China-Linked Cyber-Espionage Teams Target Asian Telecoms

Published: 23/11/2024   Category: security

In the latest breaches, threat groups compromised telecommunications firms in at least two Asian nations, installing backdoors and possibly eavesdropping or pre-positioning for a future attack.

At least three cyber-espionage groups have compromised telecommunications operators in multiple countries in the Asia-Pacific region, placing backdoors inside the communications providers' networks, stealing credentials, and using custom malware to gain control and compromise other systems, according to analyses published by two cybersecurity firms in the past week.
Tools from a trio of China-linked groups — Fireant, Needleminer, and Firefly — were used to compromise telecommunications companies in at least two Asian nations, according to an analysis published by technology giant Broadcom's Symantec cybersecurity division. The groups — also known as Mustang Panda, Nomad Panda, and Naikon, respectively — previously have been associated with widespread attacks against a variety of countries in the Asia-Pacific region.
"Attackers see telecommunications companies as a strong launchpad from which to compromise other systems, eavesdrop on communications, or cybercrime," says Dick O'Brien, principal threat intelligence analyst for Symantec's threat hunter team.
"There's the potential for eavesdropping and surveillance but also, because telecoms is critical infrastructure, you could create significant disruption in your target country," O'Brien says. "We think that there is a distinct possibility that the motive for these attacks was similar to what the US government has been repeatedly warning about."
In April, senior US officials warned that China-linked attackers had begun compromising critical infrastructure as a way to pre-position their offensive cyber operations for future conflicts. Japan and the Philippines created a trilateral alliance for sharing information on cyber threats, especially those from China. The alliance is similar to another trilateral information-sharing agreement between Japan and South Korea.
The attacks come as other Asian nations continue to struggle with increasing cyberattacks. On June 24, Indonesia's government acknowledged that cybercriminals had compromised its National Data Center and demanded an $8 million ransom. Rather than pay, the government is trying to recover, but the attack has disrupted services for more than 200 agencies.
Taiwan is currently dealing with a spate of attacks by a Chinese state-sponsored group, dubbed RedJuliett, which has attacked 24 different government agencies, educational institutions, and technology firms, threat-intelligence firm Recorded Future stated in an analysis published on June 24.
The focus on telecommunications companies is unsurprising: The infrastructure operators are the hub for most traffic on the Internet, making compromising their infrastructure extremely valuable, says Sergey Shykevich, threat intelligence group manager at cybersecurity firm Check Point Software.
"The ultimate jackpot for an attacker with access to telecom networks is the CRM database of telco clients, allowing real-time access to SMS messages, locations, and other sensitive information," he says. "Disruption of telecommunications companies can definitely be devastating for countries and users, as it happened just several months ago in Ukraine. However, in most instances, I believe the primary objective of targeting telecommunication companies is espionage and the valuable data they possess."
In October 2023, Check Point Research released details of an Iran-linked espionage campaign that had primarily targeted government agencies and telecommunications providers.
Another example: Pakistan has become a focus of communications-based attacks, as the rapid digitalization of the country and its geopolitical environment made it the leading target of reflection-based distributed denial-of-service (DDoS) attacks by a significant margin last year, says Donny Chong, director at Nexusguard, a Singapore-based firm focused on defenses against denial-of-service attacks.
"The risk surrounding telecoms is that if you disrupt telecoms infrastructure, you also disrupt a lot of other critical infrastructure," he says. "There are other sectors, too, which we frequently see targeted by application and multivector attacks — the tech, finance, banking, and insurance sectors in particular have had a hard time with these attacks."
The attack on the unnamed Asian telecommunications firm included three custom attack tools, executing code in memory to avoid detection, and using legitimate software to load in malicious code — a technique known as sideloading. (Symantec would not name the targeted firms nor the two countries where they were investigating attacks.)
The threat group, or groups, are relatively sophisticated, says Symantec's O'Brien.
"The fact that most of the payloads run in memory means that they can be difficult to detect," he says. "The technique of sideloading using legitimate executables is favored by APT actors, presumably because the legitimate files they leverage are less likely to raise red flags."
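The two evasion traits O'Brien describes, in-memory payloads and sideloading through legitimate executables, leave little on disk but do leave a trace at the moment a trusted binary resolves a DLL from the wrong place. The script below is an added example written for this page, not code from the article, Symantec or any vendor named here; it applies two common sideloading heuristics to Sysmon "Image loaded" (Event ID 7) records. The field names follow Sysmon's Event ID 7 schema, the system-DLL baseline is a deliberately short constructed list, and the sample events are constructed for the example.

```python
"""Heuristic DLL-sideloading detection over Sysmon 'Image loaded' (Event ID 7) records.

Added example for illustration only. Field names (Image, ImageLoaded, Signed,
Signature, SignatureStatus) follow the Sysmon Event ID 7 schema; the baseline
list and the sample events are constructed, not taken from any real incident.
"""
import json
from pathlib import PureWindowsPath

# DLL names that legitimately live only under the Windows system directories.
# Constructed short baseline; a real deployment would derive it from a clean host.
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "wininet.dll", "userenv.dll"}
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")
# Directories an unprivileged user (or a dropped payload) can write to.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

# Constructed sample log: one JSON object per line, as a SIEM export might look.
SAMPLE_EVENTS = r'''
{"EventID": 7, "Image": "C:\\Windows\\System32\\notepad.exe", "ImageLoaded": "C:\\Windows\\System32\\version.dll", "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"}
{"EventID": 7, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update\\vendorapp.exe", "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\update\\version.dll", "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"}
{"EventID": 7, "Image": "C:\\Program Files\\Vendor\\tool.exe", "ImageLoaded": "C:\\Program Files\\Vendor\\helper.dll", "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"}
{"EventID": 7, "Image": "C:\\ProgramData\\cache\\legit.exe", "ImageLoaded": "C:\\ProgramData\\cache\\plugin.dll", "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"}
{"EventID": 7, "Image": "C:\\Users\\bob\\Downloads\\app.exe", "ImageLoaded": "C:\\Windows\\System32\\wininet.dll", "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"}
'''


def _is_under(path: str, prefixes) -> bool:
    """Case-insensitive check that a directory path starts with one of the prefixes."""
    lowered = path.lower()
    return any(lowered.startswith(prefix) for prefix in prefixes)


def classify(event: dict) -> list:
    """Return the sideloading indicators that apply to one Event ID 7 record."""
    if event.get("EventID") != 7:
        return []
    host = PureWindowsPath(event["Image"])
    dll = PureWindowsPath(event["ImageLoaded"])
    dll_dir = str(dll.parent).lower()
    reasons = []

    # Rule A: a DLL that normally lives in System32/SysWOW64 was resolved from elsewhere.
    # This is the classic search-order sideload: the host finds a same-named DLL
    # next to itself before it ever reaches the system directory.
    if dll.name.lower() in SYSTEM_DLL_NAMES and dll_dir not in SYSTEM_DIRS:
        reasons.append("system DLL name loaded from non-system path")

    # Rule B: an unsigned DLL sitting beside its host executable, both in a
    # location a user can write to. Legitimate installs under Program Files
    # also ship unsigned helpers, so the location test keeps this rule quieter.
    unsigned = (
        event.get("Signed", "").lower() != "true"
        or event.get("SignatureStatus") != "Valid"
    )
    colocated = dll_dir == str(host.parent).lower()
    if unsigned and colocated and _is_under(dll_dir, USER_WRITABLE):
        reasons.append("unsigned co-located DLL in user-writable directory")

    return reasons


def find_sideload_candidates(log_text: str) -> list:
    """Parse newline-delimited JSON events and return the ones worth a closer look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        reasons = classify(event)
        if reasons:
            findings.append(
                {"host": event["Image"], "dll": event["ImageLoaded"], "reasons": reasons}
            )
    return findings


if __name__ == "__main__":
    for finding in find_sideload_candidates(SAMPLE_EVENTS):
        print(f"{finding['host']} -> {finding['dll']}: {'; '.join(finding['reasons'])}")
```

On the constructed sample, the notepad and wininet loads pass, the unsigned helper under Program Files is left alone, and the two loads from user-writable directories are reported (the Temp-directory version.dll trips both rules). Because the DLL name and path appear in the load event regardless of whether the payload later runs only in memory, this is one of the few places a detection engineer can still catch the pattern O'Brien describes; a production rule would add an allowlist of known vendor directories and correlate with Event ID 1 to confirm the host binary's own signature.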
The analysis suggested that, while the threat groups could be collaborating with one another — say, different arms of the Chinese government working together — other connections are possible, such as different groups using the same tools or a single group using all three tools.
The connections between actors are often complicated. In 2021, a campaign of espionage attacks — dubbed Stayin' Alive — targeted the telecommunications industry and governments of Vietnam, Uzbekistan, and Kazakhstan, using a simple downloader known as CurKeep. The attackers used the same infrastructure as a group known as ToddyCat by cybersecurity firm Kaspersky, which considers the threat actor fairly sophisticated.