Threat actors often target high-profile organizations in critical sectors to spread their attack vector to a larger extent. From power plants to food processing units, cyberattacks on essential services have been increased in recent times. Security experts from Cybereason Nocturnus discovered three different malicious campaigns targeting multiple telecommunication companies located across Southeast Asia since 2017.
Tracked as DeadRinger, the three campaigns are focused on obtaining sensitive information by compromising critical digital assets like billing servers and Call Detail Record (CDR), including network components like Web Servers, Domain Controllers, and Microsoft Exchange servers. Cybereason linked the campaigns to three Chinese threat actor groups, namely Gallium (also known as Soft Cell), Naikon APT (also known as APT30 and Lotus Panda), and TG-3390 (also called as APT27 and Emissary Panda).
Attackers are leveraging advanced techniques to maintain persistence on the compromised devices and changing their hacking tactics to evade security detections. Successful compromise of the telecom networks enables attackers to perform various attacks, including credential theft, network reconnaissance, and data exfiltration.
The main activities of the campaigns include:
- Reconnaissance and information gathering about infected hosts
- Reconnaissance activity to collect information about the endpoint and network
- Searching for security tools and attempting to disable or kill their processes
- File and process manipulation
- Execution of arbitrary commands
- Privilege escalation
- C2 communications using raw sockets
- RC4 data encryption for communication between the C2 and the target
Three Groups One Target
Despite targeting as three individual groups, the campaigns share similarities in various aspects. Cybereason’s researchers suspect that the three groups are working under one cybercriminal group.
“In some instances, all three clusters of activity were observed in the same target environment, around the same timeframe, and even on the same endpoints. At this point, there is not enough information to determine with certainty the nature of this overlap — namely, whether these clusters represent the work of three different threat actors working independently, or whether these clusters represent the work of three different teams operating on behalf of a single threat actor. Regardless, we do offer several plausible hypotheses that might account for this observation,” Cybereason said.
Chinese Hackers Target Indian Power Sector
In the recent past, security research from Recorded Future found a China-linked threat actors group, dubbed RedEcho, targeting 12 Indian organizations, 10 of which were in the power sector. The researchers uncovered a subset of the servers that share familiar tactics, techniques, and procedures (TTPs) with several previously reported Chinese state-sponsored groups. Read More Here…