Cybereason’s Nocturnus team has uncovered a cyberespionage campaign called DeadRinger, where three threat actors are targeting telecom companies in Southeast Asia.
Tracking their techniques and tactics, researchers linked them to Chinese state groups, as APTs, and intended for stealing sensitive data from the targets. Instead, they’re seen exploiting old vulnerabilities in available machines.
Operating Since 2017
State-sponsored hacking groups aren’t always motivated by monetary means but are data-hungry. Thus, they involve in cyber reconnaissance and supply critical data to their sponsoring governments for a competitive edge.
While many advanced countries have their own Advanced Persistent Threat (APT) groups running covertly, Chinese and Russian are active among the community. And on Tuesday, the cybersecurity wing of Cybereason, Nocturnus has discovered a new campaign revealing three Chinese APT clusters.
All these are aiming at telecommunication companies working in Southeast Asia and have been traced back to 2017. However, the first one among them, named Soft Cell APT, has begun attacking since 2018.
The second was assumed to be from Naikon, started operations late last year, and is linked to the Chinese People’s Liberation Army’s (PLA) military bureau.
And the third was linked to APT27 (Emissary Panda) and was working from 2017 until early 2021. It was seen hitting Microsoft Exchange Servers vulnerabilities long before discovering and deploying other malicious software to harvest more data.
These include the China Chopper web shell, Mimikatz to harvest credentials, Cobalt Strike beacons, and backdoors to connect to their C2 server for data exfiltration. This campaign is collectively called as DeadRinger and was said to be achieving the model of Kaseya and SolarWinds incidents.
Hitting telecom companies can access critical systems like billing servers, which contain the Call Detail Record (CDR) data, and other network components like the domain controllers, web servers, and Microsoft Exchange servers.