DeadRinger: Chinese APTs Hit Major Telcos

Researchers revealed three cyber espionage campaigns aimed at compromising networks belonging to major telecommunications companies.

On Tuesday, Cybereason Nocturnus published a new report on cyber attackers, suspected of working for “Chinese state interests” and grouped under the name “DeadRinger”.

According to the cybersecurity firm, the “previously unidentified” campaigns are centered on Southeast Asia. Much as the attackers in the SolarWinds and Kaseya cases secured access to their victims through a centralized provider, this group targets telecom operators.

Cybereason believes the attacks are the work of Advanced Persistent Threat (APT) groups tied to Chinese state sponsorship due to overlapping tactics and techniques with other known Chinese APTs.

Three clusters of activity have been detected, with the earliest examples appearing to date back to 2017. The first cluster, believed to be operated by or in connection with the Soft Cell APT, began its attacks in 2018.

The second cluster, believed to be the work of Naikon, surfaced and started hitting telecom operators in the last quarter of 2020, continuing until now. Researchers say Naikon may be associated with the military bureau of the Chinese People’s Liberation Army (PLA).

Cluster three has been carrying out cyberattacks since 2017 and has been attributed to APT27/Emissary Panda; it is identified by a unique backdoor used against Microsoft Exchange servers through Q1 2021.

Techniques noted in the report included exploiting vulnerabilities in Microsoft Exchange Server, long before they were made public; deploying the China Chopper web shell; using Mimikatz to harvest credentials; and creating Cobalt Strike beacons and backdoors that connect to a command-and-control (C2) server for data exfiltration.
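The techniques above leave host-level traces a defender can alert on. The following is an added example, not code from the Cybereason report: two simple detections run over constructed Sysmon-style process events, flagging (1) shells spawned by the IIS worker process, which is the parent/child pattern a web shell such as China Chopper produces on an Exchange server, and (2) processes opening LSASS with memory-read access, which credential dumpers like Mimikatz require. The event shape, field names, allow-list and sample file paths are all assumptions made for the example.

```python
"""Added defensive example (not from the DeadRinger report): host-based
detections for web-shell command execution and LSASS credential access.
Event records are constructed samples in a simplified Sysmon-like shape."""
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class ProcessCreate:
    """Process-creation event (Sysmon event ID 1 shape, simplified; assumed)."""
    host: str
    parent_image: str
    image: str
    command_line: str


@dataclass(frozen=True)
class ProcessAccess:
    """Process-access event (Sysmon event ID 10 shape, simplified; assumed)."""
    host: str
    source_image: str
    target_image: str
    granted_access: int


# IIS worker process that hosts Exchange's web applications (OWA, ECP, EWS).
WEB_WORKERS = {"w3wp.exe"}
# Children a web worker has no legitimate reason to spawn; a web shell runs
# attacker commands through exactly this parent/child relationship.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "whoami.exe",
                       "net.exe", "net1.exe", "certutil.exe", "rundll32.exe"}
# PROCESS_VM_READ: the access right needed to read another process's memory.
PROCESS_VM_READ = 0x0010
# Processes allowed to read LSASS memory (constructed allow-list; tune per site).
LSASS_ALLOWED_SOURCES = {"msmpeng.exe", "csrss.exe", "wininit.exe"}


def _basename(path: str) -> str:
    """Case-insensitive file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def webshell_child_processes(events: Iterable[ProcessCreate]) -> List[ProcessCreate]:
    """Flag shells and LOLBins whose parent is the IIS worker process."""
    return [e for e in events
            if _basename(e.parent_image) in WEB_WORKERS
            and _basename(e.image) in SUSPICIOUS_CHILDREN]


def lsass_readers(events: Iterable[ProcessAccess]) -> List[ProcessAccess]:
    """Flag non-allow-listed processes that opened LSASS with VM_READ."""
    return [e for e in events
            if _basename(e.target_image) == "lsass.exe"
            and e.granted_access & PROCESS_VM_READ
            and _basename(e.source_image) not in LSASS_ALLOWED_SOURCES]


# Constructed sample telemetry: one true positive per detection plus benign noise.
SAMPLE_PROCESS_EVENTS = [
    ProcessCreate("EXCH01", r"C:\Windows\System32\inetsrv\w3wp.exe",
                  r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),
    ProcessCreate("EXCH01", r"C:\Windows\System32\inetsrv\w3wp.exe",
                  r"C:\Windows\System32\conhost.exe", "conhost.exe"),  # benign child
    ProcessCreate("DC01", r"C:\Windows\explorer.exe",
                  r"C:\Windows\System32\cmd.exe", "cmd.exe"),  # interactive, not IIS
]
SAMPLE_ACCESS_EVENTS = [
    ProcessAccess("DC01", r"C:\Users\Public\dump.exe",
                  r"C:\Windows\System32\lsass.exe", 0x1010),  # VM_READ set
    ProcessAccess("DC01", r"C:\Program Files\Windows Defender\MsMpEng.exe",
                  r"C:\Windows\System32\lsass.exe", 0x1010),  # allow-listed AV
    ProcessAccess("EXCH01", r"C:\Windows\System32\svchost.exe",
                  r"C:\Windows\System32\lsass.exe", 0x1000),  # query only, no read
]


def alerts(process_events: Iterable[ProcessCreate],
           access_events: Iterable[ProcessAccess]) -> List[str]:
    """Render both detections as one-line alerts for a SIEM or console."""
    out = [f"[{e.host}] web shell suspected: {_basename(e.parent_image)} -> "
           f"{e.command_line}" for e in webshell_child_processes(process_events)]
    out += [f"[{e.host}] LSASS read by {e.source_image} (access 0x{e.granted_access:04x})"
            for e in lsass_readers(access_events)]
    return out


if __name__ == "__main__":
    for line in alerts(SAMPLE_PROCESS_EVENTS, SAMPLE_ACCESS_EVENTS):
        print(line)
```

Both rules are intentionally narrow: the web-shell rule keys on the parent process rather than on a particular shell's file name, so it catches any web shell that executes commands, and the LSASS rule requires the read right rather than any handle open, which keeps ordinary status queries out of the alert stream.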

Cybereason says that in each attack wave, the goal of compromising telecommunications companies was to “facilitate cyber espionage by collecting sensitive information, compromising high-profile business assets such as billing servers that contain call detail record (CDR), as well as key network components such as domain controllers, web servers, and Microsoft Exchange servers.”

In some cases the groups overlapped, ending up in the same target environments and on the same endpoints at the same time. However, it is not possible to say with certainty whether they worked independently or whether they were all under the direction of a single core group.

“Whether these clusters are in fact interconnected or operated independently of each other is not entirely clear at the time of writing this report,” the researchers say. “We have proposed several hypotheses that may explain these overlaps, hoping that over time more information will become available to us and other researchers that will help shed light on this conundrum.”
