Three different Chinese APTs target telcos in Southeast Asia

Security researchers at Cybereason have detailed three cyberespionage campaigns targeting major telecommunications firms across Southeast Asia, conducted by threat actors believed to be working for "Chinese state interests."

Dubbed "DeadRinger," the three malicious campaigns are centered in Southeast Asia and are aimed at collecting sensitive information, compromising high-profile business assets such as the billing servers that contain Call Detail Record (CDR) data, as well as key network components such as the Domain Controllers, Web Servers and Microsoft Exchange servers.

The first cluster of activity is believed to be operated by Soft Cell, a threat actor active since at least 2012 and known for its attacks against telcos in multiple regions including Southeast Asia. The activity around this cluster started in 2018 and continued through Q1 2021, the researchers said.

The second cluster, believed to be the work of the Naikon cyberespionage group, started attacking telecommunications companies in the last quarter of 2020, continuing up until now. According to Cybereason, Naikon may be associated with the Chinese People's Liberation Army's (PLA) military bureau.

The third cluster has been attributed to a Chinese threat actor tracked by various researchers as Group-3390 (APT27 or Emissary Panda) and appears to have been conducting cyberattacks since 2017. The attacks involved a unique OWA backdoor that attackers deployed across multiple Microsoft Exchange and IIS servers.

The researchers said that they noticed an interesting overlap among the three clusters – in some cases all three threat actors were observed in the same target environment, around the same timeframe, and on the same endpoints. However, there is not enough information to say definitively whether these groups are working independently or operating under the control of a single threat actor.

The techniques the threat actors were observed using included the exploitation of Microsoft Exchange Server vulnerabilities, the deployment of the China Chopper web shell, the use of Mimikatz to collect credentials, the creation of Cobalt Strike beacons, and backdoors to connect to a command and control server for data exfiltration.

“One thing that remains consistent and evident in all three clusters is that they all point to threat actors that are believed to be operating on behalf of Chinese state interests. It is also not surprising that the Telcos targeted in these intrusions are located in ASEAN countries, some of which have long term publicly known disputes with the PRC (People’s Republic of China),” the research team said.
