in ASEAN countries, they could be replicated against telcos in other regions. Had the attackers decided to change their objectives from espionage to interference, they could have disrupted communications for any of the affected telecoms’ customers.
“The attacks are very concerning because they undermine the security of critical infrastructure providers and expose the confidential and proprietary information of both public and private organizations that depend on secure communications for conducting business,” said Lior Div, Cybereason chief executive and co-founder. “These state-sponsored espionage operations not only negatively impact the telcos’ customers and business partners, they also have the potential to threaten the national security of countries in the region and those who have a vested interest in the region’s stability,” he said.
The report follows the Biden administration's public rebuke of China’s Ministry of State Security for the recent Hafnium attacks that exploited vulnerabilities in unpatched Microsoft Exchange Servers.