China-Linked Cyber-Espionage Teams Target Asian Telecoms

At least three cyber-espionage groups have compromised telecommunications operators in multiple countries in the Asia-Pacific region, placing backdoors inside the communications providers' networks, stealing credentials, and using custom malware to gain control and compromise other systems, according to analyses published by two cybersecurity firms in the past week.

Tools from a trio of China-linked groups — Fireant, Neeedleminer, and Firefly — were used to compromise telecommunications companies in at least two Asian nations, according to an analysis published by technology giant Broadcom's Symantec cybersecurity division. The groups — also known as Mustang Panda, Nomad Panda, and Naikon, respectively — previously have been associated with widespread attacks against a variety of countries in the Asia-Pacific region.

Attackers see telecommunications companies as a strong launchpad from which to compromise other systems, eavesdrop on communications, or cybercrime, says Dick O'Brien, principal threat intelligence analyst for Symantec's threat hunter team.

"There's the potential for eavesdropping and surveillance but also, because telecoms is critical infrastructure, you could create significant disruption in your target country," O'Brien says. "We think that there is a distinct possibility that the motive for these attacks was similar to what the US government has been repeatedly warning about."

In April, senior US officials warned that China-linked attackers had begun compromising critical infrastructure as a way to pre-position their offensive cyber operations for future conflicts. Japan and the Philippines created a trilateral alliance for sharing information on cyber threats, especially those from China. The alliance is similar to another trilateral information-sharing agreement between Japan and South Korea.

The attacks come as other Asian nations continue to struggle with increasing cyberattacks. On June 24, Indonesia's government acknowledged that cybercriminals had compromised its National Data Center and demanded an $8 million ransom. Rather than pay, the government is trying to recover, but the attack has disrupted services for more than 200 agencies.

Taiwan is currently dealing with a spate of attacks by a Chinese state-sponsored group, dubbed RedJuliett, which has attacked 24 different government agencies, educational institutions, and technology firms, threat-intelligence firm Recorded Future stated in an analysis published on June 24.

Cyberattackers Reach Out and Call

The focus on telecommunications companies is unsurprising: The infrastructure operators are the hub for most traffic on the Internet, making compromising their infrastructure extremely valuable, says Sergey Shykevich, threat intelligence group manager at cybersecurity firm Check Point Software.

"The ultimate jackpot for an attacker with access to telecom networks is the CRM database of telco clients, allowing real-time access to SMS messages, locations, and other sensitive information," he says. "Disruption of telecommunications companies can definitely be devastating for countries and users, as it happened just several month ago in Ukraine. However, in most instances, I believe the primary objective of targeting telecommunication companies is espionage and the valuable data they possess."

In October 2023, Check Point Research released details of an Iran-linked espionage campaign that had primarily targeted government agencies and telecommunications providers.

Another example: Pakistan has become a focus of communications-based attacks, as the quickly digitalization of the country and its geopolitical environment has made it the leading target of reflection-based distributed denial-of-service (DDoS) attacks by a significant margin last year, says Donny Chong, director at Nexusguard, a Singapore-based firm focused on defenses against denial-of-service attacks.

"The risk surrounding telecoms is that if you disrupt telecoms infrastructure, you also disrupt a lot of other critical infrastructure," he says. "There are other sectors, too, which we frequently see targeted by application and multivector attacks — the tech, finance, banking, and insurance sectors in particular have had a hard time with these attacks."

Multiple Threat Groups

The attack on the unnamed Asian telecommunications firm included three custom attack tools, executing code in memory to avoid detection, and using legitimate software to load in malicious code — a technique known as sideloading. (Symantec would not name the targeted firms nor the two countries where they were investigating attacks.)

The threat group, or groups, are relatively sophisticated, says Symantec's O'Brien.

"The fact that most of the payloads run in memory means that they can be difficult to detect," he says. "The technique of sideloading using legitimate executables is favored by APT actors, presumably because the legitimate files they leverage are less likely to raise red flags."

The analysis suggested that, while the threat groups could be collaborating with one another — say, different arms of the Chinese government working together — other connections are possible, such as different groups using the same tools or a single group using all three tools.

The connections between actors are often complicated. In 2021, a campaign of espionage attacks — dubbed "Stayin' Alive" — targeted the telecommunications industry and governments of Vietnam, Uzbekistan, and Kazakhstan, using a simple downloader known as CurKeep. The attackers used the same infrastructure as a group known as ToddyCat by cybersecurity firm Kaspersky, which considers the threat actor fairly sophisticated.