Chinese hackers attacked top telcos using Microsoft Exchange flaw
Cybersecurity researchers have shared details about a “highly sophisticated” and wide-ranging campaign against major telecom operators perpetrated by Chinese state-sponsored threat actors.
Discovered by security firm Cybereason, signs of the campaign can be traced all the way back to 2017.
“Based on our analysis, we assess that the goal of the attackers behind these intrusions was to gain and maintain continuous access to telecommunication providers and to facilitate cyber espionage by collecting sensitive information, compromising high-profile business assets such as the billing servers that contain Call Detail Record (CDR) data, as well as key network components such as the Domain Controllers, Web Servers and Microsoft Exchange servers,” says the report.
We’re looking at how our readers use VPNs with streaming sites like Netflix so we can improve our content and offer better advice. This survey won’t take more than 60 seconds of your time, and we’d hugely appreciate if you’d share your experiences with us.
>> Click here to start the survey in a new window <<
In its detailed analysis, Cybereason draws similarities between the recent SolarWinds and Kaseya attacks, and the campaign against the telcos, in that the threat actors first targeted third-party service providers.
With the telcos though, instead of deploying malware, the attackers instead leverage them to conduct surveillance.
Threat to national security
In its analysis, Cybereason notes that in some cases the attackers even used the recently reported vulnerabilities in Microsoft’s Exchange Servers, similar to the Hafnium attacks. Some even hid their tools in the computers’ recycle bin, while another exploited trusted security tools, especially antivirus software.
The report doesn’t specifically name the targeted countries, but points out that the targeted telcos are located in ASEAN countries, some of which have long term publicly known disputes with China.
While the intention of the entire operation seems restricted to espionage, Cybereason argues that their access gave the attackers the ability to disrupt the networks just as easily, threatening national security.
“The attacks are very concerning because they undermine the security of critical infrastructure providers and expose the confidential and proprietary information of both public and private organizations that depend on secure communications for conducting business,” commented Cybereason’s co-founder and CEO, Lior Div.