Pierluigi Paganini August 03, 2021

China linked APT groups have targeted networks of at least five major telecommunications companies operating in Southeast Asia since 2017.

Cybereason researchers identified three clusters of activity associated with China-linked threat actors that carried out a series of attacks against networks of at least five major telecommunications companies located in South Asia since 2017.

“The goal of the attackers behind these intrusions was to gain and maintain continuous access to telecommunication providers and to facilitate cyber espionage by collecting sensitive information, compromising high-profile business assets such as the billing servers that contain Call Detail Record (CDR) data, as well as key network components such as the Domain Controllers, Web Servers and Microsoft Exchange servers,” states the report published by Cybereason.

The three clusters were linked to the China-linked APT groups tracked as Soft Cell (aka Gallium), Naikon APT (aka APT30 or Lotus Panda), and TG-3390 (aka APT27 or Emissary Panda).

Below are the details of each cluster:

• Cluster A: Operated by Soft Cell, the activity associated with this cluster started in 2018 and continued through Q1 2021.
• Cluster B: Operated by the Naikon APT, the activity associated with this cluster was first observed in Q4 2020 and continued through Q1 2021.
• Cluster C: It was classified by Cybereason as a “mini-cluster” with a unique OWA backdoor that was deployed by cyberspies across multiple Microsoft Exchange and IIS servers. The analysis of the backdoor shows many similarities with a known backdoor, tracked as Iron Tiger, employed in campaigns conducted by the Group-3390 (APT27 / Emissary Panda). The activity related to this cluster was observed between 2017 and Q1 2021.

The attackers spent a significant effort to avoid detection, like the HAFNIUM attacks, the threat actors exploited the ProxyLogon vulnerabilities affecting Microsoft Exchange Servers to gain access to the targeted networks.

“They then proceeded to compromise critical network assets such as Domain Controllers (DC) and billing systems which contain highly sensitive information like Call Detail Record (CDR) data, allowing them access to the sensitive communications of anyone using the affected telecoms’ services.” continues the analysis..

Naikon APT employed a backdoor tracked “Nebulae” that supports common backdoor capabilities, including the ability to collect LogicalDrive information, manipulate files and folders, download and upload files from and to the command-and-control server, list/execute/terminate processes on compromised devices.

Experts found multiple overlaps between the activities of the clusters, below the hypothesis elaborated by the experts:

• One hypothesis is that the clusters represent the work of two or more teams with different sets of expertise (e.g initial access team, foothold, telco-technology specialized team, etc.) all working together and reporting to the same Chinese threat actor. 
• A second hypothesis is that there are two or more Chinese threat actors with different agendas / tasks that are aware of each other’s work and potentially even working in tandem. 
• Another plausible hypothesis is that the clusters are not interconnected and that the threat actors are working independently with no collaboration, or even piggybacking on the access achieved by one of the actors involved. 

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, China-linked APT)

[adrotate banner=”5″]

[adrotate banner=”13″]