Cybereason, a cybersecurity firm, has pinned the blame on China-backed threat actors for a series of "pervasive attacks" on some of the largest telcos in Southeast Asia. Because of their activities, says Cybereason, China has been able to conduct cyber espionage against "designated high-profile targets."
The cybersecurity firm further warns that the attackers have access to (and control of) various networks. If they wanted, reckoned Cybereason, China could shut down telecom services to specific people or companies. Some of the attacks have apparently been going on since at least 2017.
"The attacks are very concerning because they undermine the security of critical infrastructure providers and expose the confidential and proprietary information of both public and private organizations that depend on secure communications for conducting business," said Cybereason CEO and Co-Founder Lior Div.
"These state-sponsored espionage operations not only negatively impact the telcos' customers and business partners, they also have the potential to threaten the national security of countries in the region and those who have a vested interest in the region's stability."
Named and shamed
The alarming findings were laid out in a new Cybereason report published today, entitled DeadRinger: Exposing Chinese Threat Actors Targeting Major Telcos. Following the disclosure of Hafnium attacks targeting Microsoft Exchange vulnerabilities, the "Cybereason Nocturnus" team "proactively hunted" for various threat actors trying to leverage similar techniques.
The team turned its attention to three clusters of intrusions they detected targeting the telecoms industry across Southeast Asia, each of which "showed significant connections" to prominent Advanced Persistent Threat groups aligned with the interests of the Chinese government.
Cybereason determined that "cluster A" was operated by Soft Cell, an activity group in operation since 2012 that had previously attacked telcos in multiple regions, including Southeast Asia, and which was first discovered by Cybereason in 2019.
"We assess with a high level of confidence that the Soft Cell activity group is operating in the interest of China," said the report. "The activity around this cluster started in 2018 and continued through Q1 2021."
"Cluster B" was assessed by Cybereason to be operated by the Naikon APT threat actor, "a highly active cyber espionage group in operation since 2010 which mainly targets ASEAN countries."
The Naikon APT group was previously attributed to the Chinese People's Liberation Army's (PLA) Chengdu Military Region Second Technical Reconnaissance Bureau (Military Unit Cover Designator 78020). According to the Cybereason Nocturnus team, the activity around this cluster was first observed in Q4 2020 and continued through Q1 2021.
"Cluster C," dubbed a "mini-cluster," was found to be characterized by a unique OWA [Outlook Web Application] backdoor that was deployed across multiple Microsoft Exchange and IIS servers.
Cybereason's analysis of the backdoor showed "significant code similarities" with a previously documented backdoor used in the operation dubbed Iron Tiger, which was attributed to a Chinese threat actor tracked by various researchers as Group-3390. Activity around this cluster was observed between 2017 and Q1 2021.
Based on its analysis of cluster activity, the report's authors starkly conclude that the goal of the attackers behind these intrusions was to "gain and maintain continuous access to telecommunication providers and to facilitate cyber espionage by collecting sensitive information, compromising high-profile business assets, such as the billing servers that contain call detail record data, as well as key network components, such as the domain controllers, web servers and Microsoft Exchange servers."