Webinar: DeadRinger - Exposing Chinese Threat Actors Targeting Major Telcos

August 3, 2021 | 2 minute read

The Cybereason Nocturnus Research Team recently released a major threat intelligence research report titled DeadRinger: Exposing Chinese Threat Actors Targeting Major Telcos, which details the discovery of several previously unidentified attack campaigns targeting the telecommunications industry across Southeast Asia, where several clusters of attack activity were identified and assessed to be the work of several prominent APT groups who are known to conduct operations aligned with the interests of the Chinese government.

Date: August 12th, 2021
Time: 1:00 PM ET / 10:00 AM PT
REGISTER HERE

Join this webinar to hear analysis of the espionage operations, including:

    • Adaptive, Persistent and Evasive: The highly adaptive attackers worked diligently to obscure their activity and maintain persistence on the infected systems, dynamically responding to mitigation attempts after having evaded security efforts since at least 2017, an indication that the targets are of great value to the attackers.
    • Compromise of Third-Parties to Reach Specific Targets: Similar to the recent SolarWinds and Kaseya attacks, the threat actors first compromised third-party service providers - but in this case instead of using them to deliver malware through a supply chain attack, the intent was to leverage them to conduct surveillance of their customers' confidential communications.
    • Microsoft Exchange Vulnerabilities Exploited: Similar to the HAFNIUM attacks, the threat actors exploited recently disclosed vulnerabilities in Microsoft Exchange Servers to gain access to the targeted networks. They then proceeded to compromise critical network assets such as Domain Controllers (DC) and billing systems which contain highly sensitive information like Call Detail Record (CDR) data, allowing them access to the sensitive communications of anyone using the affected telecoms’ services. 
    • High Value Espionage Targets: Based on previous findings from the  Operation Soft Cell Report Cybereason published in 2019, as well as other published analysis of operations conducted by these threat actors, it is assessed that the telecoms were compromised in order to facilitate espionage against select targets. These targets are likely to include corporations, political figures, government officials, law enforcement agencies, political activists and dissident factions of interest to the Chinese government.
    • Operating in the Interest of China: Three distinct clusters of attacks have varying degrees of connection to APT groups Soft Cell, Naikon and Group-3390 -- all known to operate in the interest of the Chinese government. Overlaps in attacker TTPs across the clusters are evidence of a likely connection between the threat actors, supporting the assessment that each group was tasked with parallel objectives in monitoring the communications of specific high value targets under the direction of a centralized coordinating body aligned with Chinese state interests.
    • Potential for Broader Impact: These attacks compromised telcos primarily in ASEAN countries, but the attacks could be replicated against telcos in other regions. While the prevailing assessment is that the operations were intended for espionage purposes only, the fact remains that had the attackers decided to change their objectives from espionage to interference, they would have had the ability to disrupt communications for any of the affected telecoms’ customers.
Cybereason Security Team
About the Author

Cybereason Security Team

The Cybereason Security Team champions cyber defenders by providing future-ready attack protection that unifies security from the endpoint, to the enterprise, to everywhere the battle moves. The Cybereason Defense Platform combines the industry’s top-rated detection and response (EDR and XDR), next-gen anti-virus (NGAV), and proactive threat hunting to deliver context-rich analysis of every element of a Malop (malicious operation). The result: defenders can end cyber attacks from endpoints to everywhere.

All Posts by Cybereason Security Team

Speakers

pasted image 0 (9)-1

Assaf Dahan

Senior Director, Head of Threat Research at Cybereason

Assaf has over 15 years in the InfoSec industry. He started his career in the Israeli Military 8200 Cybersecurity unit where he developed extensive experience in offensive security. Later in his career he led Red Teams, developed penetration testing methodologies, and specialized in malware analysis and reverse engineering.

Capture (2)-1

Mor Levi

Vice President Security Practices at Cybereason

Mor Levi has over 8 years of experience in cyber investigations, incident response, and SIEM/SOC management. She began her career as a team leader in the Israeli Defense Force security operation center. Later, she led an incident response and forensics team at one of the big four accounting firms providing services to global organizations.