A cyber espionage campaign is targeting telecoms companies around the world with attacks using malicious downloads in an effort to steal sensitive data – including information about 5G technology – from compromised victims.
Uncovered by cybersecurity researchers at McAfee, the campaign is targeting telecommunications providers in Southeast Asia, Europe and the United States. Dubbed Operation Diànxùn, researchers say the attacks are the work of a hacking group working out of China.
The group, also known as Mustang Panda and RedDelta, has a history of hacking and espionage campaigns targeting organisations around the world – and now it appears to be focused on compromising telecoms providers.
At least 23 telecommunications providers are suspected to have been targeted as part of the campaign which has been active since at least August 2020. It hasn’t been disclosed how many of the targets were successfully compromised by hackers.
While the initial means of infection hasn’t yet been identified, it’s known that victims are directed towards a malicious phishing domain under the control of the attackers which is used to deliver malware to victims.
According to researchers, the malicious web page masquerades as a Huawei careers site, which has been designed to look indistinguishable from the real thing. The researchers emphasised that Huawei itself isn’t involved in the cyber espionage campaign.
When users visit the faked site, it delivers a malicious Flash application which is used to drop the Cobalt Strike backdoor onto the visiting machine, ultimately providing attackers with visibility on the machine and the ability to collect and steal sensitive information.
The attacks appear to specifically be designed to target those who have knowledge of 5G and stealing sensitive or secret information in relation to the technology.
Researchers have linked Operation Diànxùn to previous hacking operations by Chinese groups due to the attacks and the malware being deployed using similar similar tactics, techniques and procedures (TTPs) to previous campaigns publicly attributed to the group.
Analysis of the attacks suggest that the campaign is still actively attempting to compromise targets in the telecommunications sector.
“We believe the campaign is still ongoing. We spotted new activity last week with the same TTPs, meaning the actor and the campaign are still running,” Thomas Roccia, security researcher in the McAfee advanced threat research strategic intelligence team told ZDNet.
With malicious domains playing such a significant role in this campaign, one way to help protect against attacks could be to train staff in being able to recognise if they’ve been directed towards a fake or malicious website – although given how cyber attackers have become very good at building highly accurate fake sites, this could be tricky.
Having a robust strategy for applying security updates and patches in a timely manner can also help protect networks from cyber attacks, because a network with the latest updates applied is more robust when it comes to preventing hackers exploiting vulnerabilities.
MORE ON CYBERSECURITY