State-sponsored Threat Groups Target Telcos, Steal 5G Secrets

Researchers say China-linked APTs lure victims with bogus Huawei career pages in what they dub ‘Operation Diànxùn’.

Chinese-language APTs are targeting telecom companies in cyberespionage campaigns aimed at stealing sensitive data and trade secrets tied to 5G technology, according to researchers.

The campaigns, dubbed “Operation Diànxùn”, target and lure victims working in the telecom industry. A typical ploy includes a fake website designed to mimic telco-giant’s Huawei career page.

“While the initial vector for the infection is not entirely clear. [We believe] with a medium level of confidence that victims were lured to a domain under control [a] the threat actor, from which they were infected with malware,” according to McAfee researchers in a Tuesday report.

Given the tactics used in the campaign, researchers surmised it to be the work of known Chinese-language APTs RedDelta and Mustang Panda. RedDelta was last believed to be behind cyberattacks against the Vatican and other Catholic Church-related institutions last year. In those attacks, adversaries leveraged spear phishing emails laced with malware that ultimately pushed the PlugX remote access tool (RAT) as the final payload.

Meanwhile, Mustang Panda has been linked to cyberespionage attacks on non-governmental organizations (NGOs) with a focus on gathering intelligence on Mongolia by using shared malware like Poison Ivy or PlugX. The group also is known to shift tactics and adopt new tools quickly, researchers have noted.

This time around, the groups seem to be gunning for sensitive data and aiming “to spy on companies related to 5G technology,” researchers wrote. The campaign is likely related to a number of countries’ decision to ban the use of Chinese equipment from Huawei in the global rollout of the next-generation wireless telecommunications technology, researchers suggested.

The APTs used a multi-phased approach to the attacks, with the initial delivery vector likely coming in the form of a phishing attack using the internet as the first point of contact with victims, researchers said with “a medium level of confidence.”

Once someone falls for this aspect of the campaign, the second phase executes a .NET payload on the victim’s endpoint by leveraging Flash-based artifacts malware, according to the report.

“While the execution of the initial fake Flash installer acts mainly like a downloader, the [.NET] payload contains several functions and acts as a utility to further compromise the machine,” researchers wrote. “This is a tool to manage and download backdoors to the machine and configure persistence.”

In the third and final phase of the attack, threat actors create a a backdoor for remote control of the victim via a Command and Control Server and Cobalt Strike Beacon, according to the report.

Researchers recommend “an adaptive and integrated security architecture” to defend against multi-layered attacks such as Diànxùn, “which will make it harder for threat actors to succeed and increase resilience in the business.”

Check out our free upcoming live webinar events – unique, dynamic discussions with cybersecurity experts and the Threatpost community:

Suggested articles

Black Hat and DEF CON Roundup

‘Summer Camp’ for hackers features a compromised satellite, a homecoming for hackers and cyberwarfare warnings.