Attack protection specialist Cybereason has fingered threat actors working on behalf of "Chinese state interests" as being behind attacks on telcos operating in Southeast Asia – with some having been prowling the penetrated networks for information on high-value targets since 2017.
Cybereason's DeadRinger report, published today, described the attacks as being carried out by "highly adaptive" groups which "worked diligently to obscure their activity and maintain persistence on the infected systems."
The telcos themselves were not the primary targets, however, but a source of surveillance on activists, politicians, business leaders, and more.
"Telcos are a prime target for nation-state espionage programs for various reasons, among them, the ability to collect information about the telco's subscribers," Assaf Dahan, senior director and head of threat research at Cybereason, told The Register. "Knowing the location of individuals, with whom they conversed or texted, can be key to facilitating cyber-espionage and to build profiles on a given list of targets.
"We identified hundreds of gigabytes of data exfiltrated from the environment during our investigation. The threat actors were after high value targets, including business leaders, government officials, politicians, political activists, law enforcement officials, human rights activists, and anyone the Chinese government feels is of interest."
Perhaps the most surprising – and concerning – finding in the report: the intruders were operating in some of the systems for years, in one case all the way back to 2017. As to how they could stay undetected for so long: "It's not an easy question to answer," Dahan told us. "However, I'll provide possible explanations.
"First, the groups involved in these intrusions are considered top-tier APT [Advanced Persistent Threat] groups, known for their sophistication, advanced techniques, and stealth. One of their main goals was to maintain access inside the telcos' networks and to remain under-the-radar for as long as possible and the APT groups invest heavily in efforts to cover their tracks.
"Second, each organisation has its own security posture, relying on different security measures and tools put in place to protect the network," Dahan continued. "Not all security tools are born equal, and unfortunately, traditional security tools can often miss sophisticated attacks. Third, even the best security solution needs to be operated by humans at the end of the day – and humans can make mistakes."
- Huawei to America: You're not taking cyber-security seriously until you let China vouch for us
- Here's 30 servers Russian intelligence uses to fling malware at the West, beams RiskIQ
- Communism never looked so good: China cracks down on pop-up ads
- Here's a list of the flaws Russia, China, Iran and pals exploit most often, say Five Eyes infosec agencies
The report found three groups involved the attacks, described as having "significant connections to known threat actors, all suspected to be operating on behalf of Chinese state interests": Soft Cell, "operating in the interest of China"; the Naikon APT group, "previously attributed to the Chinese People's Liberation Army's Chengdu Military Region Second Technical Reconnaissance Bureau"; and a smaller third group which may be linked to a threat actor dubbed Group-3390, also known as Emissary Panda.
"It is noteworthy to mention that the Cybereason Nocturnus Team also observed an interesting overlap among the three clusters," the report added. "In some instances, all three clusters of activity were observed in the same target environment, around the same timeframe, and even on the same endpoints.
"At this point, there is not enough information to determine with certainty the nature of this overlap – namely, whether these clusters represent the work of three different threat actors working independently, or whether these clusters represent the work of three different teams operating on behalf of a single threat actor."
"The attacks are very concerning because they undermine the security of critical infrastructure providers and expose the confidential and proprietary information of both public and private organisations that depend on secure communications for conducting business," said Cybereason chief and co-founder Lior Div of the report's findings.
"These state-sponsored espionage operations not only negatively impact the telcos' customers and business partners, they also have the potential to threaten the national security of countries in the region and those who have a vested interest in the region's stability."
While Cybereason's research focused on telcos in Southeast Asia, Dahan told us that the same APT groups are responsible for known attacks on multiple industries, including telecommunications, worldwide – and advised on how potential targets should be protecting themselves.
"First, I'd recommend they take a deeper look at the research report – looking to use our indicators of compromise and especially our behavioural indicators and swipe their organisation's network looking for similar signs of compromise," he told us.
"In addition, I would recommend them to map the threats relevant to their organisation (threat modelling), understand who might be targeting them and then proactively look for indicators and the tactics, techniques and procedures relevant to these threat groups.
"Last, I recommend making sure that they have the right security tools in place, that they have good incident response capabilities and other security procedures that can handle a variety of types of attacks."
The full report is available on the Cybereason website. ®