Posted on August 3, 2021 at 2:43 PM
Five global telecommunication firms have been hacked in an espionage attack reportedly sponsored by China. According to research, various hacking groups affiliated with China compromised the telecom companies to steal various details such as location data and phone records.
The research also stated that the hacking groups targeted telecom firms in Southeast Asia from 2017 to 2021. In various instances, the groups exploited security vulnerabilities to gain access to the internal systems of the telecommunication companies. According to Cybereason Inc, a cybersecurity firm based in the US, the vulnerabilities exploited were in Microsoft Corp’s Exchange servers.
Hackers Affiliated to China
According to Cybereason’s CEO, Lior Div, the hackers gained complete control of the telecommunications companies they attacked in what Div termed the ‘holy grail of espionage.’ Cybereason also stated that the responsible hacking groups were Group-3390, Naikon and Soft Cell, but refrained from stating that these groups were affiliated with China.
Div also commented on the negative implications of the hacking attacks to not only the telecom companies but also their stakeholders, including customers and business associates. “They also have the potential to threaten the national security of countries in the region,” Div added.
China is yet to give an official response to the claims. However, Zhao Lijian, a spokesperson for the Chinese government, denied that the hacking groups exploited vulnerabilities on Microsoft Exchange servers.
During a press briefing on July 20, Zhao stated that “the US ganged up with its allies and launched an unwarranted accusation against China on cybersecurity.” Zhao added that the claims were a political move and a mere smear campaign, and that China would not accept the allegations.
On the other hand, Microsoft is yet to comment on the issue. According to a spokesperson for the firm, Microsoft has not yet obtained the report on the infiltration.
Although Cybereason did not name the country to which these hacking groups were affiliated, it noted that the hack targeted telecommunication firms in Southeast Asian countries that have disputes with China.
The report also referenced earlier research from Check Point Software Technologies Ltd. The research showed that one of the mentioned hacking groups had targeted Indonesia, the Philippines and Vietnam by compromising various ministries, including foreign affairs, science and technology.
Since it was an espionage attack, the motive was mainly to obtain information essential to the Chinese government. The information gathered most likely belonged to companies, government officials, politicians, law enforcement agencies and other groups whose details would matter.
Cybereason also mentioned that the hackers operated in a ‘highly sophisticated and adaptive’ manner to give them control over the compromised systems. The report also mentioned that besides espionage, the groups could shut down or interfere with the compromised networks.
The research firm also mentioned that the hacking groups took measures to evade the security mechanisms put in place by these telecom firms. Cybereason pointed to one hacking group that used the recycle bin folder to hide its malicious software. Another hacking group hid its malicious activity inside anti-virus software. That group could also spy on a user’s keystrokes using ‘PotPlayer’, a multimedia player from South Korea, which infected computer systems with a keylogger.
One of the most concerning methods used in the hacking campaign was the exploitation of vulnerabilities in Microsoft Exchange servers. Soft Cell, one of the hacking groups named in the report, exploited this security vulnerability for three months before Microsoft alerted its users to the weakness in March 2021.
Before this report by Cybereason, China had already been linked to the exploitation of Microsoft Exchange servers. The allegations tabled by both the US and the UK on July 19 stated that Chinese threat actors with ties to the Chinese government were responsible for the hacks associated with those servers.
Dominic Raab, the UK Foreign Secretary, stated that “the Chinese government must end this systematic cyber sabotage and can expect to be held to account if it does not.”
The US Justice Department also recently charged four Chinese nationals who, according to prosecutors, were working with the Chinese Ministry of State Security to launch a hacking campaign that targeted various computer systems, including corporations, government agencies and universities.