An extensive espionage campaign targeting telecom operators in an Asian country has been ongoing since at least 2021. Attackers have used sophisticated tools linked to Chinese hacking groups, raising concerns about the security of critical telecom infrastructure. To gain deeper insights into the breach, refer to the detailed report published by Symantec.
Targets and Tactics
The attackers installed backdoors on the networks of targeted companies and attempted to steal credentials. Symantec’s analysis reveals that the primary targets were telecom companies, a telecom services firm, and a university in another Asian country. The campaign utilized various custom malware, including Coolclient, Quickheal, and Rainy Day, each associated with different Chinese espionage groups.
Tools and Techniques
Coolclient, deployed by the Fireant group (known as Mustang Panda), is designed to log keystrokes, manipulate files, and communicate with a command and control server. Quickheal, linked to the Needleminer group (also known as RedFoxtrot), communicates with a hardcoded command and control server over a custom protocol disguised as SSL traffic. Rainy Day, used by the Firefly group (also known as Naikon), typically executes through a loader that decrypts payloads from external files.
In addition to these backdoors, the attackers employed keylogging malware, port scanning tools, credential dumping techniques, and the Responder tool for LLMNR/NBT-NS/mDNS poisoning. These methods facilitated Remote Desktop Protocol (RDP) access on compromised systems. The tools utilized indicate strong links to multiple Chinese espionage groups.
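The LLMNR poisoning mentioned above can be checked for from the defender's side with a canary-name probe. The Python below is an added illustration, not code from the Symantec report or this page: it asks the LLMNR multicast group to resolve a random hostname that no legitimate machine owns, so any host that answers is behaving like a poisoner. The canary prefix, the 2-second timeout and the sample reply used in the comments are assumptions; NBT-NS and mDNS are not covered by this probe.

```python
import secrets
import socket
import struct

def encode_name(name: str) -> bytes:
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"  # DNS labels

def build_llmnr_query(name: str, txid: int) -> bytes:
    return struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", 1, 1)  # A/IN

def read_name(data: bytes, off: int):
    """Decode a DNS-style name at off; return (name, offset after it). A compression pointer ends it."""
    labels = []
    while data[off] & 0xC0 != 0xC0 and data[off]:
        labels.append(data[off + 1:off + 1 + data[off]].decode(errors="replace"))
        off += data[off] + 1
    return ".".join(labels), off + (2 if data[off] & 0xC0 == 0xC0 else 1)

def parse_llmnr_response(data: bytes):
    """Return (txid, queried name, [A-record IPs]) for an LLMNR response, else None."""
    if len(data) < 12 or not struct.unpack("!H", data[2:4])[0] & 0x8000:  # QR bit clear: a query
        return None
    txid, _, _, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])  # DNS-shaped header (RFC 4795)
    name, off = read_name(data, 12)
    off += 4  # skip QTYPE + QCLASS of the echoed question
    ips = []
    for _ in range(ancount):
        _, off = read_name(data, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(data[off + 10:off + 14]))
        off += 10 + rdlen
    return txid, name, ips

def is_poisoned(response: bytes, txid: int, canary: str) -> bool:
    parsed = parse_llmnr_response(response)  # a reply resolving a name nobody owns is the indicator
    return parsed is not None and parsed[0] == txid and parsed[1].lower() == canary.lower() and bool(parsed[2])

def probe(timeout: float = 2.0) -> list:
    """Send one canary query to the LLMNR multicast group; return the source IPs that answered it."""
    canary, txid = "canary-" + secrets.token_hex(4), secrets.randbelow(65536)  # assumed prefix
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.sendto(build_llmnr_query(canary, txid), ("224.0.0.252", 5355))  # LLMNR group and port
    hits = []
    try:
        while True:
            data, (src, _) = sock.recvfrom(512)
            if is_poisoned(data, txid, canary):
                hits.append(src)
    except socket.timeout:
        return hits
```

Run `probe()` from a host on the segment under review; an empty list is the expected result on a clean network, and any returned address is worth correlating with DHCP and switch logs.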
Uncertainty and Motives
Whether this campaign involves multiple actors operating independently, a single actor using shared tools and personnel, or a collaborative effort remains unclear. The ultimate motive behind these attacks is also uncertain. Potential objectives may include intelligence gathering on the telecom sector, eavesdropping, or establishing a disruptive capability against the country’s critical infrastructure.
Comparing this information with previously published reports, it’s evident that Chinese state-sponsored hacking groups have consistently targeted sensitive industries like telecommunications. Earlier instances of similar espionage activities have also shown the deployment of sophisticated malware and advanced threat techniques to breach and maintain long-term access to targeted systems.
Previous incidents have demonstrated that these attacks are not isolated events but part of a broader strategy to infiltrate and exploit critical sectors. The use of identical or near-identical malware variants in different campaigns indicates a level of persistence and resourcefulness among these groups, suggesting well-coordinated efforts to maintain access and gather intelligence.
The espionage campaign underscores the persistent threat posed by Chinese state-sponsored hacking against key industries. Organizations are strongly advised to enhance their monitoring for signs of compromise and ensure robust defenses to protect against these sophisticated espionage campaigns. Advanced threat detection, regular security assessments, and staff training on cybersecurity best practices are essential measures to safeguard sensitive data and infrastructure.