Attack protection specialist Cybereason has targeted threat operators working on behalf of “Chinese state interests” as if they were behind the attacks on telecom operators operating in Southeast Asia – some of them searching for infiltrated information networks for high-end targets. value from 2017
The Cybereason DeadRinger report, published today, described the attacks as being carried out by “highly adaptive” groups who “worked hard to hide their activities and maintain persistence on infected systems”.
However, the telecommunications companies themselves were not the main targets, but a source for monitoring activists, politicians, business leaders and others.
“Telecommunications operators are a major target for spyware at the national level for a variety of reasons, including the ability to gather information about the telecommunications company’s subscribers,” Asaf Dahan, senior director and head of threat research at Cybereason, told The register. “Knowing the location of people you’ve talked to or sent text messages to can be key to facilitating cyber espionage and building profiles on a target list.
“We identified hundreds of gigabytes of data extracted from the environment during our investigation. The actors in the threat were after high-value targets, including business leaders, government officials, politicians, political activists, law enforcement officials, human rights activists and anyone who is the Chinese government feeling is of interest. “
Perhaps the most surprising – and disturbing – finding in the report: intruders have been working in some of the systems for years, in one case until 2017. As for how they could go unnoticed for so long: “It’s not easy a question for an answer, “Dahan told us.” I will still give possible explanations.
“First, the groups involved in these intrusions are considered APTs of the highest level [Advanced Persistent Threat] groups known for their sophistication, advanced techniques and stealth. One of their main goals was to maintain access to telecommunications operators’ networks and stay on the radar for as long as possible, and APT groups are investing heavily in their efforts to cover their tracks.
“Second, each organization has its own security position, relying on various security measures and tools put in place to protect the network,” Dahan continued. “Not all security tools are born equal, and unfortunately traditional security tools can often miss complex attacks. Third, even the best security solution must be used by people at the end of the day – and people can make mistakes. “
The report found that three groups were involved in the attacks, described as “having significant links to prominent actors in the threat, all suspected of acting on behalf of Chinese state interests”: Soft Cell, “acting in China’s interest”; Naykon’s APT group, “formerly assigned to the Second Technical Intelligence Bureau of the Chinese People’s Liberation Army of Chengdu”; and a smaller third group that may be associated with a threat called Group-3390, also known as Emissary Panda.
“It should be noted that the Cybereason Nocturnus team also observed an interesting overlap between the three clusters,” the report added. “In some cases, all three activity clusters were observed in the same target environment, around the same time frame, and even at the same endpoints.
“At this stage, there is not enough information to determine with certainty the nature of this overlap – namely whether these clusters represent the work of three different threat actors, working independently, or whether these clusters represent the work of three different teams acting on behalf of a single participant in the threat. “
“The attacks are very worrying because they undermine the security of critical infrastructure providers and reveal confidential and proprietary information to both public and private organizations that depend on secure communications to do business,” said Cybereason chief and co-founder Lior Div of statement of findings.
“These state-sponsored espionage operations not only have a negative impact on telecommunications company’s customers and business partners, but also have the potential to threaten the national security of countries in the region and those with a personal interest in stability in the region.”
While Cybereason’s research focuses on telecommunications in Southeast Asia, Dahan told us that the same APT groups were responsible for some attacks on many industries, including telecommunications, around the world – and advised how potential targets should be defended.
“First, I would recommend that they take a closer look at the study report – try to use our trade-off indicators, and especially our behavioral indicators, and slide through their organization’s network in search of such signs of compromise,” he told us.
“In addition, I would recommend that they map the threats associated with their organization (threat modeling), find out who can target them, and then proactively look for indicators and tactics, techniques and procedures related to these groups of threats.
“Finally, I recommend that you make sure that they have the appropriate security tools, that they have a good ability to respond to incidents and other security procedures that can handle different types of attacks.”
The full report is available at Cybereason website. ®