Cybersecurity firm blames China for attacks on Asian telcos

Cybereason says 'multiple threat actors' from China have infiltrated carriers in Southeast Asia. Some attacks, say the cybersecurity firm, go back to 2017.

Ken Wieland, contributing editor

August 3, 2021

4 Min Read
Cybersecurity firm blames China for attacks on Asian telcos

Cybereason, a cybersecurity firm, has pinned the blame on China-backed threat actors for a series of "pervasive attacks" on some of the largest telcos in Southeast Asia. Because of their activities, says Cybereason, China has been able conduct cyber espionage against "designated high-profile targets."

The cybersecurity firm further warns that the attackers have access to (and control) of various networks. If they wanted, reckoned Cybereason, China could shut down telecom services to specific people or companies. Some of the attacks have apparently been going on since at least 2017.

"The attacks are very concerning because they undermine the security of critical infrastructure providers and expose the confidential and proprietary information of both public and private organizations that depend on secure communications for conducting business," said Cybereason CEO and Co-Founder Lior Div.

Figure 1: Spider to the fly: China could shut down telecom services to specific people or companies, say Cybereason. (Source: Gerd Altmann from Pixabay) Spider to the fly: China could shut down telecom services to specific people or companies, say Cybereason.
(Source: Gerd Altmann from Pixabay)

"These state-sponsored espionage operations not only negatively impact the telcos' customers and business partners, they also have the potential to threaten the national security of countries in the region and those who have a vested interest in the region's stability."

Named and shamed

The alarming findings were laid out in a new Cybereason report published today, entitled DeadRinger: Exposing Chinese Threat Actors Targeting Major Telcos. Following the disclosure of Hafnium attacks targeting Microsoft Exchange vulnerabilities, the "Cybereason Nocturnus" team "proactively hunted" for various threat actors trying to leverage similar techniques.

The team turned its attention to three clusters of intrusions they detected targeting the telecoms industry across Southeast Asia, each of which “showed significant connections” to prominent Advanced Persistent Threat groups aligned with the interests of the Chinese government.

Cybereason determined that "cluster A" was operated by Soft Cell, an activity group in operation since 2012, previously attacking Telcos in multiple regions including Southeast Asia, and which was first discovered by Cybereason in 2019.

"We assess with a high level of confidence that the Soft Cell activity group is operating in the interest of China," said the report. "The activity around this cluster started in 2018 and continued through Q1 2021."

"Cluster B" was assessed by Cybereason to be operated by the Naikon APT threat actor, "a highly active cyber espionage group in operation since 2010 which mainly targets ASEAN countries."

Cyber espionage

The Naikon APT group was previously attributed to the Chinese People's Liberation Army's (PLA) Chengdu Military Region Second Technical Reconnaissance Bureau (Military Unit Cover Designator 78020). The activity around this cluster was first observed in Q4 2020, observed the Cybereason Nocturnus team, and continued through Q1 2021.

"Cluster C," dubbed a "mini-cluster," was found to be characterized by a unique OWA [Outlook Web Application] backdoor that was deployed across multiple Microsoft Exchange and IIS servers.

Want to know more about security? Check out our dedicated security channel here on
Light Reading.

Cybereason's analysis of the backdoor showed "significant code similarities" with a previously documented backdoor used in the operation dubbed Iron Tiger, which was attributed to a Chinese threat actor tracked by various researchers as Group-3390. Activity around this cluster was observed between 2017 and Q1 2021.

Based on its analysis of cluster activity, the report's authors starkly conclude that the goal of the attackers behind these intrusions was to "gain and maintain continuous access to telecommunication providers and to facilitate cyber espionage by collecting sensitive information, compromising high-profile business assets, such as the billing servers that contain call detail record data, as well as key network components, such as the domain controllers, web servers and Microsoft Exchange servers."

Related posts:

— Ken Wieland, contributing editor, special to Light Reading

Read more about:


About the Author(s)

Ken Wieland

contributing editor

Ken Wieland has been a telecoms journalist and editor for more than 15 years. That includes an eight-year stint as editor of Telecommunications magazine (international edition), three years as editor of Asian Communications, and nearly two years at Informa Telecoms & Media, specialising in mobile broadband. As a freelance telecoms writer Ken has written various industry reports for The Economist Group.

Subscribe and receive the latest news from the industry.
Join 62,000+ members. Yes it's completely free.

You May Also Like