Cyber espionage groups linked to China have been tied to a long-running campaign that has infiltrated a number of telecom operators in a single Asian country since at least 2021.
“The attackers placed backdoors on the networks of targeted companies and also attempted to steal credentials,” the Symantec Threat Hunter Team, part of Broadcom, said in a report shared with The Hacker News.
The cybersecurity firm did not reveal which country was targeted, but said it found evidence to suggest that the malicious cyber activity may have started as far back as 2020.
The attacks also targeted an unnamed services company that catered to the telecoms sector and a university in another Asian country, it added.
The choice of tools used in this campaign overlaps with other missions carried out by Chinese espionage groups such as Mustang Panda (aka Earth Preta and Fireant), RedFoxtrot (aka Needleminer and Nomad Panda), and Naikon (aka Firefly) in recent years.
This includes custom backdoors tracked as COOLCLIENT, QUICKHEAL, and RainyDay that come equipped with capabilities to capture sensitive data and establish communication with a command-and-control (C2) server.
While the exact initial access pathway used to breach the targets is currently unknown, the campaign is also notable for deploying port scanning tools and conducting credential theft via the dumping of Windows Registry hives.
The fact that the tooling has connections to three different adversarial collectives has raised a number of possibilities: the attacks are being carried out independently of one another, a single threat actor is using tools acquired from other groups, or various actors are collaborating on a single campaign.
Also unclear at this stage is the primary motive behind the intrusions, although Chinese threat actors have a history of targeting the telecoms sector the world over.
In November 2023, Kaspersky revealed a ShadowPad malware campaign targeting one of the national telecom companies of Pakistan by exploiting known security flaws in Microsoft Exchange Server (CVE-2021-26855 aka ProxyLogon).
“The attackers may have been gathering intelligence on the telecoms sector in that country,” Symantec postulated. “Eavesdropping is another possibility. Alternatively, the attackers may have been attempting to build a disruptive capability against critical infrastructure in that country.”