Cyber Attacks Target Middle East Telecommunications Amid Ongoing Espionage Campaign
Telecommunication companies in the Middle East have recently become the focus of a series of cyber attacks that began in the first quarter of 2023. These attacks have been tied to a Chinese cyber espionage group linked to a protracted campaign known as Operation Soft Cell. Security researchers from SentinelOne and QGroup found that the initial phase of these attacks involved breaching internet-accessible Microsoft Exchange servers, which allowed the attackers to deploy web shells and, through them, carry out activities such as remote command execution.
Once the attackers establish a foothold within the network, they engage in reconnaissance, credential theft, lateral movement, and data exfiltration, as detailed in a technical report shared with The Hacker News. According to Cybereason, Operation Soft Cell has targeted telecommunications since at least 2012, indicating a long-standing strategic interest in this sector.
Microsoft has identified this threat actor under the name Gallium, emphasizing its focus on unpatched internet-facing services. The group’s tactics include the use of tools such as Mimikatz, which facilitate lateral movement by allowing attackers to harvest credentials across the targeted networks. In recent campaigns, a specialized version of Mimikatz dubbed mim221 has been deployed, featuring enhanced anti-detection capabilities.
Additionally, the attackers have utilized a discreet backdoor known as PingPull in espionage operations, affecting organizations across Southeast Asia, Europe, Africa, and the Middle East. This underscores a systematic approach to tool development aimed at maximizing stealth and effectiveness in conducting espionage activities.
Remarkably, these recent attempts were thwarted before any implants could be successfully installed on the targeted networks. The intrusions were detected and mitigated promptly by cybersecurity teams, preventing potential data exposure and further infiltration.
Research into the Gallium threat group indicates tactical parallels with other Chinese state-sponsored entities such as APT10, APT27, and APT41. These similarities suggest a degree of collaboration among the various threat actors and point to a broader ecosystem of cyber espionage within Chinese state-sponsored operations. The possible presence of a “digital quartermaster” that supplies shared tooling to these groups raises concerns about the sophistication and coordination of their attacks.
Recent revelations have also highlighted other hacking groups, including BackdoorDiplomacy and WIP26, targeting Middle East telecom services. According to Juan Andres Guerrero-Saade, senior director at SentinelLabs, while these groups operate independently from the Soft Cell activity, their targeting underscores the high value placed on telecom sectors by Chinese cyber operatives.
The ongoing interest of Chinese cyber espionage actors in the Middle East reveals a strategic focus that is unlikely to wane. Researchers anticipate that these threat actors will continue to enhance their arsenals, incorporating new techniques for evading detection, including the integration and modification of publicly available code. As the cybersecurity landscape evolves, it is essential for business owners to remain vigilant and proactive in fortifying defenses against such sophisticated cyber threats.