Researchers have discovered three separate Chinese military-affiliated advanced threat groups simultaneously targeting and compromising the same Southeast Asian telcos. The three groups concerned are Soft Cell, Naikon, and a third group, possibly Emissary Panda (also known as APT27).
Following the March 2021 disclosure of the Hafnium group using previously unknown Microsoft Exchange exploits, researchers have been examining other attacks against Exchange Server installations. At the end of last week, Kaspersky described a new threat actor tracked as GhostEmperor using a previously unknown Windows kernel-mode rootkit.
Today, Cybereason released details of a triple-pronged attack by Chinese military-affiliated groups against cellular network providers in Southeast Asia. Disturbingly, Yonatan Striem-Amit, CTO and co-founder of Cybereason, told SecurityWeek, “We believe and have evidence that Chinese advanced groups have been using the Hafnium zero-days since at least 2017.”
Cellular networks are a prime target for nation states because they provide an excellent steppingstone to many other types of attack and different targets. “At this point,” said Striem-Amit, “the attacks seem to be a stepping point for a major espionage campaign. We all carry a device in our pocket that knows where we are, where we have been, and who we are with.”
These devices, he continued, know who we talk to, when we talk to them, and where we go – whether that’s a secret meeting with an adversary, or a specialist medical practitioner, or to visit a particular type of club. “All this information can be used against us. It could be simple blackmail. But the controllers of our cellular provider can do much more,” continued Striem-Amit. “They could use the access they have to redirect our traffic to their own servers, and deliver an exploit onto our phones. A cellular network is a major asset in the hands of an espionage entity.”
The three groups targeting the telcos are Soft Cell, Naikon, and possibly Emissary Panda. Soft Cell has been tracked by Cybereason since it was discovered targeting telcos in Southeast Asia in 2019. The current activity started in 2018 and has continued through Q1 2021.
The Naikon APT’s involvement in the current activity was first observed in Q4 2020, and has continued through Q1 2021.
The third group is not definitively known. However, it uses a unique OWA backdoor deployed across multiple Exchange and IIS servers. Code similarities in this backdoor link it to a known backdoor previously attributed to Iron Tiger (a group also known as Emissary Panda and APT27). “The activity around this cluster,” say the Cybereason researchers, “was observed between 2017 and Q1 2021.”
Soft Cell gained access by exploiting the Exchange Server vulnerabilities to install the China Chopper webshell. It used the PcShare backdoor for its foothold, Cobalt Strike and WMI for lateral movement, and a modified Mimikatz for credential theft.
It is not known how Naikon gained initial access. It used the Nebulae backdoor for its foothold, PAExec and WMI for lateral movement, and a modified Mimikatz, a custom keylogger and Procdump for credential theft.
The third group used the Exchange Server exploits for initial access to deploy a custom .NET backdoor on more than 20 servers between 2017 and 2021.
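The tool chains listed above (webshells executing under Exchange’s IIS worker process, WMI and PAExec for lateral movement, Procdump and Mimikatz against credentials) all leave traces in the process-creation telemetry most environments already collect. The following Python is an added example, not code from Cybereason or its report: it runs a handful of constructed Sysmon-style events through four hypothetical detection rules and flags hosts on which more than one stage fires. Host names, event fields, rule names and the sample command lines are all made up for illustration.

```python
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-creation record (fields modelled loosely on Sysmon event ID 1)."""
    host: str
    parent: str
    image: str
    cmdline: str


# Constructed sample events for illustration only; not telemetry from the report.
SAMPLE_EVENTS = [
    ProcEvent("owa01", "w3wp.exe", "cmd.exe", "cmd.exe /c whoami"),
    ProcEvent("fs02", "WmiPrvSE.exe", "powershell.exe", "powershell.exe -w hidden -enc ..."),
    ProcEvent("dc01", "services.exe", "PAExec-1234-ws07.exe", "PAExec-1234-ws07.exe -service"),
    ProcEvent("dc01", "cmd.exe", "procdump64.exe", "procdump64.exe -ma lsass.exe lsass.dmp"),
    ProcEvent("ws07", "explorer.exe", "notepad.exe", "notepad.exe notes.txt"),
]


def _is_shell(image: str) -> bool:
    return image.lower() in {"cmd.exe", "powershell.exe"}


# Hypothetical rules; each maps one technique named in the article to a process pattern.
RULES = {
    # IIS worker process (which hosts OWA/ECP) spawning a shell: typical of webshell use.
    "iis_worker_spawns_shell": lambda e: e.parent.lower() == "w3wp.exe" and _is_shell(e.image),
    # WMI provider host as the parent: remote command execution over WMI.
    "wmi_remote_exec": lambda e: e.parent.lower() == "wmiprvse.exe",
    # PAExec drops a service binary named after itself on the remote host.
    "paexec_service": lambda e: e.image.lower().startswith("paexec"),
    # Procdump pointed at lsass: dumping credential material from memory.
    "lsass_dump": lambda e: "procdump" in e.image.lower() and "lsass" in e.cmdline.lower(),
}


def triage(events):
    """Return (host, rule_name) pairs for every event that matches a rule."""
    hits = []
    for e in events:
        for name, pred in RULES.items():
            if pred(e):
                hits.append((e.host, name))
    return hits


def hosts_with_multiple_stages(events):
    """Hosts on which more than one distinct technique fired; worth looking at first."""
    seen = {}
    for host, name in triage(events):
        seen.setdefault(host, set()).add(name)
    return sorted(h for h, names in seen.items() if len(names) > 1)


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
    print("multi-stage hosts:", hosts_with_multiple_stages(SAMPLE_EVENTS))
```

Each rule on its own produces some false positives (administrators also run PowerShell via WMI); the value comes from correlating them per host, which is why the article’s observation that several groups were found on the same endpoints matters to an analyst.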
These attacks were all adaptive, persistent, and evasive, with the attackers dynamically responding to mitigation attempts after having evaded security efforts since at least 2017. They all occurred in the same time frame, attacked the same victims, and were even found on the same endpoints.
The surprising feature, apart from their stealthy duration, is that three groups, all associated with the Chinese government and often sharing TTPs, have attacked the same targets at the same time – and have even been found on the same endpoints simultaneously. It is consequently unclear whether the groups were separately instructed to target telcos, or whether they were being steered from a single source within the Chinese military. Even the use of similar TTPs sheds no light, since this could be the result of simple sharing between the groups, or the transfer of people between government-controlled groups. The one thing that is clear is that telcos are a major target for China, and that it has had knowledge of and has used serious Exchange zero-day vulnerabilities for many years.
“The attacks are very concerning because they undermine the security of critical infrastructure providers and expose the confidential and proprietary information of both public and private organizations that depend on secure communications for conducting business. These state-sponsored espionage efforts not only negatively impact the telcos’ customers and business partners, but they also have the potential to threaten the national security of countries in the region and those who have a vested interest in the region’s stability,” said Cybereason CEO and co-founder, Lior Div.
Raising the specter of ‘national security’ is interesting. Lior Div is probably referring to the theft of national security information. But how far could this go – especially since Striem-Amit told SecurityWeek, “The level of control the hackers have over the telcos would allow them to permanently shut down the network in ways that would need the entire cell infrastructure to literally be rebuilt. That level of control gives them political leverage over the victim countries – which is an incredible example of the interaction of geopolitics and day-to-day cyber that is the reality today.”
Would the total shutdown of cellular communications give an adversary an advantage in any kinetic activity; for example and hypothetically, in an area such as Taiwan? “I believe so,” said Striem-Amit. “The level of panic and the level of miscommunication, the level of situational control that would be lost, would give the aggressor an edge in launching a physical campaign. I strongly believe that prior to that, they would have acquired more targets, that could cause even more damage. What would happen if telcos were down, power was down, and food and water supply is shut down? A country needs to manage its cyber defense as well as its response to kinetic activity. It would be a very realistic scenario for a modern-day attack.”
Cybereason’s current assessment is that the operations were intended for espionage purposes only. It is true, however, that had the attackers decided to change their purpose from espionage to interference, they would have had the ability to disrupt communications for any – or all – of the affected telecoms’ customers.
Related: Telcos Pwned: Multi-Wave Attacks Stealing ‘Obscene Amount of Data’
Related: Chinese Cyberspies Target Telecom Companies in America, Asia, Europe
Related: Telecom Sector Increasingly Targeted by Chinese Hackers: CrowdStrike
Related: Industry Reactions to Nation-State Hacking of Global Telcos