Chinese Hackers Infiltrate Asian Telecom, Undetected for Over Four Years

Telecommunications Giant Targeted by State-Sponsored Hackers

A prominent telecommunications company in Asia was reportedly infiltrated for over four years by Chinese state-sponsored hackers, as revealed in a recent report by cybersecurity firm Sygnia. Although the identity of the affected telecom provider remains undisclosed, the incident highlights the vulnerabilities in critical infrastructure and the sophisticated tactics employed by cyber adversaries.

Sygnia is investigating the incident under the codename Weaver Ant, characterizing the attackers as stealthy and notably persistent. The firm detailed that the hackers utilized web shells and tunneling techniques to establish continuous access, facilitating extensive cyber espionage and the collection of sensitive data. Sygnia remarked, “The group behind this intrusion aimed to gain and maintain continuous access to telecommunication providers.”

The attackers exploited a misconfiguration in a public-facing application to secure their initial entry point into the organization’s network. This breach allowed them to deploy multiple web shells, including an encrypted variant of the widely used China Chopper and a new, previously undocumented malicious tool named INMemory. The methodical reuse of well-known tools across multiple Chinese hacking factions underscores a concerning trend in state-sponsored cyber operations.

INMemory is designed to execute Base64-encoded payloads directly in memory, leaving few on-disk traces for forensic investigators to recover. The intrusion chain involved executing C# code embedded in a portable executable file, ‘eval.dll’, to run malicious commands and deliver subsequent payloads. These web shells also enabled lateral movement through the network using advanced tunneling strategies, similar to tactics employed by previously identified threat actors.

Moreover, the traffic traveling through these web shell tunnels allowed for a range of post-exploitation activities. This included circumventing detection systems, executing PowerShell commands covertly, and running reconnaissance tasks against the compromised Active Directory environment to map out high-privilege accounts and critical infrastructure.

Sygnia’s findings indicate that Weaver Ant displays characteristics commonly associated with China-linked cyber espionage operations. The group demonstrated defined targeting patterns and a systematic approach typical of state-sponsored actors. The investigation also revealed the use of an Operational Relay Box network built on Zyxel routers to further obscure the group’s infrastructure, alongside operating hours consistent with those of Chinese hacking groups.

In a parallel development, China’s Ministry of State Security has accused four individuals allegedly associated with Taiwan’s military of conducting cyber operations against the mainland, claims that Taiwan has categorically denied. The MSS highlighted these individuals’ involvement in various cyber tactics, including phishing attacks and disinformation campaigns.

As the cybersecurity landscape continues to evolve, the ongoing investigation into the Weaver Ant breach serves as a stark reminder of the persistent threat posed by state-sponsored cyber adversaries. The tactics observed, which map to MITRE ATT&CK techniques such as initial access through exploitation of a public-facing application and persistence via web shells, reflect the growing complexity and sophistication of attacks targeting critical infrastructure across the globe. This incident underscores the imperative for organizations to bolster their cybersecurity measures to defend against increasingly sophisticated threats.