A diagram of the three APTs acting against Southeast Asian telecoms.
Image: Cybereason

New research has been published that points the finger at the Chinese government for being behind hacks of major telecommunications companies around Southeast Asia, all for the purpose of spying on high-profile individuals.

Published by Cybereason, the report said that it found evidence of three different clusters of attacks going back to at least 2017, all perpetrated by groups or individuals connected in some way to advanced persistent threat (APT) groups Soft Cell, Naikon and Group-3390, which have each operated for the Chinese government in the past.


Cybereason said it believes the goal of the attacks was to establish continuous access to telecom provider records “and to facilitate cyber espionage by collecting sensitive information, compromising high-profile business assets such as the billing servers that contain Call Detail Record (CDR) data, as well as key network components such as the Domain Controllers, Web Servers and Microsoft Exchange servers.”

Those up to date on the latest cybersecurity news will probably have heard of the exploit the attackers used to establish access. It’s the same one the China-based hacking group Hafnium used, and it’s the same one that allowed attackers to infiltrate SolarWinds and Kaseya: a set of four recently disclosed Microsoft Exchange Server vulnerabilities.

Target selection mirrors that of the SolarWinds, Kaseya and Hafnium attacks as well: in those instances, APTs compromised third parties with the intent to surveil high-value customers of the affected organizations, such as political figures, government officials, law enforcement, political dissidents and others.

Cybereason said its team started looking into Exchange vulnerabilities immediately after the Hafnium attacks. “During the investigation, three clusters of activity were identified and showed significant connections to known threat actors, all suspected to be operating on behalf of Chinese state interests,” the report said.

Overlap between the three clusters has occurred, Cybereason said, but it can’t figure out why: “There is not enough information to determine with certainty the nature of this overlap — namely, whether these clusters represent the work of three different threat actors working independently, or whether these clusters represent the work of three different teams operating on behalf of a single threat actor,” the report said.

Regardless of origin, the attackers have been highly adaptive and actively maintain the backdoors they have into telecom networks. The report found that “attackers worked diligently to obscure their activity and maintain persistence on the infected systems, dynamically responding to mitigation attempts,” which it said indicates that the targets are highly valuable to the attackers.


“These attacks compromised telcos primarily in ASEAN countries, but the attacks could be replicated against telcos in other regions,” the report concluded. As is often the case with widely publicized exploits used by APTs and cybercriminals, patches are available that close the gaps, and it’s in the best interest of companies using Microsoft Exchange, both in-house and through Outlook Web Access (targeted by one of the clusters), to apply them.

For more information on the report, be sure to attend Cybereason’s Aug. 5 seminar, where it will discuss its findings.