McAfee Advanced Threat Research (ATR) Strategic Intelligence team has uncovered a long-lasting cyber-espionage operation targeting major telecommunication providers worldwide. According to security researchers, Chinese nation-backed hackers have planted malware into the networks of multiple US, EU, and Southeast Asian telecom firms to carry out reconnaissance and steal secret information linked to 5G technology. The malicious campaign was presumably launched on behalf of the Beijing government in response to the ban on Chinese technology in 5G rollouts across the targeted regions.
An in-depth analysis of the tactics, techniques, and procedures (TTPs) ties the campaign to the Chinese APT actor known as Mustang Panda or RedDelta. Previously, this hacker collective was spotted attacking Catholic organizations, Mongolian NGOs, and US-based think tanks. However, in August 2020, the group shifted to malicious activities related to Operation Dianxun, targeting dozens of telecommunication firms to spy on their networks.
The initial infection vector is currently unknown; however, McAfee experts suggest that attackers redirect victims to a phishing domain that delivers malicious software to their systems. Specifically, users are lured to a bogus website disguised as the Huawei company career page. This page tricks victims into downloading a fake Flash application, which acts as a loader and drops a DotNet utility onto the targeted machine. The DotNet utility is used to gain persistence, perform reconnaissance, and load second-stage backdoors onto the compromised network. The in-depth analysis reveals that in most cases DotNet delivers a Cobalt Strike attack kit in the form of a base64-encoded gzip file. The attackers leverage Cobalt Strike in the latest stages of the intrusion to move laterally across the compromised network and search for valuable data associated with 5G technology.
Security experts note that Huawei itself is not connected to this malicious operation in any way; in fact, it is a victim of the nefarious actions. Furthermore, researchers believe the campaign is still ongoing since they have recently spotted malicious activity based on the same TTPs.
To detect possible attacks associated with Operation Dianxun, our keen Threat Bounty developer Emir Erdogan released a dedicated community Sigma rule:
The rule has translations to the following platforms:
SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, LogPoint, Humio, RSA NetWitness, FireEye Helix
EDR: Carbon Black, Microsoft Defender ATP
Tactics: Execution, Persistence, Privilege Escalation
Techniques: Scheduled Task (T1053)
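The infection chain described above ends with scheduled-task persistence (T1053) and a Cobalt Strike stage delivered as a base64-encoded gzip file. The script below is an added example written for this post; it is not the community Sigma rule, nor code from McAfee or SOC Prime. It shows how a defender can flag both behaviours in process-creation telemetry: a schtasks.exe /create launched by a parent binary living in a user-writable directory, and a command line carrying a base64 blob that decodes to a gzip stream (magic bytes 1f 8b). The event field names (image, parent, cmdline), the user-writable path list, and the sample events, including the stand-in encoded blob, are constructed assumptions, not data from the page.

```python
import base64
import binascii
import gzip
import json
import re

GZIP_MAGIC = b"\x1f\x8b"                      # start of every gzip stream
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")  # long base64-looking runs only
# Assumed list of directories an unprivileged user can write to; tune for your estate.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")

# Constructed stand-in for the encoded second stage: a gzip stream wrapped in base64.
# It is plain text, not a real payload; only the gzip header matters to the check.
_FAKE_STAGE2 = base64.b64encode(gzip.compress(
    b"constructed stage-two blob (not a real payload): hypothetical beacon "
    b"config, team-server placeholder, sleep 60, jitter 20")).decode()

# Constructed process-creation events in a Sysmon-like shape (field names assumed).
SAMPLE_EVENTS = [
    {"ts": "2021-03-16T10:01:02Z", "image": r"C:\Windows\System32\svchost.exe",
     "parent": r"C:\Windows\System32\services.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"ts": "2021-03-16T10:01:05Z", "image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Windows\System32\svchost.exe",
     "cmdline": "schtasks.exe /query /tn \\Microsoft\\Windows\\Defrag\\ScheduledDefrag"},
    {"ts": "2021-03-16T10:02:11Z", "image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Users\jdoe\AppData\Local\Temp\flashupdate.exe",
     "cmdline": "schtasks.exe /create /sc onlogon /tn Updater "
                "/tr C:\\Users\\jdoe\\AppData\\Local\\Temp\\flashupdate.exe"},
    {"ts": "2021-03-16T10:02:40Z", "image": r"C:\Users\jdoe\AppData\Local\Temp\loader.exe",
     "parent": r"C:\Users\jdoe\AppData\Local\Temp\flashupdate.exe",
     "cmdline": "loader.exe " + _FAKE_STAGE2},
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)  # JSON-lines feed


def decodes_to_gzip(candidate):
    """True if the base64 text decodes cleanly and starts with the gzip magic."""
    try:
        raw = base64.b64decode(candidate, validate=True)
    except (binascii.Error, ValueError):
        return False
    return raw.startswith(GZIP_MAGIC)


def find_embedded_gzip(text):
    """Return every long base64 run in text that hides a gzip stream."""
    return [m.group(0) for m in B64_BLOB.finditer(text) if decodes_to_gzip(m.group(0))]


def is_suspicious_task_creation(event):
    """schtasks.exe /create whose parent runs from a user-writable path (T1053)."""
    image = event.get("image", "").lower()
    cmd = event.get("cmdline", "").lower()
    parent = event.get("parent", "").lower()
    if not image.endswith("\\schtasks.exe") or "/create" not in cmd:
        return False
    return any(marker in parent for marker in USER_WRITABLE)


def analyze(jsonl):
    """Run both checks over a JSON-lines feed; return one hit dict per finding."""
    hits = []
    for lineno, line in enumerate(jsonl.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed telemetry rather than crash the pipeline
        if is_suspicious_task_creation(event):
            hits.append({"line": lineno, "rule": "T1053 schtasks /create from user-writable parent",
                         "image": event.get("image"), "parent": event.get("parent")})
        blobs = find_embedded_gzip(event.get("cmdline", ""))
        if blobs:
            hits.append({"line": lineno, "rule": "base64-encoded gzip payload on command line",
                         "image": event.get("image"), "blob_len": len(blobs[0])})
    return hits


if __name__ == "__main__":
    for hit in analyze(SAMPLE_LOG):
        print(hit)
```

Both checks are deliberately narrow: the task-creation rule ignores legitimate schtasks.exe /query calls and tasks created by system binaries, and the payload rule requires a real gzip header rather than flagging every long base64 string, which keeps noise from signed installers and script blocks down.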
Subscribe to Threat Detection Marketplace, the industry-first SaaS platform that aggregates 100,000+ detection and response rules easily convertible to various formats. Enthusiastic about creating your own detection content and contributing to global threat hunting initiatives? Join our Threat Bounty Program and get rewarded for your input!