Chinese APTs Collectively Called DeadRinger Target Telcos in South Asia

Researchers have discovered cyber espionage campaigns targeting major telecommunications companies, believed to be operating in the interests of the Chinese state.

A new report by Cybereason revealed the campaigns, named “DeadRinger,” which target Southeast Asian telcos. According to the security firm, the “previously unidentified” campaigns resemble the SolarWinds and Kaseya incidents in that the attackers seek access to their victims through a centralized vendor.

Based on overlaps in tactics and techniques, Cybereason believes that the attacks were carried out by groups linked to China’s state-sponsored APTs.

The first group, believed to be operated by the Soft Cell APT, began its attacks in 2018.

The second group, which was said to be operated by Naikon, started hitting telcos in the last three months of 2020. Naikon is a known Chinese-speaking group whose primary targets are top-level government agencies and civil and military organizations. According to researchers, the group is most likely linked to the PLA’s military bureau.

The third cluster has been conducting attacks since 2017. Researchers attributed these attacks to APT27/Emissary Panda, the group previously held responsible for planting the China Chopper webshell on SharePoint servers at two government organizations in the Middle East.

The report also detailed various activities of the threat actors, including exploitation of Microsoft Exchange Server vulnerabilities long before the exploits were made public, the use of Mimikatz to harvest credentials, and backdoors used for data exfiltration.
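As an added illustration (not from the Cybereason report or this article), the following Python shows defender-side detection logic for two of the techniques named here: Mimikatz-style access to LSASS, found in Sysmon ProcessAccess (Event ID 10) records, and the repeated no-referer POST traffic that a China Chopper-style webshell on a SharePoint/IIS host produces. All log records, hostnames and IP addresses are constructed; the process allowlist, field layout and hit threshold are assumptions to be tuned per environment.

```python
import re
from collections import Counter

# Assumed allowlist of processes that legitimately open LSASS on most Windows
# hosts (AV engines, service control manager, etc.); tune per environment.
LSASS_ALLOWED_SOURCES = {"csrss.exe", "wininit.exe", "services.exe", "msmpeng.exe"}
PROCESS_VM_READ = 0x0010  # access right credential dumpers need to read LSASS memory

# Constructed Sysmon Event ID 10 (ProcessAccess) records, flattened to dicts.
SYSMON_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1fffff"},
    {"EventID": 10, "SourceImage": r"C:\Users\admin\Downloads\m.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 1, "SourceImage": r"C:\Users\admin\Downloads\m.exe",
     "TargetImage": "", "GrantedAccess": "0x0"},
]


def lsass_credential_access(events):
    """Return ProcessAccess events where a non-allowlisted process reads LSASS memory."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 10:
            continue
        if not ev["TargetImage"].lower().endswith("\\lsass.exe"):
            continue
        if int(ev["GrantedAccess"], 16) & PROCESS_VM_READ == 0:
            continue  # handle without VM_READ cannot dump credentials
        source = ev["SourceImage"].rsplit("\\", 1)[-1].lower()
        if source in LSASS_ALLOWED_SOURCES:
            continue
        hits.append(ev)
    return hits


# Constructed IIS W3C log lines with an assumed field subset:
# date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
IIS_LOG_LINES = [
    "2021-01-15 08:12:03 10.10.1.20 GET /sites/hr/default.aspx - 443 DOMAIN\\alice 10.10.5.31 Mozilla/5.0+(Windows+NT+10.0) https://portal.example/sites/hr 200",
    "2021-01-15 08:12:09 10.10.1.20 POST /_layouts/15/upload.aspx - 443 DOMAIN\\alice 10.10.5.31 Mozilla/5.0+(Windows+NT+10.0) https://portal.example/sites/hr/default.aspx 200",
    "2021-01-15 08:40:11 10.10.1.20 POST /_layouts/15/images/img.aspx - 443 - 203.0.113.7 Mozilla/4.0+(compatible;+MSIE+6.0) - 200",
    "2021-01-15 08:40:12 10.10.1.20 POST /_layouts/15/images/img.aspx - 443 - 203.0.113.7 Mozilla/4.0+(compatible;+MSIE+6.0) - 200",
    "2021-01-15 08:41:00 10.10.1.20 GET /_layouts/15/images/img.aspx - 443 - 203.0.113.7 Mozilla/4.0+(compatible;+MSIE+6.0) - 200",
]

IIS_LINE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<sip>\S+) (?P<method>\S+) (?P<uri>\S+) (?P<query>\S+) "
    r"(?P<port>\d+) (?P<user>\S+) (?P<cip>\S+) (?P<ua>\S+) (?P<referer>\S+) (?P<status>\d+)$"
)


def parse_iis_line(line):
    """Parse one W3C-style line into a dict, or return None if it does not match the layout."""
    m = IIS_LINE.match(line)
    return m.groupdict() if m else None


def webshell_post_activity(lines, threshold=2):
    """Hunting heuristic: count successful POSTs to .aspx pages sent without a Referer
    (a browser-driven SharePoint page normally carries one; a webshell client usually
    does not), grouped by client IP and page, and return groups at or above threshold."""
    counts = Counter()
    for line in lines:
        rec = parse_iis_line(line)
        if rec is None:
            continue
        if rec["method"] != "POST" or rec["status"] != "200":
            continue
        if not rec["uri"].lower().endswith(".aspx") or rec["referer"] != "-":
            continue
        counts[(rec["cip"], rec["uri"])] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for ev in lsass_credential_access(SYSMON_EVENTS):
        print("LSASS read by non-allowlisted process:", ev["SourceImage"])
    for (cip, uri), n in webshell_post_activity(IIS_LOG_LINES).items():
        print(f"possible webshell: {n} referer-less POSTs from {cip} to {uri}")
```

Both rules are deliberately narrow on purpose: the LSASS rule keys on the access mask rather than the tool name, so renamed Mimikatz builds still surface, and the webshell rule flags a traffic pattern rather than a file hash, so it also catches shells dropped under legitimate-looking SharePoint paths. Either rule needs its allowlist and threshold baselined against the real estate before it is promoted from hunting query to alert.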

According to Cybereason, the goal of attackers was to collect sensitive information from the telecommunications firms and compromise various network components to facilitate cyber espionage.

In some cases, more than one group was found in the same environment; however, it is not possible to tell if they were working independently or under the instruction of a central actor.

“Whether these clusters are in fact interconnected or operated independently of each other is not entirely clear at the time of writing this report,” the researchers say. “We offered several hypotheses that can account for these overlaps, hoping that as time goes by more information will be made available to us and to other researchers that will help to shed light on this conundrum.”

About the author

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.