DeadRinger APT Group Targets Southeast Asian Telecommunications Firms

Three cyberespionage campaigns have been discovered targeting the networks of major telecommunications firms in Southeast Asia. Cybereason Nocturnus recently released a report on the attackers, who are believed to be aligned with Chinese interests and are now being tracked as DeadRinger.

What happened?

According to Cybereason, the attackers compromised centralized vendors in order to reach the networks of major telcos.
  • The attacks are suspected to have been carried out by APT groups associated with the Chinese nation-state, based on overlaps in tactics and techniques with other Chinese APT groups.
  • The goal of the campaigns was to facilitate cyberespionage against telecommunications firms by gathering important information and subsequently targeting the firms' high-profile assets.

About the three campaigns

Experts found three clusters of activity, with the oldest attack traced back to 2017.
  • The first cluster was likely performed by the Soft Cell APT group, which started its attack in 2018. The threat group has been active since 2012 and its attacks are aligned with Chinese interests.
  • The second attack is allegedly linked to Naikon, which has been targeting telcos since Q4 2020. Naikon is suspected to be connected with the military bureau of the Chinese People's Liberation Army (PLA).
  • The third attack campaign has been linked to APT27 (also known as Emissary Panda), with activities observed between 2017 and Q1 2021. The group was spotted using a unique backdoor to target Microsoft Exchange servers.

Attack techniques

The report details the attack techniques observed across the campaigns.
  • These include the exploitation of Exchange Server vulnerabilities; the use of China Chopper, Mimikatz, and Cobalt Strike beacons; and backdoors with C2 channels used for data exfiltration.
  • The targeted assets include billing servers holding Call Detail Record (CDR) data, along with key network components such as web servers, domain controllers, and Microsoft Exchange servers.

Conclusion

At present, there is no clear evidence of whether the three attack campaigns are interconnected or operated independently. However, the connection with Chinese threat actors is a serious concern for telecoms. Telecom firms are therefore advised to strengthen their defenses against such attacks.

Cyware Publisher