Chinese Threat Actors Hit Big Telecoms

Security researchers have published information on three different, yet likely linked, cyber campaigns focused on espionage. All of the attacks aimed to infiltrate the networks of big telecommunications enterprises.

Researchers with security firm Cybereason published a lengthy report on the attacks, collectively calling the threat actors behind them DeadRinger. The researchers believe DeadRinger comprises a ring of APTs located in China that execute attacks "on behalf of Chinese state interests".

The belief that the threat actors are linked to Chinese state-sponsored operations stems from tactics and methods they share with other Chinese threat actors.

The report outlines three clusters of activity. The threat actors associated with these clusters are Soft Cell, Naikon and Emissary Panda. Collectively, the three clusters of activity stretch from 2018 to the first half of 2021.

The techniques outlined in the report include the exploitation of zero-day vulnerabilities in Microsoft Exchange Server, use of the China Chopper web shell, and use of beacons created with the legitimate Cobalt Strike penetration testing software.

The ultimate goal in all of the attacks was cyberespionage and the harvesting of privileged information and corporate secrets. Curiously, there were recorded instances where all three APTs were found in the same compromised network at the same time.

This still isn't hard evidence that the three DeadRinger threat actors were working in a coordinated push on behalf of the same central entity orchestrating them.

Researchers hope that further analysis of the malicious activity in the compromised telecom networks and environments will help shed more light on the exact circumstances of the attacks.

August 3, 2021