Three Chinese APT Groups Attack Major Telecommunications Companies

Cybersecurity research team Cybereason Nocturnus discovered three malicious cyber espionage campaigns, as three Chinese APT groups attacked the networks of major telecommunications companies.

The malware campaign, known as DeadRinger, targets companies in Southeast Asia.

According to experts, the attacks were organized by three cybercriminal groups (APTs) allegedly linked to the Chinese government. This attribution is based on a comparison of their tactics and methods with those of other well-known Chinese APTs.

"In the beginning of 2021, the Cybereason Nocturnus Team investigated clusters of intrusions detected targeting the telecommunications industry across Southeast Asia. During the investigation, three clusters of activity were identified and showed significant connections to known threat actors, all suspected to be operating on behalf of Chinese state interests," Cybereason Nocturnus researchers write.

The first cyber operation is believed to be related to APT Soft Cell. A second operation called Naikon, launched in late 2020, targeted telecommunications companies. According to the researchers, Naikon may be associated with the military bureau of the People’s Liberation Army of China (PLA). The third cyber operation was organized in 2017 by APT27 (also known as Emissary Panda). The criminals used a backdoor to compromise Microsoft Exchange servers.

The hackers’ methods included exploiting vulnerabilities in Microsoft Exchange Server, installing the China Chopper web shell, using Mimikatz to steal credentials, creating Cobalt Strike beacons and backdoors to connect to the C&C server.

In each wave of cyberattacks, the criminals pursued cyber espionage by collecting sensitive information and compromising critical business assets such as billing servers containing Call Detail Record (CDR) data, as well as key network components such as domain controllers, web servers, and Microsoft Exchange servers.

"Based on our analysis, we assess that the goal of the attackers behind these intrusions was to gain and maintain continuous access to telecommunication providers and to facilitate cyber espionage by collecting sensitive information, compromising high-profile business assets such as the billing servers that contain Call Detail Record (CDR) data, as well as key network components such as the Domain Controllers, Web Servers and Microsoft Exchange servers," the researchers explain.

In some cases, the groups were present in the same compromised environment at the same time. However, it is unclear whether they worked independently or were all directed by a specific group or a coordinating headquarters within the government.

Let me remind you that we also reported on how Chinese hackers used a new backdoor to spy on the government of a Southeast Asian country.


Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.
