A string of recently discovered digital intrusions appears to indicate that hackers linked to China are increasingly savvy when it comes to evading detection once they infiltrate a victim’s network.
That conclusion comes from researchers at SentinelLabs and the German IT services company QGroup GmbH who studied several cyber intrusions into unnamed Middle Eastern telecoms. Those attacks indicated that a years-long Chinese-aligned cyberespionage operation has been actively updating its abilities using a series of modifications to a widely used credential theft software package, researchers said in a joint analysis published Thursday.
The “finding highlights the increased operational tempo of Chinese cyberespionage actors and their consistent investment in advancing their malware arsenal to evade detection,” the researchers said.
The operation in question — known as Operation Soft Cell — has been linked to various Chinese-aligned hacking efforts focused on telecom targets around the world such as those tracked by Microsoft as Gallium, which dates back to at least 2012, or APT41, known to engage in Chinese-linked cyberespionage as well as financially motivated activity “potentially outside of state control,” according to Mandiant.
Conclusive attribution isn’t possible yet, the SentinelLabs and QGroup researchers said. But given previous targeting and tactical details, they said they’re assessing with medium confidence that Gallium “is involved.” However, they added, “we also recognize the possibility of closed-source tool-sharing between Chinese state-sponsored threat actors, and the possibility of a shared vendor or digital quartermaster.”
The analysis focused on a malware sample that revealed a series of custom modifications to Mimikatz, open-source software that hackers and researchers use for credential theft and privilege escalation once inside a system. In this case, the attackers used access to compromised Internet-facing Microsoft Exchange servers to deploy web shells used for command execution, the researchers wrote, allowing for reconnaissance of the system, credential theft, lateral movement and data exfiltration.
They then ceased their activities after stealing credentials. “This could indicate a multi-phase attack strategy, where the deployment of backdoors and further persistence mechanisms is carried out separately after credential theft has ensured continued access,” the researchers wrote in their report. The intrusions were detected and interrupted before the attackers could carry out further phases, such as deploying backdoors, the researchers added.
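The intrusion chain described above starts with a web shell on an Exchange server executing commands, and that first phase is the one defenders have the best chance of catching: an IIS worker process (w3wp.exe) almost never has a legitimate reason to spawn a command interpreter. The detection logic below is an added illustration, not code from the SentinelLabs/QGroup report. It runs over a few constructed, Sysmon-style process-creation events (the JSON field names `ts`, `pid`, `ppid`, `image`, `parent_image` and `cmdline` are assumptions of this example) and flags any process whose ancestry leads back to an IIS worker, rating a shell interpreter as high severity and anything the shell goes on to run as medium.

```python
"""Flag processes descended from an IIS worker (web-shell command execution).

Added example for illustration; the event format below is a constructed,
Sysmon-like JSON-lines shape, not telemetry from the incident described.
"""
import json
from dataclasses import dataclass

# Constructed sample events (not real logs). Raw strings keep the JSON
# backslash escapes intact so json.loads() yields normal Windows paths.
SAMPLE_EVENTS = [
    r'{"ts":"2023-03-23T09:14:02Z","pid":4120,"ppid":812,"image":"C:\\Windows\\System32\\inetsrv\\w3wp.exe","parent_image":"C:\\Windows\\System32\\svchost.exe","cmdline":"w3wp.exe -ap MSExchangeOWAAppPool"}',
    r'{"ts":"2023-03-23T09:21:47Z","pid":5200,"ppid":4120,"image":"C:\\Windows\\System32\\cmd.exe","parent_image":"C:\\Windows\\System32\\inetsrv\\w3wp.exe","cmdline":"cmd.exe /c whoami"}',
    r'{"ts":"2023-03-23T09:21:47Z","pid":5210,"ppid":5200,"image":"C:\\Windows\\System32\\whoami.exe","parent_image":"C:\\Windows\\System32\\cmd.exe","cmdline":"whoami"}',
    r'{"ts":"2023-03-23T09:30:10Z","pid":6000,"ppid":3300,"image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","parent_image":"C:\\Windows\\explorer.exe","cmdline":"powershell.exe"}',
    r'{"ts":"2023-03-23T09:30:55Z","pid":6100,"ppid":6000,"image":"C:\\Windows\\System32\\notepad.exe","parent_image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmdline":"notepad.exe"}',
]

# IIS worker processes that host Exchange web applications.
IIS_WORKERS = {"w3wp.exe"}
# Command interpreters a web shell typically uses to run operator commands.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}


@dataclass(frozen=True)
class ProcessEvent:
    ts: str
    pid: int
    ppid: int
    image: str          # basename, lower-cased
    parent_image: str   # basename, lower-cased
    cmdline: str


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def parse_event(line: str) -> ProcessEvent:
    """Parse one JSON-lines process-creation record into a ProcessEvent."""
    rec = json.loads(line)
    return ProcessEvent(
        ts=rec["ts"],
        pid=int(rec["pid"]),
        ppid=int(rec["ppid"]),
        image=_basename(rec["image"]),
        parent_image=_basename(rec["parent_image"]),
        cmdline=rec.get("cmdline", ""),
    )


def load_events(lines) -> list:
    return [parse_event(line) for line in lines]


def iis_ancestor(event: ProcessEvent, by_pid: dict, iis_workers=IIS_WORKERS, max_depth: int = 8):
    """Return the IIS worker image in this process's ancestry, or None.

    The immediate parent image is checked first so a hit is still produced
    when the parent's own creation event is missing from the batch. The walk
    is bounded and cycle-safe because pids are reused over time.
    """
    if event.parent_image in iis_workers:
        return event.parent_image
    current = by_pid.get(event.ppid)
    seen = set()
    for _ in range(max_depth):
        if current is None or current.pid in seen:
            return None
        seen.add(current.pid)
        if current.image in iis_workers:
            return current.image
        current = by_pid.get(current.ppid)
    return None


def find_webshell_chains(events, allowlist=frozenset()) -> list:
    """Flag every process descended from an IIS worker.

    allowlist: child images known to be benign in a given environment
    (empty here; populate from a baseline of the real servers).
    """
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        if e.image in IIS_WORKERS or e.image in allowlist:
            continue
        worker = iis_ancestor(e, by_pid)
        if worker is None:
            continue
        findings.append({
            "ts": e.ts,
            "pid": e.pid,
            "image": e.image,
            "ancestor": worker,
            "severity": "high" if e.image in SHELLS else "medium",
            "cmdline": e.cmdline,
        })
    return findings


if __name__ == "__main__":
    for hit in find_webshell_chains(load_events(SAMPLE_EVENTS)):
        print(f"[{hit['severity']}] {hit['ts']} pid={hit['pid']} {hit['image']} "
              f"(descends from {hit['ancestor']}): {hit['cmdline']}")
```

On the constructed input, the interactive PowerShell session under explorer.exe is left alone, while the cmd.exe spawned by w3wp.exe and the whoami.exe it launched are both reported. Because the rule keys on lineage rather than on tool names or hashes, it is unaffected by the kind of binary modification the report describes for the credential-theft stage; that stage is better covered by monitoring access to the LSASS process, which is outside this example.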
“Chinese cyberespionage threat actors are known to have a strategic interest in the Middle East,” the researchers concluded. “This is evident from their consistent targeted attacks on various entities including government, finance, entertainment, and telecommunication organizations. The recent activities targeting the telecommunication sector this post discusses are some of the latest such attacks.”