China-linked hackers target telecommunication providers in the Middle East

Researchers reported that China-linked hackers targeted telecommunication providers in the Middle East in the first quarter of 2023.

In the first quarter of 2023, SentinelLabs researchers spotted the initial phases of attacks against telecommunication providers in the Middle East.

According to the researchers, the activity is part of the Operation Soft Cell that was first reported in June 2019 by Cybereason.

At the time, researchers at Cybereason uncovered the long-running espionage campaign tracked as Operation Soft Cell. Threat actors were targeting telco providers. Tactics, techniques, and procedures, and the type of targets suggest the involvement of a nation-state actor likely linked to Chinese APT10.

Once compromised the networks of telecommunication companies, the attackers aimed at accessing mobile phone users’ call data records.

SentinelLabs linked the recent attacks to a China-linked cyberespionage group in the nexus of Gallium and APT41, but the exact grouping has yet to be determined.

The threat actors employed a new dropper mechanism which is evidence of an ongoing development effort by a highly-motivated threat actor.

“In collaboration with QGroup GmbH, SentinelLabs recently observed initial threat activities targeting the telecommunication sector. We assess it is highly likely that these attacks were conducted by a Chinese cyberespionage actor related to the Operation Soft Cell campaign.” reads the report published by SentinelLabs. “The initial attack phase involves infiltrating Internet-facing Microsoft Exchange servers to deploy webshells used for command execution. Once a foothold is established, the attackers conduct a variety of reconnaissance, credential theft, lateral movement, and data exfiltration activities.”

The threat actors used a custom credential theft malware, tracked as mim221, that implemented a series of Mimikatz modifications on closed-source tooling.

The researchers believe that mim221 is a recent version of an actively maintained credential theft malware that was enhanced by implementing new anti-detection features.

“The use of special-purpose modules that implement a range of advanced techniques shows the threat actors’ dedication to advancing its toolset towards maximum stealth.” reads the analysis published by SentinelLabs. “These techniques include

• in-memory mapping of malicious images to evade EDR API hooks and file-based detections
• surgically terminating Event Log threads instead of the host process to inhibit logging without raising suspicions
• staging a credential theft capability in the LSASS process itself by abusing native Windows capabilities.

The experts observed command execution through webshells on compromised Microsoft Exchange server deployments as initial attack indicators.

“It is worth noting that the attackers’ activities at one of the targets suggested previous knowledge of the environment. We had observed activity at the same target a few months prior, which we attributed to Gallium primarily based on the use of the group’s PingPull backdoor and TTPs.” concludes the report. “Our analysis of mim221 highlights the continuous maintenance and further development of the Chinese espionage malware arsenal. These threat actors will almost certainly continue exploring and upgrading their tools with new techniques for evading detection, including integrating and modifying publicly available code.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, telecommunication providers)