Threat Actor Maintains Long-Term Stealthy Access

A recent cybersecurity analysis reveals that Chinese nation-state hackers infiltrated mobile telecommunications networks across Southeast Asia, apparently to track the locations of individuals, according to security researchers. The operation, identified by Palo Alto Networks’ Unit 42, was carried out by a hacking group dubbed CL-STA-0969, which has not been linked to data theft or to communication with end-user devices.
The infiltration, spanning February to November 2024, used a mix of custom backdoors and publicly available tools against several mobile operators. One significant indicator of the hackers’ objectives was a custom-developed network scanning tool, named CordScan, which captures mobile telecom communication protocols, including those used to track device locations.
Evidence connects the CL-STA-0969 group to activity previously identified as Liminal Panda by CrowdStrike. That actor focuses on low-security organizations affiliated with telecommunications and relies on detailed knowledge of mobile protocols to carry out its operations. While CrowdStrike suggests only a loose connection to official Chinese hacking efforts, Unit 42 attributes CL-STA-0969 to Beijing with a high degree of certainty.
The attackers reportedly gained initial access by brute-forcing SSH credentials with a tailored dictionary of usernames and passwords specific to telecom equipment. After the breach, the hackers deployed various backdoors, including one named NoDepDNS, which communicates over port 53, the port normally used for DNS traffic, so that its malicious communications blend in and evade detection.
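The brute-force initial access described above leaves a recognisable trace in sshd authentication logs: a burst of failed password attempts from one source, cycling through usernames, followed by an accepted password login from the same source. The detector below is an added example and not code from Unit 42 or the report; the log lines, hostnames, IP addresses and usernames are constructed for illustration, and the threshold and window are assumptions a deployment would tune.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd/syslog-style lines (not taken from the report). One source
# cycles through telecom-equipment-style account names and then succeeds.
SAMPLE_AUTH_LOG = """\
Mar 03 02:14:01 mme01 sshd[2210]: Failed password for admin from 203.0.113.7 port 51022 ssh2
Mar 03 02:14:03 mme01 sshd[2211]: Failed password for invalid user oss from 203.0.113.7 port 51024 ssh2
Mar 03 02:14:05 mme01 sshd[2212]: Failed password for invalid user omc from 203.0.113.7 port 51026 ssh2
Mar 03 02:14:07 mme01 sshd[2213]: Failed password for root from 203.0.113.7 port 51028 ssh2
Mar 03 02:14:09 mme01 sshd[2214]: Failed password for operator from 203.0.113.7 port 51030 ssh2
Mar 03 02:14:12 mme01 sshd[2215]: Accepted password for operator from 203.0.113.7 port 51032 ssh2
Mar 03 02:20:00 mme01 sshd[2300]: Accepted publickey for noc from 198.51.100.5 port 40000 ssh2
Mar 03 02:25:00 mme01 sshd[2301]: Failed password for noc from 198.51.100.5 port 40002 ssh2
Mar 03 02:25:30 mme01 sshd[2302]: Accepted password for noc from 198.51.100.5 port 40004 ssh2
"""

# Matches the OpenSSH "Failed/Accepted <method> for [invalid user] <user> from <ip>" lines.
LINE_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2}) (?P<day>\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_line(line, year=2024):
    """Return a dict for an sshd auth event, or None for lines we do not care about.
    Syslog lines carry no year, so the caller supplies one (assumed 2024 here)."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['month']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}


def detect_ssh_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Sliding-window detector over sshd auth lines.

    Emits 'ssh_bruteforce' when a source reaches `threshold` failed logins inside
    `window`, and 'ssh_bruteforce_success' when a password login from that source
    is accepted while the failure burst is still inside the window (the pattern
    of a dictionary attack that found a valid credential)."""
    failures = defaultdict(list)      # source ip -> timestamps of recent failures
    users_tried = defaultdict(set)    # source ip -> usernames it attempted
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        ip, ts = ev["ip"], ev["ts"]
        # Forget failures that have aged out of the window.
        failures[ip] = [t for t in failures[ip] if ts - t <= window]
        if ev["result"] == "Failed":
            failures[ip].append(ts)
            users_tried[ip].add(ev["user"])
            if len(failures[ip]) == threshold:   # fire once per burst
                alerts.append({"type": "ssh_bruteforce", "ip": ip,
                               "first_seen": failures[ip][0], "attempts": threshold,
                               "users": sorted(users_tried[ip])})
        elif ev["method"] == "password" and len(failures[ip]) >= threshold:
            alerts.append({"type": "ssh_bruteforce_success", "ip": ip,
                           "user": ev["user"], "at": ts,
                           "preceding_failures": len(failures[ip])})
    return alerts


if __name__ == "__main__":
    for alert in detect_ssh_bruteforce(SAMPLE_AUTH_LOG):
        print(alert)
```

The second alert type is the one worth paging on: a burst of failures alone is background noise on any internet-facing SSH service, but an accepted password login immediately after a burst from the same source means the dictionary worked and the account should be treated as compromised. Note that the report also says the attackers wiped authentication logs after gaining access, so this detection only holds if sshd logs are shipped off the host as they are written rather than read from local files later.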
To maintain stealthy, persistent access, they camouflaged their malware with names resembling legitimate telecom processes, manipulated binary timestamps (a technique known as timestomping) and switched Security-Enhanced Linux (SELinux) to “permissive” mode, in which policy violations are logged but no longer blocked. Additionally, the attackers used tools to erase their activity from authentication logs.
Unit 42 noted that the combination of malware, tools and techniques employed illustrates a methodical approach aimed at securing long-term, unobtrusive access. The incident fits a troubling trend of state-sponsored attacks on communications infrastructure, exemplified by groups such as Salt Typhoon targeting U.S. telecoms.
During a Senate hearing in November, CrowdStrike executive Adam Meyers highlighted the increasing focus by China on large-scale data collection, categorizing communication networks as particularly vulnerable targets. Meyers emphasized that gathering extensive information could benefit their political, military, or intellectual property agendas.
As cyber threats evolve, business leaders must remain vigilant and implement robust cybersecurity measures that counter the tactics catalogued in the MITRE ATT&CK framework, including the initial access, persistence and privilege escalation techniques used so effectively in this breach.