
Operation Tainted Love - Chinese APTs target telcos in new attacks

March 2023 by QGroup GmbH & SentinelLabs

In collaboration with QGroup GmbH, SentinelLabs recently observed initial threat activities targeting the telecommunication sector. It is highly likely that these attacks were conducted by a Chinese cyber espionage actor related to the Operation Soft Cell campaign.

The initial attack phase involves infiltrating internet-facing Microsoft Exchange servers to deploy webshells used for command execution. Once a foothold is established, the attackers conduct a variety of reconnaissance, credential theft, lateral movement, and data exfiltration activities.
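Since the initial access described above rests on webshells written to internet-facing Exchange servers, a defender's first question is how to find such files. The following is an added example, not code from the report or from SentinelLabs: a small content-based hunt that scores ASPX sources for the combination of user-controlled request input and code or process execution that characterises most generic ASP.NET webshells. The indicator patterns, the directory path and the sample files are all assumptions constructed for this example; the report does not publish the webshell contents.

```python
import os
import re
from typing import Dict, List, Tuple

# Heuristic indicators for ASP.NET webshells: an execution primitive plus a
# request parameter feeding it. Generic patterns chosen for this example, not
# indicators taken from the report.
EXEC_PATTERNS = [
    r"\bProcess\.Start\b",
    r"\bProcessStartInfo\b",
    r"\bAssembly\.Load\b",
    r"\bEval\s*\(",
    r"\bJScript\.Eval\b",
]
INPUT_PATTERNS = [
    r"Request\s*\[",
    r"Request\.(Form|QueryString|Headers|Item)\b",
]

# Assumed location of Exchange front-end virtual directories; adjust for the host.
DEFAULT_ROOT = r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy"


def score_aspx(source: str) -> Tuple[int, List[str]]:
    """Score one ASPX/ASHX source: one point per matched indicator, plus a
    bonus of three when both an execution primitive and request input appear."""
    hits = [p for p in EXEC_PATTERNS + INPUT_PATTERNS
            if re.search(p, source, re.IGNORECASE)]
    has_exec = any(re.search(p, source, re.IGNORECASE) for p in EXEC_PATTERNS)
    has_input = any(re.search(p, source, re.IGNORECASE) for p in INPUT_PATTERNS)
    return len(hits) + (3 if has_exec and has_input else 0), hits


def find_suspicious(files: Dict[str, str], threshold: int = 4) -> List[str]:
    """Return paths whose score meets the threshold, highest score first."""
    scored = [(path, score_aspx(src)[0]) for path, src in files.items()]
    return [p for p, s in sorted(scored, key=lambda x: -x[1]) if s >= threshold]


def collect_sources(root: str = DEFAULT_ROOT) -> Dict[str, str]:
    """Walk a web root and read every .aspx/.ashx/.asmx file into memory."""
    found: Dict[str, str] = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith((".aspx", ".ashx", ".asmx")):
                full = os.path.join(dirpath, name)
                with open(full, "r", encoding="utf-8", errors="replace") as fh:
                    found[full] = fh.read()
    return found


# Constructed sample files standing in for the contents of an Exchange web root.
SAMPLES: Dict[str, str] = {
    "owa/auth/logon.aspx":
        '<%@ Page Language="C#" %><html><body>Signed in at <%= DateTime.Now %></body></html>',
    "owa/auth/contact.aspx":
        '<%@ Page Language="C#" %><% string name = Request.Form["name"]; %>'
        '<p>Thanks, <%= name %></p>',
    "owa/auth/errorFE.aspx":
        '<%@ Page Language="C#" %><% var c = Request["cmd"]; '
        'System.Diagnostics.Process.Start("cmd.exe", "/c " + c); %>',
}


if __name__ == "__main__":
    # Run against the constructed samples; swap in collect_sources() for a live host.
    for path in find_suspicious(SAMPLES):
        print("suspicious:", path, score_aspx(SAMPLES[path]))
```

Scores are deliberately coarse: a file that only reads request input (the constructed contact form) stays below the threshold, while the constructed `errorFE.aspx`, which passes a request parameter straight into `Process.Start`, is flagged. In practice the content check is paired with file creation times and IIS access logs for the same path, which this example does not reproduce.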

The deployment of custom credential theft malware is central to this new campaign. The malware implements a series of Mimikatz modifications on closed-source tooling. SentinelLabs’ research details the multi-component architecture and functionality of a sample, referred to as mim221, which is a recent version of an actively maintained credential theft capability upgraded with new anti-detection features.

The use of special-purpose modules that implement a range of advanced techniques shows the threat actors’ dedication to advancing their toolset towards maximum stealth.

Key points

SentinelLabs observed initial phases of attacks against telecommunication providers in the Middle East in Q1 of 2023.
This activity represents an evolution of tooling associated with Operation Soft Cell.
While it is highly likely that the threat actor is a Chinese cyber espionage group in the nexus of Gallium and APT41, the exact grouping remains unclear.
SentinelLabs observed the use of a well-maintained, versioned credential theft capability and a new dropper mechanism indicative of an ongoing development effort by a highly motivated threat actor with specific tasking requirements.

Conclusion

Chinese cyber espionage threat actors are known to have a strategic interest in the Middle East. This is evident from their consistent targeted attacks on various entities, including government, finance, entertainment, and telecommunication organisations. The recent activities targeting the telecommunication sector discussed in this report are among the latest of such attacks.

SentinelLabs’ analysis of mim221 highlights the continuous maintenance and further development of the Chinese espionage malware arsenal. These threat actors will almost certainly continue exploring and upgrading their tools with new techniques for evading detection, including integrating and modifying publicly available code.

SentinelLabs continues to monitor espionage activities and it is hoped that defenders will leverage these findings to bolster their defences.
