US Details Chinese Attacks Against Telecoms Providers

Several US government agencies have issued a joint cybersecurity advisory to provide information on the techniques and tactics that China-linked threat actors have been using to compromise telecom companies and network services providers.

The Chinese nation-state adversaries continue to rely on publicly available tools and known vulnerabilities to compromise networks and build out their attack infrastructure. They target entities around the world, in both the public and private sectors, the US agencies say.

Chinese APTs readily exploit publicly known vulnerabilities to compromise network devices such as SOHO routers and NAS devices, reads the joint advisory authored by the NSA, CISA and the FBI.

Since 2020, threat actors sponsored by the People’s Republic of China (PRC) have been quick to exploit newly discovered security issues in network devices. They were also observed exploiting new flaws to target VPN services and public-facing applications to access victim accounts.

“PRC state-sponsored cyber actors typically conduct their intrusions by accessing compromised servers called hop points from numerous China-based Internet Protocol (IP) addresses resolving to different Chinese Internet service providers (ISPs). The cyber actors typically obtain the use of servers by leasing remote access directly or indirectly from hosting providers,” the joint advisory reads.

China-linked APTs use these servers to register new email accounts, host command and control (C&C) domains, and communicate with victim networks, relying on the hop points to obscure their true origin.

The US agencies also note that these threat actors are constantly adapting their tactics to bypass defenses, including by monitoring the actions of network defenders and changing ongoing attacks to remain undetected. They were also observed modifying infrastructure and tools after their campaigns were publicly detailed.


“PRC state-sponsored cyber actors often mix their customized toolset with publicly available tools, especially by leveraging tools that are native to the network environment, to obscure their activity by blending into the noise or normal activity of a network,” NSA, CISA, and the FBI say.

Since 2020, the three US agencies have observed the Chinese threat actors mainly abusing vulnerabilities in devices from Cisco (CVE-2018-0171, CVE-2019-15271, and CVE-2019-1652), Citrix (CVE-2019-19781), DrayTek (CVE-2020-8515), D-Link (CVE-2019-16920), Fortinet (CVE-2018-13382), MikroTik (CVE-2018-14847), Netgear (CVE-2017-6862), Pulse (CVE-2019-11510 and CVE-2021-22893), QNAP (CVE-2019-7192, CVE-2019-7193, CVE-2019-7194, and CVE-2019-7195), and Zyxel (CVE-2020-29583).

The threat actors also use open-source tools to scan for vulnerabilities and perform reconnaissance, including RouterSploit (exploitation framework for embedded devices) and RouterScan (a framework for vulnerability scanning), which allow them to identify makes, models, and known bugs that can be exploited.

“Upon gaining an initial foothold into a telecommunications organization or network service provider, PRC state-sponsored cyber actors have identified critical users and infrastructure including systems critical to maintaining the security of authentication, authorization, and accounting,” the joint advisory reads.

The threat actors were observed obtaining the credentials necessary to access the underlying SQL database of a critical RADIUS server and then dumping the stored credentials, including cleartext and hashed passwords.

Using these credentials, the attackers then connected to Cisco and Juniper routers via SSH, executed commands, and exfiltrated the routers' current configurations.

“The cyber actors likely used additional scripting to further automate the exploitation of medium to large victim networks, where routers and switches are numerous, to gather massive numbers of router configurations that would be necessary to successfully manipulate traffic within the network,” the US agencies say.

The threat actors then “returned to the network and used their access and knowledge to successfully authenticate and execute router commands to surreptitiously route, capture, and exfiltrate traffic out of the network to actor-controlled infrastructure,” the agencies say.
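The sequence described above (stolen AAA credentials reused to SSH into many routers in a short time and collect their configurations) leaves a distinctive footprint: one source address authenticating successfully to an unusually large number of network devices within minutes. The following Python script is an added example, not code from the advisory or from SecurityWeek. It parses constructed syslog lines in two formats, the Cisco IOS `%SEC_LOGIN-5-LOGIN_SUCCESS` message and the OpenSSH `Accepted ... for ... from ...` message that Junos emits, and flags any source that reaches five or more distinct devices inside a ten-minute window. The hostnames, IP addresses (from RFC 5737 documentation ranges) and thresholds are all assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple

# Constructed sample syslog lines (not real telemetry). Format assumed:
# "<Mon DD HH:MM:SS> <device hostname> <message>". 198.51.100.7 plays the
# intruder fanning out across six routers; 10.0.0.10 is a routine admin.
SAMPLE_LOGS = """\
Jun 07 09:02:11 rtr-core-01 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 10.0.0.10] [localport: 22] at 09:02:11 UTC Tue Jun 7 2022
Jun 07 09:47:55 rtr-edge-01 sshd[1980]: Accepted publickey for netops from 10.0.0.10 port 44120 ssh2
Jun 07 10:15:02 rtr-core-01 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 198.51.100.7] [localport: 22] at 10:15:02 UTC Tue Jun 7 2022
Jun 07 10:15:09 rtr-core-02 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 198.51.100.7] [localport: 22] at 10:15:09 UTC Tue Jun 7 2022
Jun 07 10:15:21 rtr-edge-01 sshd[2017]: Accepted password for netops from 198.51.100.7 port 50122 ssh2
Jun 07 10:15:33 rtr-core-01 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 198.51.100.7] [localport: 22] [Reason: Login Authentication Failed] at 10:15:33 UTC Tue Jun 7 2022
Jun 07 10:15:40 rtr-edge-02 sshd[2019]: Accepted password for netops from 198.51.100.7 port 50130 ssh2
Jun 07 10:16:03 rtr-agg-01 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 198.51.100.7] [localport: 22] at 10:16:03 UTC Tue Jun 7 2022
Jun 07 10:16:31 rtr-agg-02 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 198.51.100.7] [localport: 22] at 10:16:31 UTC Tue Jun 7 2022
"""

# Leading syslog timestamp and the device that emitted the line.
HEADER_RE = re.compile(r"^(\w{3} \d{2} \d{2}:\d{2}:\d{2}) (\S+) (.*)$")
# Cisco IOS successful-login message.
CISCO_RE = re.compile(r"Login Success \[user: ([^\]]+)\] \[Source: ([\d.]+)\]")
# OpenSSH successful-login message (as seen on Junos and Linux hosts).
SSHD_RE = re.compile(r"Accepted \S+ for (\S+) from ([\d.]+)")


class LoginEvent(NamedTuple):
    ts: datetime   # year-less syslog timestamp; only relative order matters here
    host: str      # device that accepted the login
    user: str
    src: str       # client IP that authenticated


def parse_logins(text: str) -> List[LoginEvent]:
    """Return one LoginEvent per successful SSH login; failures are ignored."""
    events = []
    for line in text.splitlines():
        head = HEADER_RE.match(line)
        if not head:
            continue
        ts = datetime.strptime(head.group(1), "%b %d %H:%M:%S")
        host, msg = head.group(2), head.group(3)
        m = CISCO_RE.search(msg) or SSHD_RE.search(msg)
        if m:
            events.append(LoginEvent(ts, host, m.group(1), m.group(2)))
    return events


def find_fanout(events: List[LoginEvent], min_hosts: int = 5,
                window: timedelta = timedelta(minutes=10)) -> Dict[str, List[str]]:
    """Map each source IP that logged into >= min_hosts distinct devices
    within one sliding window to the sorted list of devices it touched.

    Legitimate operators usually work from a jump host and touch a handful
    of devices; credential-driven config harvesting touches many, fast."""
    by_src: Dict[str, List[LoginEvent]] = defaultdict(list)
    for ev in events:
        by_src[ev.src].append(ev)

    flagged: Dict[str, List[str]] = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e.ts)
        for i, start in enumerate(evs):
            # Distinct devices reached within `window` of this login.
            hosts = {e.host for e in evs[i:] if e.ts - start.ts <= window}
            if len(hosts) >= min_hosts:
                flagged[src] = sorted(hosts)
                break  # first qualifying window is enough to raise an alert
    return flagged


if __name__ == "__main__":
    for src, hosts in find_fanout(parse_logins(SAMPLE_LOGS)).items():
        print(f"ALERT: {src} authenticated to {len(hosts)} devices: {', '.join(hosts)}")
```

In a real deployment the threshold should be tuned against the number of devices a single operator or automation account normally touches, and the source list should be cross-checked against known jump hosts; a new source that fans out like this, especially right after unusual access to the RADIUS back-end database, is the pattern the advisory describes.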

NSA, CISA, and the FBI advise organizations and federal agencies to ensure their systems are kept updated with the latest patches, implement network segmentation, disable unused ports and services, implement strict password policies and enforce multi-factor authentication, keep data backed up, enable robust logging, isolate internet-facing systems from the internal network, and to immediately disconnect compromised devices from the environment.

Related: Chinese Hackers Using Publicly Available Resources in Attacks on U.S. Government

Related: US Warns Organizations of ‘Karakurt’ Cyber Extortion Group

Related: US: Hackers Continue Aiding North Korea Generate Funds via Cryptocurrency Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
