A recent analysis of previously unidentified cyberattacks now adds weight to the USA’s public rebuke of China.

On the heels of the Biden administration’s public rebuke of China’s Ministry of State Security for the recent HAFNIUM attacks exploiting unpatched Microsoft Exchange Server vulnerabilities, a recent cybersecurity report has revealed further Chinese involvement in several previously unidentified cyberattacks infiltrating major telecommunications providers across South-east Asia (SEA).

Cybereason’s report identifies multiple clusters of attack activity that had evaded detection since at least 2017 and are now assessed to be the work of several prominent Advanced Persistent Threat (APT) groups aligned with the interests of the Chinese government.

The report notes a significant overlap in tactics, techniques and procedures across the three operations and has assessed that the attackers were likely tasked with parallel objectives under the direction of a centralized coordinating body aligned with Chinese state interests.

Key findings

Similar to the recent SolarWinds and Kaseya attacks, the attackers first compromised third-party service providers. However, in the case of the SEA attacks, instead of using those providers to deliver malware through a supply chain attack, the intent was to leverage them to conduct surveillance of their customers’ confidential communications. Also:

  • After having evaded security efforts since at least 2017, the highly adaptive attackers had worked diligently to obscure their activity and maintain persistence on the infected systems, dynamically responding to mitigation attempts, an indication that the targets are of great value to the attackers.
  • Similar to the HAFNIUM attacks, the threat actors exploited recently disclosed vulnerabilities in Microsoft Exchange Servers to gain access to the targeted networks. They then proceeded to compromise critical network assets such as Domain Controllers and billing systems that contain highly sensitive information like Call Detail Record data, granting them access to the sensitive communications of anyone using the affected telecoms’ services.
  • Based on previous findings by Cybereason in 2019, as well as other published analyses of operations conducted by these threat actors, it is assessed that the telecom firms were compromised in order to facilitate espionage against select targets such as corporations, political figures, government officials, law enforcement agencies, political activists and dissident factions of interest to the Chinese government.
  • Three distinct clusters of attacks have varying degrees of connection to APT groups Soft Cell, Naikon and Group-3390—all known to operate in the interest of the Chinese government. Overlaps in attack characteristics across the clusters are evidence of a likely connection between the threat actors, supporting the assessment that each group was tasked with parallel objectives in monitoring the communications of specific high value targets under the direction of a centralized coordinating body aligned with Chinese state interests.
  • These attacks compromised telcos primarily in ASEAN countries, but the attacks could be replicated against telcos in other regions. While the prevailing assessment is that the operations were intended for espionage purposes only, the fact remains that, had the attackers decided to change their objectives from espionage to interference, they would have had the ability to disrupt communications for any of the affected telecoms’ customers.

According to the firm’s CEO and co-founder Lior Div: “These state-sponsored espionage operations not only negatively impact the telcos’ customers and business partners, they also have the potential to threaten the national security of countries in the region and those who have a vested interest in the region’s stability.”