Researchers have discovered three separate Chinese military-affiliated advanced threat groups simultaneously targeting and compromising the same Southeast Asian telcos. The attack groups concerned are Soft Cell, Naikon, and a third group, possibly Emissary Panda (also known as APT27).
Following the March 2021 news of the Hafnium group using previously unknown Microsoft Exchange exploits, researchers have been examining other attacks against Exchange Server installations. At the end of last week, Kaspersky described a new threat actor tracked as GhostEmperor using a previously unknown Windows kernel-mode rootkit.
Today, Cybereason released details of a triple-pronged attack by Chinese military-affiliated groups against cellular network providers in southeast Asia. Disturbingly, Yonatan Striem-Amit, CTO and co-founder of Cybereason, told SecurityWeek, “We discovered and have evidence that Chinese advanced groups have been using the Hafnium zero-days since at least 2017.”
Cellular networks are a prime target for nation states because they provide an excellent stepping stone to many other types of attack and different targets. “At this point,” said Striem-Amit, “the attacks seem to be a stepping point for a major espionage campaign. We all carry a device in our pocket that knows where we are, where we have been, and who we are with.”
These devices, he continued, know who we talk to, when we talk to them, and where we go – whether that’s a secret meeting with a competitor, or a specialist medical practitioner, or to visit a particular type of club. “All this information can be used against us. It could be simple blackmail. But the controllers of our mobile provider can do much more,” continued Striem-Amit. “They could use the access they have to redirect our traffic to their own servers, and deliver an exploit onto our phones. A cellular network is a major asset in the hands of an espionage entity.”
The three groups targeting the telcos are Soft Cell, Naikon, and possibly Emissary Panda. Soft Cell has been tracked by Cybereason since it was discovered targeting telcos in Southeast Asia in 2019. The current activity started in 2018 and has continued through Q1 2021.
The Naikon APT’s involvement in the current activity was first observed in Q4 2020 and has continued through Q1 2021.
The third group is not definitively known. However, it uses a unique OWA backdoor deployed across multiple Exchange and IIS servers. Code similarities in this backdoor link it to a known backdoor previously attributed to Iron Tiger (a group also known as Emissary Panda and APT27). “The activity around this cluster,” say the Cybereason researchers, “was observed between 2017 and Q1 2021.”
Soft Cell gained initial access by exploiting the Exchange Server vulnerabilities to install the China Chopper webshell. It used the PcShare backdoor for its foothold, employed Cobalt Strike and WMI for lateral movement, and used a modified Mimikatz for credential theft.
It is not known how Naikon gained initial access. It used the Nebulae backdoor for its foothold, PAExec and WMI for lateral movement, and a modified Mimikatz, a custom keylogger and ProcDump for credential theft.
The third group used the Exchange Server exploits for initial access to deploy a custom .NET backdoor on more than 20 servers between 2017 and 2021.
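Two of the three clusters above rely on webshells or backdoors dropped onto Exchange and IIS servers, and China Chopper in particular is driven entirely by HTTP POSTs to the dropped .aspx file. The script below is an added defender-side example (not Cybereason’s or SecurityWeek’s code) that parses IIS W3C logs and flags POSTs to .aspx handlers outside a baseline of endpoints that legitimately accept POSTs; the allowlist, IPs and log lines are constructed sample data, and a real baseline would come from the server’s own healthy history.

```python
"""Flag webshell-style POSTs to non-baseline .aspx files in IIS W3C logs.
Added example with constructed data; the baseline below is illustrative only."""
from collections import defaultdict

# Constructed allowlist of .aspx endpoints that normally receive POSTs.
KNOWN_POST_ENDPOINTS = {
    "/owa/auth/logon.aspx",
    "/ecp/default.aspx",
}

def parse_w3c(lines):
    """Yield one dict per record, using the most recent #Fields header."""
    fields = None
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue          # other directives and blank lines
        elif fields:
            yield dict(zip(fields, line.split()))

def suspicious_posts(lines):
    """Return {(client_ip, path): count} for POSTs to .aspx paths not in the baseline."""
    hits = defaultdict(int)
    for rec in parse_w3c(lines):
        path = rec.get("cs-uri-stem", "").lower()
        if rec.get("cs-method") != "POST" or not path.endswith(".aspx"):
            continue
        if path in KNOWN_POST_ENDPOINTS:
            continue          # expected application traffic
        hits[(rec.get("c-ip"), path)] += 1
    return dict(hits)

# Constructed sample log: one benign logon POST, repeated POSTs from one
# external address to two .aspx files that are not part of the baseline,
# and a GET to one of those files (GETs are not counted).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2021-03-02 10:00:01 10.0.0.5 POST /owa/auth/logon.aspx - 200 Mozilla/5.0
2021-03-02 10:00:07 198.51.100.7 POST /owa/auth/sample-dropped.aspx - 200 Mozilla/4.0
2021-03-02 10:00:09 198.51.100.7 POST /owa/auth/sample-dropped.aspx - 200 Mozilla/4.0
2021-03-02 10:00:15 10.0.0.9 GET /owa/auth/sample-dropped.aspx - 200 Mozilla/5.0
2021-03-02 10:00:22 198.51.100.7 POST /aspnet_client/sample.aspx - 200 Mozilla/4.0
"""

if __name__ == "__main__":
    for (ip, path), n in sorted(suspicious_posts(SAMPLE_LOG.splitlines()).items()):
        print(f"{ip} -> {path}: {n} POST(s)")
```

Any hit should be correlated with file creation times under the IIS web roots and with the process that wrote the file, since a legitimate but unlisted endpoint will also appear here.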
These attacks were all adaptive, persistent, and evasive, with the attackers dynamically responding to mitigation attempts after having evaded security efforts since at least 2017. They all occurred in the same time frame, attacked the same victims, and were even found on the same endpoints.
The surprising feature, apart from their stealthy duration, is that three groups, all associated with the Chinese government and often sharing TTPs, have attacked the same targets at the same time – and have even been seen on the same endpoints simultaneously. It is consequently unclear whether the groups were separately instructed to target telcos, or whether they were being guided from a single source within the Chinese military. Even the use of similar TTPs sheds no light, since this could be the result of simple sharing between the groups, or the transfer of people between government-controlled groups. The one thing that is clear is that telcos are a major target for China, and that it has had knowledge of and has used serious Exchange zero-day vulnerabilities for many years.
“The attacks are very concerning because they undermine the security of critical infrastructure providers and expose the confidential and proprietary information of both public and private organizations that depend on secure communications for conducting business. These state-sponsored espionage operations not only negatively impact the telcos’ customers and business partners, but they also have the potential to threaten the national security of countries in the region and those who have a vested interest in the region’s stability,” said Cybereason CEO and co-founder, Lior Div.
Raising the specter of ‘national security’ is interesting. Lior Div is probably referring to the theft of national security information. But how far could this go – especially since Striem-Amit told SecurityWeek, “The level of control the hackers have over the telcos would allow them to permanently shut down the network in ways that would need the entire cell structure to literally be rebuilt. That level of control gives them political leverage over the victim countries – which is an incredible example of the interaction of geopolitics and day-to-day cyber that is the reality today.”
Would the total shutdown of cellular communications give an adversary an advantage in any kinetic activity; for example and hypothetically, in an area such as Taiwan? “I believe so,” said Striem-Amit. “The level of panic and the level of miscommunication, the level of situational control that would be lost, would give the aggressor an edge in launching a physical campaign. I strongly believe that prior to that, they would have acquired more targets, that could cause even more damage. What would happen if telcos were down, power was down, and food and water supply is shut down? A country needs to manage its cyber defense as well as its response to kinetic activity. It would be a very realistic scenario for a modern-day attack.”
Cybereason’s prevailing assessment is that the operations were intended for espionage purposes only. It is true, however, that had the attackers decided to change their objectives from espionage to interference, they would have had the ability to disrupt communications for any – or all – of the affected telecoms’ customers.