DeadRinger: Chinese APTs strike major telecommunications companies

Researchers have disclosed three cyberespionage campaigns focused on compromising networks belonging to major telecommunications companies. 

On Tuesday, Cybereason Nocturnus published a new report on the cyberattackers, believed to be working for "Chinese state interests" and clustered under the name "DeadRinger."

According to the cybersecurity firm, the "previously unidentified" campaigns are centered in Southeast Asia -- and in a similar way to how attackers secured access to their victims through a centralized vendor in the cases of SolarWinds and Kaseya, this group is targeting telcos. 

Cybereason believes the attacks are the work of advanced persistent threat (APT) groups linked to Chinese state-sponsorship due to overlaps in tactics and techniques with other known Chinese APTs.

Three clusters of activity have been detected with the oldest examples appearing to date back to 2017. The first group, believed to be operated by or under the Soft Cell APT, began its attacks in 2018. 

The second cluster, said to be the handiwork of Naikon, surfaced and started striking telcos in the last quarter of 2020, continuing up until now. The researchers say that Naikon may be associated with the Chinese People's Liberation Army's (PLA) military bureau. 

Cluster three has been conducting cyberattacks since 2017 and has been attributed to APT27/Emissary Panda, identified through a unique backdoor used to compromise Microsoft Exchange servers up until Q1 2021. 

Techniques noted in the report included the exploitation of Microsoft Exchange Server vulnerabilities -- long before they were made public -- the deployment of the China Chopper web shell, the use of Mimikatz to harvest credentials, the creation of Cobalt Strike beacons, and backdoors to connect to a command-and-control (C2) server for data exfiltration.

Cybereason says that in each attack wave, the purpose of compromising telecommunications firms was to "facilitate cyber espionage by collecting sensitive information, compromising high-profile business assets such as the billing servers that contain Call Detail Record (CDR) data, as well as key network components such as the domain controllers, web servers and Microsoft Exchange servers."

In some cases, each group overlapped and were found in the same target environments and endpoints, at the same time. However, it is not possible to say definitively whether or not they were working independently or are all under the instruction of another, central group.

"Whether these clusters are in fact interconnected or operated independently from each other is not entirely clear at the time of writing this report," the researchers say. "We offered several hypotheses that can account for these overlaps, hoping that as time goes by more information will be made available to us and to other researchers that will help to shed light on this conundrum."

Previous and related coverage

• Enterprise data breach cost reached record high during COVID-19 pandemic
  
• WhatsApp chief says government officials, US allies targeted by Pegasus spyware
  
• Chinese APT LuminousMoth abuses Zoom brand to target gov't agencies
  

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0