A cyber espionage campaign by Chinese threat actors has targeted multiple telecom operators in an Asian country since at least 2021, with indications that the activity may have begun in 2020.

Description

The attackers deployed custom backdoors, including Coolclient, Quickheal [2] [5] [6], and Rainyday, on the networks of the targeted companies to steal credentials [2] [3] [4] [5]. Alongside the backdoors [2] [5], they used keylogging malware, port scanning tools [1] [2] [5], credential theft [1] [2] [3] [4] [5], and enabled RDP to compromise their targets. The exact initial access pathway remains unknown [1]. The custom backdoors were capable of capturing sensitive data and communicating with a command-and-control server [4].

The attacks also affected a services company in the telecom sector and a university in another Asian country [4]. The tools used in the campaign overlap with those associated with the Chinese espionage groups Fireant [4], Needleminer [3] [6], and Firefly [3] [6], which are believed to operate from China [3]. Firefly may be linked to PLA Unit 78020, in the Southern Theater Command's area of responsibility [3].

In a separate incident, a ShadowPad malware campaign targeted a national telecom company in Pakistan by exploiting known security flaws in Microsoft Exchange Server [4]. The attackers may have been gathering intelligence on the telecom sector in Pakistan or attempting to build a disruptive capability against critical infrastructure [4].

The motive behind the intrusions is unclear [1] [4] [5], but may involve intelligence gathering or the development of disruptive capabilities against critical infrastructure [1]. The campaign's similarities to other Chinese espionage groups highlight the need for stronger cybersecurity measures among telecom operators [1].

Conclusion

The cyber espionage campaign targeting telecom operators in Asia has significant implications for cybersecurity and national security. It underscores the importance of implementing robust security measures to protect sensitive data and critical infrastructure. Telecom operators must remain vigilant and proactive in defending against sophisticated cyber threats. Collaboration between government agencies, private sector entities, and international partners is essential to effectively combat cyber espionage activities. The evolving threat landscape requires continuous monitoring, threat intelligence sharing, and investment in cybersecurity capabilities to safeguard against future attacks.

References

[1] https://www.vpnranks.com/news/cyber-espionage-hits-asian-telecom-operators/
[2] https://sechub.in/view/2897447
[3] https://symantec-enterprise-blogs.security.com/threat-intelligence/telecoms-espionage-asia
[4] https://thehackernews.com/2024/06/chinese-cyber-espionage-targets-telecom.html
[5] https://securityaffairs.com/164735/apt/china-cyberspies-target-asian-telcos.html
[6] https://cybersecuritynews.com/attacking-telcos-using-espionage/