Assaf Dahan, Senior Director, Head of Threat Research, Cybereason
Two years ago, the Cybereason Nocturnus team uncovered a worldwide malicious campaign against telecommunications providers dubbed “Operation Soft Cell.” Now the researchers at Cybereason have uncovered a new series of pervasive attacks targeting some of the largest telecommunications providers in Southeast Asia: an ongoing espionage campaign that has been active for years. The campaign, dubbed “DeadRinger,” is detailed in a new report from Cybereason.
Threat researchers at Cybereason discovered multiple threat actors from China infiltrating telecommunications companies in Southeast Asia. Similar to recent attacks like SolarWinds and Kaseya, the DeadRinger attackers compromised a third-party provider in order to conduct surveillance of specific high-value targets.
The attackers' recent activity exploits recently disclosed vulnerabilities in Microsoft Exchange, including the vulnerabilities at the heart of the HAFNIUM attacks earlier this year. The campaign itself goes much farther back, though: the evidence shows activity since at least 2017.
The observed tactics reveal that the threat actors are primarily after call logs (call detail records), which they use to conduct cyber espionage against designated high-profile targets. However, the attackers have access to and control of these telecommunications networks, which could allow China to take other actions as well, such as cutting off telecommunication service to specific people or companies.
Cybereason Nocturnus researchers have identified three separate threat actors. All three have varying degrees of connection with known Chinese APT groups Soft Cell, Naikon, and Group-3390—all entities known to operate in the interest of the Chinese government.
While the targets and tactics are similar in some cases, and there is overlap between them in terms of scope and impact, it does not appear that they are working together or coordinating their efforts. Cybereason believes the different teams were likely assigned parallel objectives to monitor communications of high-value targets under the direction of a central, coordinating body aligned with Chinese interests.
Compromising the telecommunications providers enables the attackers to access and monitor communications without needing to directly hack or compromise the individual targets. Researchers found the attacks to be highly adaptive, persistent, and evasive. The attackers worked diligently to hide their activity and maintain persistence on compromised systems, even responding in real time to mitigation attempts and working to evade security efforts. The level of effort suggests that the targets are of great value to the attackers, and to the entity directing their activity.
The activity uncovered with DeadRinger compromised telcos primarily in Southeast Asian countries, but the same tradecraft could easily be replicated or expanded against telecommunications providers in other regions. The evidence indicates that these attacks were intended for espionage and surveillance only, but the attackers could very easily shift from espionage to interference: they have the ability to disrupt or terminate communications for affected telco customers.
It is notable that the DeadRinger report comes on the heels of the Biden Administration coordinating with global allies to condemn the Chinese government for its role in the HAFNIUM attacks targeting vulnerabilities in Microsoft Exchange Server.
The activity uncovered by the Cybereason Nocturnus research team provides insight into how sophisticated APT groups and threat actors infiltrate critical infrastructure as a stepping stone to the communications and intellectual property of the organizations that rely on it.
It highlights the need for clearer rules of engagement when it comes to cyber attacks and cyber espionage. Public and private sectors need to cooperate and work together, but how to do that most effectively is still being worked out.
How we defend our businesses today relies heavily on understanding the impact of attacks and how to protect the broader cyber ecosystem. The DeadRinger report is important because it provides intelligence and insight that organizations can use.