Cybersecurity solutions provider Cybereason has revealed that Chinese threat actors were responsible for several previously unidentified cyberattack campaigns infiltrating major telecommunications providers (telcos) across Southeast Asia.
It has identified three distinct clusters of attacks that have evaded detection since at least 2017. The clusters were found to have varying degrees of connection to Advanced Persistent Threat (APT) groups Soft Cell, Naikon and Group-3390 — all known to operate in the interest of the Chinese government.
Cybereason observed overlaps in attacker tactics, techniques, and procedures across the clusters, which indicates a likely connection between the threat actors. This supports the assessment that each group was tasked with parallel objectives in monitoring the communications of specific high-value targets under the direction of a centralised coordinating body aligned with Chinese state interests.
Although the prevailing assessment is that the operations were intended only for espionage, the fact remains that had the attackers decided to change their objectives from espionage to interference, they would have had the ability to disrupt communications for any of the affected telcos’ customers.
“The attacks are very concerning because they undermine the security of critical infrastructure providers and expose the confidential and proprietary information of both public and private organisations that depend on secure communications for conducting business,” says Cybereason CEO and co-founder Lior Div.
“These state-sponsored espionage operations not only negatively impact the telcos’ customers and business partners, they also have the potential to threaten the national security of countries in the region and those who have a vested interest in the region’s stability,” he adds.
Other key findings from Cybereason’s DeadRinger: Exposing Chinese Threat Actors Targeting Major Telcos report include:
- High-value espionage targets: Telcos were compromised in order to facilitate espionage against select targets. These targets are likely to include corporations, political figures, government officials, law enforcement agencies, political activists and dissident factions of interest to the Chinese government.
- Attackers were adaptive, persistent and evasive: The highly adaptive attackers worked diligently to obscure their activity and maintain persistence on the infected systems. They dynamically responded to mitigation attempts, having evaded security efforts since at least 2017, an indication that the targets are of great value to the attackers.
- Threat actors compromised third parties to reach specific targets: Similar to the recent SolarWinds and Kaseya attacks, the threat actors first compromised third-party service providers. However, instead of using them to deliver malware through a supply chain attack, the intent was to leverage them to conduct surveillance of their customers' confidential communications.
- Microsoft Exchange vulnerabilities exploited: Similar to the HAFNIUM attacks, the threat actors exploited recently disclosed vulnerabilities in Microsoft Exchange Servers to gain access to the targeted networks. They then proceeded to compromise critical network assets such as Domain Controllers (DC) and billing systems, which contain highly sensitive information like Call Detail Record (CDR) data. This enabled them to access the sensitive communications of anyone using the affected telcos’ services.
Cybereason’s recent report comes on the heels of the Biden administration's public rebuke of China’s Ministry of State Security for the recent HAFNIUM attacks that exploited vulnerabilities in unpatched Microsoft Exchange Servers and put thousands of organisations worldwide at risk.
The exploitation of these same vulnerabilities was central to the success of the attacks detailed in the research.