In the summer of 2019, our researchers discovered a massive malicious campaign against telecommunications providers that we dubbed Operation Soft Cell. This week, our researchers revealed details of more pervasive attacks against telecommunications providers. The DeadRinger report reveals a cyber espionage campaign out of China targeting providers in Southeast Asia.
What We Know
One thing that stands out about DeadRinger is its resemblance, in some respects, to recent supply-chain attacks such as SolarWinds and Kaseya. Rather than attacking their intended targets directly, the DeadRinger attackers compromised third-party service providers (here, telecommunications providers) that those targets rely on. The objective differed, though: SolarWinds and Kaseya used the compromised vendor to distribute malware downstream, whereas DeadRinger used the providers' networks to conduct covert surveillance of their subscribers.
The Cybereason Nocturnus team identified three separate threat actors operating in parallel. The three groups—Soft Cell, Naikon, and Group-3390—have one thing in common: they are all APT groups known to work on behalf of Chinese interests. The groups employed similar techniques, used some of the same tools and tactics, and even went after the same targets, leading our researchers to assess that they appear to be coordinating their efforts. We believe that a central body aligned with Chinese interests assigned the groups parallel objectives to capture and monitor communications of high-value targets.
Our researchers found the attacks to be highly adaptive, persistent, and evasive. The threat actors worked carefully to hide their activity and strove to maintain persistence on compromised systems. They circumvented traditional security solutions and were even observed responding in real time to evade mitigation efforts. The level of skill and sophistication suggests that the targets are of great value to whoever is directing these cyber espionage campaigns.
DeadRinger and Cyber Espionage
The Biden administration recently coordinated with global allies to condemn China for its role in the HAFNIUM attacks targeting vulnerabilities in Microsoft Exchange Server earlier this year. While the activity observed in the DeadRinger report goes back long before that—as early as 2017—this research illustrates the challenges we face with cybersecurity, and how far we have to go when it comes to establishing rules of engagement for cyber espionage.
The activity observed by our researchers as part of DeadRinger was focused on cyber espionage: capturing call, location, and messaging data for specific high-value targets. However, the attackers had sufficient access to and control over the compromised networks that they could have shut the telecommunications providers down outright, had they chosen to.
In the wake of President Biden cautioning that a cyber attack could escalate hostilities to the point of physical warfare, it is imperative that the nations of the world define clear rules of engagement for state-sanctioned or state-sponsored cyber operations. It is also important for public and private sector organizations to work together to improve cybersecurity in general, so that we can detect and respond to threats more effectively.