
A prominent telecommunications firm in Asia has reportedly been compromised by Chinese state-backed hackers who remained undetected within the company's systems for more than four years, according to a recent report by the cybersecurity firm Sygnia.
Cyber Espionage Tactics
The threat actor, identified as Weaver Ant, is characterized by its stealth and persistence. Although the telecom provider's identity remains undisclosed, the attackers employed sophisticated methods to maintain access and conduct cyber espionage.
Exploitation and Persistence
The attackers exploited a public-facing application to deploy two web shells: an encrypted version of China Chopper and a newly discovered tool named INMemory. China Chopper is a known tool used by various Chinese hacking groups, while INMemory operates entirely in memory, leaving no forensic evidence on disk.
- INMemory Functionality: Decodes a Base64-encoded string and executes it in memory, avoiding disk writes.
- Web Shells: Serve as a platform for delivering further payloads, including a recursive HTTP tunnel tool for lateral movement.
Advanced Techniques for Evasion
The attackers used encrypted traffic through web shell tunnels to perform post-exploitation activities. These included bypassing detection mechanisms and executing reconnaissance commands within the compromised network.
- Bypassing Detection: Patching Event Tracing for Windows (ETW) and Antimalware Scan Interface (AMSI).
- PowerShell Commands: Executed using System.Management.Automation.dll without launching PowerShell.exe.
- Reconnaissance: Targeted Active Directory to identify high-value accounts and servers.
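The unmanaged-PowerShell technique in the list above has a simple detection hook: a process other than a PowerShell host loading the PowerShell engine assembly. The following is an added example, not code from the Sygnia report or this article; it assumes a simplified key="value" rendering of Sysmon Event ID 7 (ImageLoad) events and uses constructed sample log lines.

```python
# Added example (not from the Sygnia report or the article): flag "unmanaged
# PowerShell", i.e. a non-PowerShell host process loading
# System.Management.Automation.dll. Input is a constructed, simplified
# key="value" rendering of Sysmon Event ID 7 (ImageLoad); real events are XML/EVTX.
import re
from typing import Dict, List

# Processes that legitimately host the PowerShell engine; tune for your estate.
EXPECTED_HOSTS = {"powershell.exe", "powershell_ise.exe", "pwsh.exe"}

# The engine assembly, including its native-image (NGEN) form.
AUTOMATION_DLL = re.compile(r"system\.management\.automation(\.ni)?\.dll$", re.IGNORECASE)

def parse_event(line: str) -> Dict[str, str]:
    """Parse one constructed key="value" log line into a dict."""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))

def basename(path: str) -> str:
    """Lower-cased file name of a Windows (or forward-slash) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def is_unmanaged_powershell(event: Dict[str, str]) -> bool:
    """True when an ImageLoad event shows a non-PowerShell process loading the engine."""
    if event.get("EventID") != "7":
        return False
    if not AUTOMATION_DLL.search(event.get("ImageLoaded", "")):
        return False
    return basename(event.get("Image", "")) not in EXPECTED_HOSTS

def scan(lines: List[str]) -> List[str]:
    """Return the host process image path for every suspicious load event."""
    events = (parse_event(line) for line in lines)
    return [e["Image"] for e in events if is_unmanaged_powershell(e)]

# Constructed sample events: a benign powershell.exe load, an IIS worker process
# (w3wp.exe) loading the engine, and an unrelated process-creation event.
SAMPLE_LOG = [
    'EventID="7" Image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" ImageLoaded="C:\\Windows\\GAC_MSIL\\System.Management.Automation.dll"',
    'EventID="7" Image="C:\\Windows\\System32\\inetsrv\\w3wp.exe" ImageLoaded="C:\\Windows\\GAC_MSIL\\System.Management.Automation.dll"',
    'EventID="1" Image="C:\\Windows\\System32\\inetsrv\\w3wp.exe" CommandLine="w3wp.exe -ap DefaultAppPool"',
]

if __name__ == "__main__":
    for image in scan(SAMPLE_LOG):
        print("ALERT: PowerShell engine loaded by non-PowerShell host:", image)
```

A web server worker process loading the engine is exactly the footprint a web-shell-driven operator leaves, so this rule pairs well with alerting on the web shell's parent process itself.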
Attribution to Chinese Cyber Espionage
Weaver Ant's activities align with typical Chinese cyber espionage patterns, including the use of shared tools and infrastructure. The presence of China Chopper, the use of an Operational Relay Box (ORB) network, and specific working hours further support this attribution.
Additionally, the deployment of an Outlook-based backdoor, previously linked to Emissary Panda, highlights the group's sophisticated approach to maintaining access.
Allegations Against Taiwanese Hackers
In a related development, China's Ministry of State Security (MSS) has accused four Taiwanese individuals of conducting cyber attacks against China. These individuals are allegedly part of Taiwan's Information, Communications, and Electronic Force Command (ICEFCOM).
The MSS claims that ICEFCOM engages in phishing, propaganda, and disinformation campaigns, utilizing tools like AntSword, IceScorpion, Metasploit, and Quasar RAT.
APT-Q-20 Activities
Chinese cybersecurity firms have also reported spear-phishing attacks by a Taiwanese threat actor known as APT-Q-20. These attacks involve the use of C++ trojans and command-and-control frameworks like Cobalt Strike and Sliver.
- Initial Access Methods: Exploitation of N-day vulnerabilities and weak IoT device passwords.