QUICKLOOK: Chinese Cyber Espionage: Persistent Threats to Global Telecom Providers
Unveiling the Sophisticated Tactics and Tools of APT Groups Targeting Asia and the Middle East
BLUF (Bottom Line Up Front)
Multiple Chinese cyber espionage groups have been targeting telecom providers globally since at least 2021, with a focus on Asia and the Middle East. These groups use custom malware and backdoors for intelligence gathering and potential infrastructure disruption, demonstrating China's persistent efforts in this sector.
Key Details
Threat Actors:
Gallium (also known as Soft Cell)
Mustang Panda (Earth Preta, Fireant)
RedFoxtrot (Needleminer, Nomad Panda)
Naikon (Firefly)
Malware and Tools:
COOLCLIENT, QUICKHEAL, RainyDay backdoors
PingPull backdoor
Custom Mimikatz variant "mim221"
New dropper mechanism observed in recent attacks
Attack Methods:
Initial access via compromised Microsoft Exchange servers
Webshell deployment for command execution
Use of C:\MS_DATA as the main working directory
Reconnaissance using dsquery, query, and Local Group (LG) tools
Lateral movement via PsExec and net use commands
Credential theft through custom Mimikatz variants and registry hive dumping
Targets:
Telecom providers in Southeast Asia, Europe, Africa, and the Middle East
Recent focus on providers in a single Asian country
Some attacks on telecom sector service companies and universities
Recent Campaign:
"Operation Tainted Love" observed in Q1 2023
Evolution of Operation Soft Cell tooling
Implications/Trends:
Ongoing refinement of evasion techniques:
In-memory mapping of malicious images
Selective termination of Event Log threads
Staging credential theft within the LSASS process
Evidence of tool sharing between Chinese groups
Aligns with China's strategic interest in telecom intelligence
Potential for future critical infrastructure disruption
Sustained focus on Asian and Middle Eastern telecom sectors
Infection Vector and Initial TTPs
The earliest attack indicators we observed were commands executed through webshells on compromised Microsoft Exchange servers. The threat actors used C:\MS_DATA as their main working directory for storing malware and for staging data before exfiltration. Because the Microsoft TroubleShootingScript toolset (TSSv2) also writes its log files to C:\MS_DATA, we suspect the directory was chosen so that malicious file system activity would blend in with legitimate tooling. For defenders, this cuts the other way: on a host where TSSv2 has never been run, any process creating files under C:\MS_DATA deserves a look, and even where it has, a cmd.exe spawned by the IIS worker process (w3wp.exe) with that directory as its working directory is not normal Exchange behaviour.
After establishing an initial foothold, the threat actor conducted reconnaissance, querying user and network information with a variety of tools. For example, the attackers used dsquery to pull Active Directory objects, including user accounts and their group memberships, and query user to list Remote Desktop sessions on the host. They also used the Local Group (LG) tool to enumerate the local groups and their members on specific machines in the domain.
"cmd" /c cd /d C:\MS_DATA\&dsquery * -limit 0 -filter "&(objectClass=User)(objectCategory=Person)" -attr objectSID sAMAccountName displayName mail memberOf >da.back&cd
"cmd" /c cd /d c:\windows\system32\inetsrv\&query user&cd
"cmd" /c cd /d C:\MS_DATA\&lg.exe \\[IP ADDRESS] -lu >169.txt&cd
The attackers then check connectivity with both the Internet and specific local machines of interest.
"cmd" /c cd /d c:\windows\system32\inetsrv\&ping 8.8.8.8 -n 1&cd
"cmd" /c cd /d c:\windows\system32\inetsrv\&ping -n 1 [IP ADDRESS/HOSTNAME]&cd
They also retrieved networking information, such as adapter configuration, existing SMB sessions, and listening services, in particular Remote Desktop Protocol (RDP) on port 3389 and connections to specific hosts.
"cmd" /c cd /d C:\MS_DATA\&ipconfig /all&cd
"cmd" /c cd /d c:\windows\system32\inetsrv\&net use&cd
"cmd" /c cd /d c:\windows\system32\inetsrv\&netstat.exe -nob
"cmd" /c cd /d c:\windows\system32\inetsrv\&netstat -aon |find "3389"&cd
"cmd" /c cd /d C:\MS_DATA\&netstat -aon |find "[IP ADDRESS]"&cd
The threat actor used the native makecab tool to compress the gathered information for exfiltration. Note that makecab produces a CAB archive regardless of the output name; the .zip extension here is cosmetic, and a file under C:\MS_DATA that carries a .zip name but a CAB header (MSCF) is a useful hunting artefact.
"cmd" /c cd /d C:\MS_DATA\&makecab da.back d.zip >1.txt&cd
For lateral movement, the attackers used the PsExec tool and the net use command to access shared resources on remote machines. The credentials were passed inline on the command line, which means the domain account and its password are recorded verbatim in process-creation telemetry (Sysmon Event ID 1 or Security Event 4688 with command-line auditing enabled) on the compromised host.
"cmd" /c cd /d C:\MS_DATA\&net use \\[IP ADDRESS] [PASSWORD] /u:[DOMAIN]\[USERNAME]
To steal credentials, the attackers used custom-modified versions of Mimikatz, including an executable named pc.exe.
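The command lines quoted in this section share a small number of recurring features: a shell spawned by the IIS worker process, C:\MS_DATA as the working directory, the user-dump dsquery filter, lg.exe against remote hosts, netstat piped into find for port 3389, makecab over the staged .back file, and net use with inline credentials. The following Python hunting script turns those features into weighted indicators and runs them over process-creation records. It is an added example, not code from the original report or from any vendor; the event records are constructed for illustration, the field names follow Sysmon's ParentImage/Image/CommandLine naming, and the indicator weights and the alert threshold are this example's own assumptions.

```python
"""Hunt for the Operation Tainted Love style command-line patterns in
process-creation telemetry (Sysmon Event ID 1 / Security 4688 style records).

Added example, not code from the original report. Event records below are
constructed; the weights and threshold are assumptions for illustration.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    host: str
    parent_image: str
    image: str
    command_line: str


# (indicator name, regex over the command line, weight). The patterns are
# derived from the commands quoted in the report; the weights are assumed.
INDICATORS = [
    ("ms_data_workdir",     re.compile(r"cd\s+/d\s+c:\\ms_data\\?", re.I), 3),
    ("dsquery_user_dump",   re.compile(r"dsquery\s+\*.*objectClass=User", re.I), 3),
    ("lg_localgroup_enum",  re.compile(r"\blg\.exe\s+\\\\", re.I), 3),
    ("rdp_session_query",   re.compile(r"\bquery\s+user\b", re.I), 1),
    ("rdp_port_sweep",      re.compile(r"netstat.*\|\s*find\s+\"3389\"", re.I), 2),
    ("makecab_staging",     re.compile(r"\bmakecab\s+\S+\.back\b", re.I), 3),
    ("net_use_inline_cred", re.compile(r"\bnet\s+use\s+\\\\\S+\s+\S+\s+/u:", re.I), 3),
    ("output_redirect",     re.compile(r">\s*\S+\.(txt|back)\b", re.I), 1),
]

# IIS worker process: a cmd.exe child of this is the webshell execution pattern.
WEBSHELL_PARENTS = {"w3wp.exe"}


def score_event(ev: ProcEvent):
    """Return (score, [indicator names]) for one process-creation record."""
    hits, score = [], 0
    parent = ev.parent_image.lower().rsplit("\\", 1)[-1]
    if parent in WEBSHELL_PARENTS and ev.image.lower().endswith("cmd.exe"):
        hits.append("iis_worker_spawned_cmd")
        score += 4
    for name, pattern, weight in INDICATORS:
        if pattern.search(ev.command_line):
            hits.append(name)
            score += weight
    return score, hits


def hunt(events, threshold=4):
    """Return (host, score, hits, command_line) for records at or above threshold."""
    results = []
    for ev in events:
        score, hits = score_event(ev)
        if score >= threshold:
            results.append((ev.host, score, hits, ev.command_line))
    return results


W3WP = r"C:\Windows\System32\inetsrv\w3wp.exe"
CMD = r"C:\Windows\System32\cmd.exe"

# Constructed records. The first four mirror commands quoted in the report
# (placeholders replaced with illustrative values); the last two are benign.
SAMPLE_EVENTS = [
    ProcEvent("EXCH01", W3WP, CMD,
              r'"cmd" /c cd /d C:\MS_DATA\&dsquery * -limit 0 -filter '
              r'"&(objectClass=User)(objectCategory=Person)" -attr objectSID '
              r'sAMAccountName displayName mail memberOf >da.back&cd'),
    ProcEvent("EXCH01", W3WP, CMD,
              r'"cmd" /c cd /d C:\MS_DATA\&makecab da.back d.zip >1.txt&cd'),
    ProcEvent("EXCH01", W3WP, CMD,
              r'"cmd" /c cd /d c:\windows\system32\inetsrv\&netstat -aon |find "3389"&cd'),
    ProcEvent("EXCH01", W3WP, CMD,
              r'"cmd" /c cd /d C:\MS_DATA\&net use \\10.0.0.5 P@ssw0rd /u:CORP\svc_backup'),
    # Benign: an admin running dsquery interactively on a domain controller.
    ProcEvent("DC01", r"C:\Windows\explorer.exe", CMD, r"cmd /c dsquery computer -limit 10"),
    # Benign: TSSv2 output being inspected from PowerShell, no webshell parent.
    ProcEvent("SRV02", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", CMD,
              r"cmd /c dir C:\MS_DATA"),
]


if __name__ == "__main__":
    for host, score, hits, cmdline in hunt(SAMPLE_EVENTS):
        print(f"{host} score={score} {hits}\n    {cmdline}")
```

The weights are deliberately skewed so that a single generic hit (a redirect to a .txt file, or query user on its own) never alerts by itself, while the IIS-worker-spawns-cmd relationship clears the threshold alone, since that parent/child pair is the webshell signature regardless of what was typed. In production the same logic belongs in an EDR or SIEM query, with the working-directory indicator tuned to hosts where TSSv2 is actually in use.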
Summary
Recent investigations have uncovered a series of sophisticated cyber espionage campaigns targeting telecommunication providers across Asia, the Middle East, and beyond. These attacks, attributed to multiple Chinese state-sponsored groups, have been ongoing since at least 2021, with some activity potentially dating back to 2020. The primary actors involved include Gallium (also known as Soft Cell), APT41, Mustang Panda, RedFoxtrot, and Naikon, each operating with its own set of tools and techniques.
The attackers have deployed a range of custom malware and backdoors in their operations. Tools such as COOLCLIENT, QUICKHEAL, RainyDay, and PingPull have been identified, along with a custom Mimikatz variant dubbed "mim221". These sophisticated tools enable the threat actors to maintain persistence, conduct reconnaissance, and exfiltrate sensitive data from compromised networks. In early 2023, security researchers observed a new campaign called "Operation Tainted Love," which represents an evolution of the toolsets associated with the earlier Operation Soft Cell, demonstrating the continuous development and refinement of the attackers' capabilities.
While telecommunication providers across Southeast Asia, Europe, Africa, and the Middle East have been targeted, recent campaigns have shown a particular focus on providers within a single Asian country. This concentration of effort suggests a strategic interest in gathering intelligence from specific regions. Additionally, some attacks have branched out to target services companies that support the telecom sector and even universities, indicating a broader intelligence-gathering mission.
The sophistication of these attacks is evident in the evasion techniques employed. Attackers use methods such as in-memory mapping of malicious images to avoid detection by endpoint security solutions, selective termination of Event Log threads to inhibit logging without raising suspicion, and staging credential theft capabilities directly within the LSASS process. These advanced techniques, coupled with evidence of tool sharing and possible collaboration between different Chinese groups, point to a well-resourced and coordinated effort.
The persistent nature of these campaigns aligns with China's strategic interests in gathering intelligence on telecommunications infrastructure in various regions. Beyond immediate intelligence value, these efforts may also be laying the groundwork for potential future disruption of critical infrastructure. The focus on telecom providers gives the attackers potential access to vast amounts of sensitive communications and data, making these targets particularly valuable from an espionage perspective.