Posted on March 17, 2021 at 4:19 PM
A recent report reveals that threat actors are targeting people working in the telecommunications industry using a fake Huawei company website.
The report comes from security software provider McAfee, whose threat intelligence team has named the campaign ‘Operation Diànxùn’ and says the attackers are gradually widening their target set. According to the team, the threat actors concentrate mostly on companies based in India, Vietnam, Germany and the US, as well as companies in Southeast Asia.
The researchers suggest the campaign may have been spurred by the ban on Chinese equipment in the global 5G rollout. The phishing campaign focuses on compromising systems that hold sensitive details about 5G technology.
McAfee attributes the campaign to the group tracked as Mustang Panda (also known as RedDelta). The group has been known for several espionage campaigns against organizations around the globe, but it now appears to have shifted focus toward compromising telecom companies.
23 companies were targeted
The report says the campaign targeted at least 23 telecom companies, though it is not clear how many of them were actually compromised. Notably, the campaign has been active since August last year but was only discovered recently.
It is also not yet clear how the hackers initially gained access to the affected systems. What is known is that victims are redirected to a phishing domain controlled by the attackers, which is used to serve the malicious files.
The fake Huawei careers site closely resembles the genuine one and can easily deceive an unsuspecting visitor. The researchers confirmed that Huawei is not involved in the campaign and was not aware that a site was impersonating it.
Researchers John Fokker, Thibault Seret, and Thomas Roccia detailed their findings about the campaign and stated that the malware posed as Flash applications.
The researchers said they discovered two domain names purportedly used in the attack, both borrowing the Chinese telecommunications company's name: hxxp://update.huaweiyuncdn.com and career.huawei.com.
The sample posing as a Flash application also used the malicious domain hxxp://flach.cn, a typosquat designed to resemble flash.cn, the official download page for Flash.
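Look-alike domains such as flach.cn and huaweiyuncdn.com are easy to miss by eye but easy to flag in proxy logs. The script below is an added example, not code from the McAfee report or this article: it checks constructed proxy-log lines against the two defanged indicators named above and additionally flags hosts that embed a brand name or sit within a small edit distance of a legitimate brand domain. The log lines, the field layout, the brand list and the domain huaweicareer.example (a reserved TLD, so it cannot be real) are all assumptions made for the example.

```python
import re
from difflib import SequenceMatcher
from typing import List, Optional, Tuple

# Indicators named in the article, with the defanged "hxxp" scheme removed.
KNOWN_BAD = {"update.huaweiyuncdn.com", "flach.cn"}

# Legitimate domains the fakes impersonate (assumed brand list for this example).
BRANDS = {"huawei.com", "flash.cn"}

# Constructed proxy log lines for this example (not real traffic).
# Fields: epoch  client_ip  method  url  status
SAMPLE_LOG = """\
1615996800.123 10.0.0.5 GET http://www.huawei.com/en/ 200
1615996805.456 10.0.0.5 GET http://update.huaweiyuncdn.com/flash.exe 200
1615996810.789 10.0.0.9 GET http://flach.cn/download/flashplayer.exe 200
1615996815.000 10.0.0.7 GET http://www.flash.cn/ 200
1615996820.111 10.0.0.7 GET http://huaweicareer.example/jobs 200
1615996825.222 10.0.0.7 GET http://example.org/index.html 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<status>\d+)"
)
HOST_RE = re.compile(r"^[a-z]+://([^/:]+)", re.IGNORECASE)


def host_of(url: str) -> str:
    """Extract the lower-cased hostname from a URL (empty string if none)."""
    m = HOST_RE.match(url)
    return m.group(1).lower() if m else ""


def registrable(host: str) -> str:
    """Naive registrable domain: the last two labels (enough for .com/.cn here)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def classify(host: str) -> Optional[str]:
    """Return 'known_bad', 'lookalike', or None for a hostname."""
    reg = registrable(host)
    if host in KNOWN_BAD or reg in KNOWN_BAD:
        return "known_bad"
    if reg in BRANDS:
        return None  # the genuine brand domain or a real subdomain of it
    for brand in BRANDS:
        keyword = brand.split(".")[0]
        # Brand name embedded in a domain the brand does not own (huaweiyuncdn.com).
        if keyword in host:
            return "lookalike"
        # Typosquat: registrable domain nearly identical to the brand (flach.cn vs flash.cn).
        if SequenceMatcher(None, reg, brand).ratio() >= 0.8:
            return "lookalike"
    return None


def scan(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (client_ip, host, verdict) for every request that should be flagged."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed layout
        host = host_of(m.group("url"))
        verdict = classify(host)
        if verdict:
            hits.append((m.group("client"), host, verdict))
    return hits


if __name__ == "__main__":
    for client, host, verdict in scan(SAMPLE_LOG):
        print(f"{verdict:10s} {client:12s} {host}")
```

The exact-match list catches the published indicators, while the keyword and edit-distance heuristics catch the next variation of the same trick; the latter will produce false positives on legitimate partner domains that contain a brand name, so treat a "lookalike" verdict as a triage lead rather than a block decision.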
Cobalt Strike backdoor used by the group
McAfee researchers also stated that the group used a Cobalt Strike backdoor. Cobalt Strike is a commercial red-team framework whose beacon implant is widely abused by attackers; according to ESET it was deployed against more than 600 Exchange servers, some of them in the UK.
Users who visit the fake site download the malicious Flash installer, which delivers the Cobalt Strike backdoor to their system. This gives the attackers visibility into the machine and the access they need to find and steal sensitive information.
The attack seems to be designed to only target those with important information about the 5G technology.
The group behind Operation Diànxùn has previously been linked to other hacking incidents attributed to Chinese groups, and the malware deployed and the nature of the attack resemble the tactics and methods used in its earlier operations.
There is also a high chance that the attack is still ongoing.
“We believe the campaign is still ongoing. We spotted new activity last week with the same TTPs,” the McAfee cybersecurity team stated.
Protecting against attack
The researchers also advised how organizations can protect themselves against attacks like this. One measure is to train staff to recognize when they have been redirected to a malicious page, though the researchers add that this is increasingly hard because attackers have become far more sophisticated.
They have learnt to imitate a website so closely that the fake is almost impossible to tell from the original.
A comprehensive strategy for applying security updates promptly will also help protect networks from such attacks, the researchers pointed out.