Recent analysis has revealed that the China-linked hacking group, known as Earth Estries, is employing a previously unidentified backdoor named GHOSTSPIDER in its cyber operations directed at telecommunications firms in Southeast Asia. This development highlights an evolving threat landscape, where traditional boundaries of cybersecurity are increasingly tested.

Trend Micro, which characterizes Earth Estries as an aggressive advanced persistent threat (APT), reports that the group’s operations have also utilized a cross-platform backdoor known as MASOL RAT (also referred to as Backdr-NQ), targeting Linux systems within Southeast Asian governmental networks.

Earth Estries is estimated to have successfully breached over 20 organizations across various sectors, including telecommunications, technology, consulting, chemicals, transportation, and non-profit organizations. Victims are spread across more than a dozen countries, including Afghanistan, Brazil, India, Indonesia, Malaysia, and the United States, highlighting the wide-reaching implications of their activities.

According to reports, Earth Estries shows overlaps with other hacking clusters identified by cybersecurity firms, such as FamousSparrow and GhostEmperor. The group’s activity has been tracked since at least 2020, with evidence suggesting that it leverages a diverse range of malware to infiltrate telecommunications and government entities in regions as varied as the U.S., Asia-Pacific, the Middle East, and South Africa.

Recent findings, including a report by The Washington Post, indicate that Earth Estries has made significant inroads into U.S. telecom companies, with the U.S. government identifying and notifying as many as 150 victims of cyber intrusions attributed to this group.

Among the malware tools utilized by Earth Estries are the Demodex rootkit and Deed RAT, the latter of which appears to be a successor to the widely used ShadowPad. The group has also employed a variety of other backdoors and information stealers, including Crowdoor and SparrowDoor. Initial access to compromised networks is often gained through the exploitation of known vulnerabilities, notably in systems such as Ivanti Connect Secure and Microsoft Exchange Server.

The customized malware used by Earth Estries, including Deed RAT, is central to its long-term cyber espionage. Analysis of its operations suggests that separate operators run targeted campaigns across different regions and industries, each supported by its own infrastructure team, illustrating the organizational complexity of this APT.

Security researchers describe GHOSTSPIDER as a sophisticated, modular implant that communicates with attacker-controlled infrastructure over a custom protocol secured by Transport Layer Security (TLS). This modularity, combined with encrypted command-and-control traffic, makes detection and mitigation significantly harder for organizations exposed to such threats.

Cybersecurity experts note that Earth Estries exemplifies a maturation in China’s cyber capabilities, transitioning from isolated incursions to broader strategies aimed at sustained surveillance and large-scale data collection from managed service and internet service providers. As telecommunications companies face growing pressure from multiple threat actors, businesses are urged to strengthen their defenses against these evolving techniques, especially those mapped in the MITRE ATT&CK framework, such as gaining initial access and persistence by exploiting software vulnerabilities.