Chinese Cyber Espionage Targets Telecom Operators in Asia Since 2021

Researchers at Symantec highlighted in a blog post a campaign that has been using tools associated with Chinese espionage groups to breach telecom operators in a single Asian country since at least 2021, with evidence suggesting that some of this activity may date as far back as 2020. While the targeted country has not been disclosed, Symantec notes that all of the organizations targeted to date have been telecom operators, with the addition of a services company that serves the telecoms sector and a university in another Asian country. Several tools have been deployed in these attacks, including custom malware such as COOLCLIENT, QuickHeal, and RainyDay, which are designed to steal sensitive data and establish communications with a command-and-control server for further persistence.

"The choice of tools used in this campaign overlaps with other missions conducted by Chinese espionage groups like Mustang Panda (aka Earth Preta and Fireant), RedFoxtrot (aka Needleminer and Nomad Panda), and Naikon (aka Firefly) in recent years. The fact that the tooling has connections to three different adversarial collectives has raised several possibilities: The attacks are being conducted independently of each other, a single threat actor is using tools acquired from other groups, or diverse actors are collaborating on a single campaign" (The Hacker News, 2024).

Security Officer Comments:
Besides deploying the custom backdoors mentioned above, the actors have been observed installing keylogging malware, scanning for vulnerable ports, enabling RDP, and performing credential theft by dumping registry hives. While the ultimate objective of the ongoing campaign remains unclear, Symantec notes that the actors are likely gathering intelligence on the telecoms sector in the unnamed country and attempting to build a disruptive capability against critical infrastructure in that country.
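As an added example (not code from the Symantec report or The Hacker News), the script below runs simple detection rules over constructed Windows process-creation records (event ID 4688 with command-line auditing) for two of the behaviours listed above: dumping registry hives and enabling RDP. The host names, file paths and log records are assumptions built for the example.

```python
import re

# Constructed sample process-creation events in the style of Windows Security
# event 4688 (command-line auditing enabled). Illustrative only.
SAMPLE_EVENTS = [
    {"id": 4688, "host": "tele-dc01", "cmd": r"reg.exe save HKLM\SAM C:\Windows\Temp\sam.hiv"},
    {"id": 4688, "host": "tele-dc01", "cmd": r"reg.exe save HKLM\SYSTEM C:\Windows\Temp\sys.hiv"},
    {"id": 4688, "host": "tele-ws07", "cmd": r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'},
    {"id": 4688, "host": "tele-ws07", "cmd": r'netsh advfirewall firewall set rule group="remote desktop" new enable=Yes'},
    {"id": 4688, "host": "tele-ws12", "cmd": r"notepad.exe C:\Users\ops\notes.txt"},
]

# Each rule: name, compiled pattern over the command line, MITRE ATT&CK technique.
RULES = [
    ("registry_hive_dump",
     re.compile(r'\breg(?:\.exe)?\s+save\s+"?(?:HKLM|HKEY_LOCAL_MACHINE)\\(?:SAM|SECURITY|SYSTEM)\b', re.I),
     "T1003.002"),
    ("rdp_enabled_via_registry",
     re.compile(r"fDenyTSConnections\b.*?/d\s+0\b", re.I),
     "T1021.001"),
    ("rdp_firewall_rule_enabled",
     re.compile(r'netsh\s+advfirewall\s+firewall\s+set\s+rule\s+group="remote desktop".*enable=yes', re.I),
     "T1021.001"),
]


def detect(events):
    """Return one finding per rule match over 4688 events; other event IDs are ignored."""
    findings = []
    for ev in events:
        if ev.get("id") != 4688:
            continue
        for name, pattern, technique in RULES:
            if pattern.search(ev["cmd"]):
                findings.append({"host": ev["host"], "rule": name,
                                 "technique": technique, "cmd": ev["cmd"]})
    return findings


def hosts_with_multiple_stages(findings):
    """Hosts where more than one distinct rule fired: a stronger signal than a lone hit."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f["host"], set()).add(f["rule"])
    return sorted(h for h, rules in by_host.items() if len(rules) > 1)


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for f in hits:
        print(f"{f['host']}: {f['rule']} ({f['technique']}) <- {f['cmd']}")
    print("hosts with multiple stages:", hosts_with_multiple_stages(hits))
```

In production these patterns would be fed from an EDR or SIEM process-creation feed rather than an inline list, and the hive-dump rule should be paired with file-creation telemetry for the written .hiv files.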

Suggested Corrections:
Symantec did not detail the methods used by actors to gain initial access in their latest campaign. However, historically, Chinese hackers have breached telecom providers by exploiting vulnerabilities in internet-facing Microsoft Exchange servers. To mitigate such risks, organizations should isolate vulnerable systems from internal resources and implement robust patch management policies. These policies should ensure vulnerabilities are promptly patched as soon as updates are available or can be applied.