Chinese Hackers Attacking Telcos Using Espionage Tools to Steal Credentials

A long-running espionage campaign by attackers using tools associated with Chinese hacking groups has breached multiple telecom operators in an Asian country since at least 2021, with evidence suggesting activity may date back to 2020.

The attackers installed backdoors on targeted companies’ networks and attempted to steal credentials.

EHA

According to Symantec analysis Nearly all of the organizations targeted were telecoms, a services company in the telecoms sector, and a university in another Asian nation.

Attackers Deployed Custom Malware

Coolclient is a backdoor used by the Fireant group (Mustang Panda) to log keystrokes, manipulate files, and communicate with a command and control server.

Quickheal, a backdoor long associated with the Neeedleminer group (aka RedFoxtrot).

The variant used was nearly identical to one documented in 2021, communicating with a hardcoded C&C server over a custom protocol disguised as SSL traffic.

Rainy Day is a backdoor employed by the Firefly group (aka Naikon). Most variants were executed using a loader that decrypts a payload from an external file.

Scan Your Business Email Inbox to Find Advanced Email Threats - Try AI-Powered Free Threat Scan

In addition to the backdoors, the attackers used keylogging malware, port scanning tools, credential dumping, and the Responder LLMNR/NBT-NS/mDNS poisoning tool, enabling RDP on compromised systems.  

The tools have strong links to multiple Chinese espionage groups. Coolclient, Quickheal, and Rainyday are each exclusively used by the Fireant, Needleminer, and Firefly groups, respectively, reads the report.

Multiple security firms consider all three groups to be operating from China.

  • Coolclient, a backdoor used by the Fireant group (aka Mustang Panda) to log keystrokes, manipulate files, and communicate with a command and control server.
  • Quickheal, a backdoor long associated with the Neeedleminer group (aka RedFoxtrot). The variant used was nearly identical to one documented in 2021, communicating with a hardcoded C&C server over a custom protocol disguised as SSL traffic.
  • Rainyday, a backdoor employed by the Firefly group (aka Naikon). Most variants were executed using a loader that decrypts a payload from an external file.

Whether the campaign involves multiple actors operating independently, a single actor using shared tools and personnel, or a collaborative effort remains unclear.

In addition to the custom backdoors, the attackers employed various other tactics, techniques, and procedures (TTPs), such as keylogging malware, port scanning tools, credential theft through the dumping of registry hives, and the use of publicly available tools like Responder.

The ultimate motive is also uncertain but may involve intelligence gathering on the telecoms sector, eavesdropping, or establishing a disruptive capability against the country’s critical infrastructure.

The incident highlights the persistent threat of Chinese state-sponsored hacking against sensitive industries like telecommunications.

Organizations are advised to bolster monitoring for signs of compromise and ensure robust defenses are in place to protect against stealthy espionage campaigns by advanced adversaries

Free Webinar! 3 Security Trends to Maximize MSP Growth -> Register For Free