Cybereason exposes Chinese threat actors that compromise telecommunication providers

The findings were outlined in a report that highlighted attack trends to leverage third-party service providers

James Spiro, 12:04, 03.08.21
Israeli cybersecurity company Cybereason has announced the discovery of several previously unidentified cyberattack campaigns that have infiltrated telecommunications providers across Southeast Asia. The campaigns resemble the recent SolarWinds and Kaseya attacks seen around the world and prompted a report, DeadRinger: Exposing Chinese Threat Actors Targeting Major Telcos, published following the Biden Administration's rebuke of China’s Ministry of State Security.


“The attacks are very concerning because they undermine the security of critical infrastructure providers and expose the confidential and proprietary information of both public and private organizations that depend on secure communications for conducting business,” said Cybereason CEO and co-founder Lior Div. “These state-sponsored espionage operations not only negatively impact the telcos’ customers and business partners, but they also have the potential to threaten the national security of countries in the region and those who have a vested interest in the region’s stability.”


Lior Div, Cybereason co-founder and CEO. Photo: Cybereason


The report highlighted how the clusters of attack activity were the work of several prominent Advanced Persistent Threat (APT) groups that have evaded detection since at least 2017. According to Cybereason, there was significant overlap in tactics, techniques, and procedures (TTPs) across the three operations, and those TTPs strongly aligned with Chinese state interests.


The report outlined how the adaptive attackers worked to obscure their activity and maintain persistence on compromised systems. As in other recent attacks, the threat actors exploited the recently disclosed vulnerabilities in Microsoft Exchange Servers to gain access to targeted networks. The attackers then compromised critical network assets such as Domain Controllers (DC) and billing systems that contained sensitive communication information.


It is understood that the telecoms were compromised in order to facilitate espionage against specific targets, including corporations, political figures, government officials, law enforcement agencies, political activists, and dissident factions of interest to the Chinese government.


“Since the disclosure of the infamous Hafnium Microsoft Exchange servers vulnerabilities in 2021, Cybereason’s analysts have monitored different APT groups that exploited these vulnerabilities,” added Assaf Dahan, Head of Threat Research and one of the report’s authors. “The attacks were discovered in 2021; however, forensic evidence shows that the attackers compromised the networks since 2017, and remained undetected for at least three years. The different APT groups involved in the attacks used various advanced techniques to evade detection and remain under the radar.”

While the attacks compromised telecommunication companies in ASEAN countries, they could in theory be replicated against companies in other regions, notably Europe or the U.S. Recently, there has been a string of cyberattacks on U.S. soil that have been connected to the Russian government or to groups acting on behalf of Russia’s interests. Another Israeli firm, Deep Instinct, recently identified five major ways in which cyberattacks and ransomware tactics have been deployed this year, noting an 800% increase compared to the same period only three years ago.


Cybereason is a privately held Israeli cybersecurity company with customers in 50 countries that provides operation-centric attack protection, unifying security from the endpoint, to the enterprise, to “everywhere the battle moves.”