Chinese threat actors compromising telecoms, report warns

Cybereason has revealed its discovery of several previously unidentified cyber-attack campaigns infiltrating major telecommunications providers across Southeast Asia.

In the report, titled ‘DeadRinger: Exposing Chinese Threat Actors Targeting Major Telcos‘, multiple clusters of attack activity were identified and are assessed to be the work of several prominent ‘Advanced Persistent Threat’ (APT) groups aligned with the interests of the Chinese government.

Similar to the recent ‘SolarWinds’ and ‘Kaseya’ attacks, the threat actors first compromised third-party service providers, but instead of using them to deliver malware through a supply chain attack, the intent was to leverage them to conduct surveillance of their customers’ confidential communications.

The report found that the attackers were highly adaptive and worked diligently to obscure their activity and maintain persistence on the infected systems, dynamically responding to mitigation attempts and continuing to evade security efforts since at least 2017 – an indication that the targets are of great value to the attackers.

Exploiting vulnerabilities in Microsoft Exchange Servers, the threat actors were able to gain access to the targeted networks, from where they proceeded to compromise critical network assets such as Domain Controllers (DC) and billing systems containing highly sensitive information such as ‘Call Detail Record’ (CDR) data, allowing them access to the sensitive communications of anyone using the affected telecoms services.

It is thought that the telecoms companies were likely compromised in order to facilitate espionage against specific targets, such as corporations; political figures; government officials; law enforcement agencies; political activists, and dissident factions of interest to the Chinese government. Three distinct clusters of attacks have varying degrees of connection to APT groups Soft Cell, Naikon and Group-3390 – all of which are known to operate in the interest of the Chinese government.

Cybereason observed a significant overlap in tactics, techniques and procedures (TTPs) across the three operations, supporting the assessment that each attacking group was tasked with parallel objectives in monitoring the communications of specific high-value targets under the direction of a centralised coordinating body aligned with Chinese state interests.

While these attacks primarily compromised telecoms companies in ASEAN countries (the Association of Southeast Asian Nations, an economic union comprising 10 member states), the same activity could be replicated in other regions around the world. While it is believed that the operations were intended solely for espionage purposes, the attackers’ objectives could easily shift from espionage to interference, potentially disrupting communications for millions of customers.

Cybereason’s report comes soon after the Biden administration’s public rebuke of China’s Ministry of State Security for the recent ‘Hafnium’ attacks which again exploited vulnerabilities in unpatched Microsoft Exchange servers and put thousands of organisations worldwide at risk. Exploitation of these same vulnerabilities were central to the success of the attacks detailed in this research.

Lior Div, Cybereason CEO and co-founder, said: “The attacks are very concerning because they undermine the security of critical infrastructure providers and expose the confidential and proprietary information of both public and private organisations that depend on secure communications for conducting business.

“These state-sponsored espionage operations not only negatively impact the telcos’ customers and business partners, they also have the potential to threaten the national security of countries in the region and those who have a vested interest in the region’s stability.

“This is why Cybereason maintains a global team of seasoned threat intelligence investigators whose focus is to expose the tactics, techniques and procedures of advanced adversaries so we can better protect organisations from these kinds of complex attacks now and into the future.”

A separate survey released today from Bluefort Security Research suggests that the global pandemic has had a severe impact on the ability of chief information security officers (CISOs) at UK manufacturing, engineering and construction firms to protect their firms from cyber criminals.

Questioning 100 CISOs from manufacturing, engineering and construction companies revealed that the combination of the Covid-19 pandemic, the resulting accelerated shift to digital, and the ongoing skills gap have conspired to create a perfect cyber-security storm, leaving them more vulnerable to attacks than ever before.

72 per cent said they consider their organisation to be at greater risk of a cyber-security attack due to the transition to home working, with a third (32 per cent) admitting that as a consequence of squeezed budgets and refocused priorities they’ve inevitably taken their eye off the ball over the last 12 months, losing track of the flow of movers, joiners, leavers and devices.

Around one in four (26 per cent) of respondents said that gaps in staff cyber-security awareness and knowledge have emerged, with a similar share expressing concerns regarding the cyber-security provision of supply-chain partners.

Somewhat shockingly, over three-quarters (77 per cent) of CISOs admitted their business had experienced a cyber-security incident in the last 12 months, despite the fact that the vast majority (82 per cent) said that their organisation had introduced additional cyber-security measures due to remote working. Almost half (42 per cent) said that mitigating cyber-security threats had been their key priority, while 51 per cent prioritised identity and access management over the same period.

Nearly all surveyed (93 per cent) believe that managing cyber risk will become more complicated once Covid-19 restrictions are eased, with hybrid working introducing new challenges. 33 per cent believe that managing a remote workforce is more difficult; 21 per cent said the threat surface is more disparate and diverse due to hybrid or remote working; 27 per cent said it will be less clear where the end-points data is, and 18 per cent simply stated there will be more threats to worry about.

The good news, such as it is, is that 90 per cent of respondents reported that cyber security has become a heightened priority for their company’s board of directors over the last 12 months, with CISOs able to invest in new technologies to tackle the emerging challenges. Automation, AI, machine learning, network detection and response, zero-trust architecture, and end-point detection and response are among options being considered.

Ian Jennings, co-founder of BlueFort Security, commented: “The fact that CISOs have had a particularly tough time these past 18 months isn’t a surprise. What shocked me was the severity of the impact. It’s a sorry tale of a lack of visibility – of their infrastructure, their devices and their people – which has led to poor intelligence and restricted control. The positive takeaway from this is the recognition that new technology will play a significant role when it comes to redressing the balance.”