Chinese Cyber Espionage Campaign Targets Telecom Operators in Asia

June 20, 2024

Chinese cyber espionage groups have been connected to an ongoing campaign that has breached several telecom operators in a specific Asian country since at least 2021. These groups have reportedly installed backdoors on the networks of the targeted companies and attempted to steal credentials, according to a report from the Symantec Threat Hunter Team, a part of Broadcom. The cybersecurity firm did not disclose the targeted country, but suggested that the malicious cyber activities might have commenced as early as 2020.

The campaign also extended its reach to a services company that serves the telecoms sector and a university in another Asian country. The tools used in this campaign bear similarities to those used by Chinese espionage groups such as Mustang Panda, RedFoxtrot, and Naikon in recent years. These tools, tracked as COOLCLIENT, QuickHeal, and RainyDay, are equipped with capabilities to capture sensitive data and establish communication with a command-and-control server.

The initial access pathway used to breach the targets is currently unknown. However, the campaign stands out for its use of port scanning tools and for credential theft through the dumping of Windows Registry hives. The tooling's links to three different adversarial groups admit several explanations: the attacks may have been conducted independently by each group, a single threat actor may be using tools acquired from the other groups, or several actors may be collaborating on a single campaign.

The primary motive behind the intrusions remains unclear. However, Chinese threat actors have a history of targeting the telecoms sector globally. In November 2023, Kaspersky exposed a ShadowPad malware campaign targeting a national telecom company in Pakistan by exploiting known security flaws in Microsoft Exchange Server (CVE-2021-26855, also known as ProxyLogon). Symantec suggested that the attackers might have been gathering intelligence on the telecoms sector in the targeted country. Other possibilities include eavesdropping or building a disruptive capability against critical infrastructure in the targeted country.
