Chinese Cyber Espionage Targets Asian Telecoms Since 2021


An ongoing campaign carried out by cyber espionage groups affiliated with China has targeted telecom operators in a particular Asian country since at least 2021.

The Symantec Threat Hunter Team, a division of Broadcom, described the attackers' modus operandi in a report that THN has seen: “The attackers placed backdoors on the networks of targeted companies and also attempted to steal credentials.”

Although the cybersecurity firm did not name the targeted country, it noted that there are some clues suggesting the malicious activity could have started in 2020.

The attacks also extended to an unnamed services company catering to the telecom sector and a university in another Asian country, according to the report.

The tools used in this campaign overlap with those employed by other Chinese espionage groups such as Mustang Panda (aka Earth Preta and Fireant), RedFoxtrot (aka Needleminer and Nomad Panda), and Naikon (aka Firefly) in recent years.

These tools include custom backdoors known as COOLCLIENT, QUICKHEAL, and RainyDay, which have capabilities to capture sensitive data and establish communication with a command-and-control (C2) server.

Although the exact method used to initially breach the targets remains unknown, the campaign is notable for deploying port scanning tools and stealing credentials by dumping Windows Registry hives.

The connection of these tools to three different adversarial collectives raises several possibilities: the attacks may be conducted independently, a single threat actor could be using tools acquired from other groups, or multiple actors might be collaborating on a single campaign.

The primary motive behind these intrusions is still unclear, although Chinese threat actors have a history of targeting the telecom sector globally.

In November 2023, Kaspersky learned about an attack using ShadowPad malware against a national telecom company in Pakistan. The attackers exploited a known but unpatched vulnerability in Microsoft Exchange Server (CVE-2021-26855, also called ProxyLogon).

Symantec speculated that the attackers might have been profiling the telecom sector of that country to gauge its level of tactical readiness in the event of an attack. Another possibility is eavesdropping. While the attackers may have been targeting other accounts, they could also have been trying to establish a spoofing capability against critical infrastructure in that country.
