Cybereason revealed the discovery of several previously unidentified cyberattack campaigns infiltrating major telecommunications providers across Southeast Asia.
Like the recent SolarWinds and Kaseya attacks, the threat actors first compromised third-party service providers - but in this case, instead of using them to deliver malware through a supply chain attack, the intent was to leverage them to conduct surveillance of their customers' confidential communications.
In the report, titled DeadRinger: Exposing Chinese Threat Actors Targeting Major Telcos, multiple clusters of attack activity were identified that have evaded detection since at least 2017 and are assessed to be the work of several prominent Advanced Persistent Threat (APT) groups aligned with the interests of the Chinese government.
Cybereason observed a significant overlap in tactics, techniques, and procedures (TTPs) across the three operations and assessed that the attackers were likely tasked with parallel objectives under the direction of a centralized coordinating body aligned with Chinese state interests.
Cybereason CEO and co-founder Lior Div says the attacks are very concerning because they undermine the security of critical infrastructure providers and expose the confidential and proprietary information of both public and private organizations that depend on secure communications for conducting business.
“These state-sponsored espionage operations not only negatively impact the telcos’ customers and business partners, but they also have the potential to threaten the national security of countries in the region and those who have a vested interest in the region’s stability,” he continued.
Key Findings
Adaptive, persistent, and evasive: The highly adaptive attackers worked diligently to obscure their activity and maintain persistence on the infected systems, dynamically responding to mitigation attempts after having evaded security efforts since at least 2017, an indication that the targets are of great value to the attackers.
Compromise of third parties to reach specific targets: Like the recent SolarWinds and Kaseya attacks, the threat actors first compromised third-party service providers - but in this case instead of using them to deliver malware through a supply chain attack, the intent was to leverage them to conduct surveillance of their customers' confidential communications.
Microsoft Exchange vulnerabilities exploited: Like the HAFNIUM attacks, the threat actors exploited recently disclosed vulnerabilities in Microsoft Exchange Servers to gain access to the targeted networks.
They then proceeded to compromise critical network assets such as Domain Controllers (DC) and billing systems which contain highly sensitive information like Call Detail Record (CDR) data, allowing them access to the sensitive communications of anyone using the affected telecoms’ services.
High-value espionage targets: Based on previous findings from the Operation Soft Cell Report Cybereason published in 2019, as well as other published analyses of operations conducted by these threat actors, it is assessed that the telecoms were compromised to facilitate espionage against select targets.
These targets are likely to include corporations, political figures, government officials, law enforcement agencies, political activists, and dissident factions of interest to the Chinese government.
Operating in the interest of China: Three distinct clusters of attacks have varying degrees of connection to APT groups Soft Cell, Naikon and Group-3390 -- all known to operate in the interest of the Chinese government.
Overlaps in attacker TTPs across the clusters are evidence of a likely connection between the threat actors, supporting the assessment that each group was tasked with parallel objectives in monitoring the communications of specific high-value targets under the direction of a centralized coordinating body aligned with Chinese state interests.
Potential for broader impact: These attacks compromised telcos primarily in ASEAN countries, but the attacks could be replicated against telcos in other regions.
While the prevailing assessment is that the operations were intended for espionage purposes only, the fact remains that had the attackers decided to change their objectives from espionage to interference, they would have had the ability to disrupt communications for any of the affected telecoms’ customers.
