McAfee uncovers cyber espionage campaign targeting telcos
Cybersecurity firm, McAfee, has uncovered a major cyber espionage campaign targeting telecommunications companies. The series of attacks, dubbed Operation Diànxùn, has been traced by McAfee, who attribute it to two Chinese hacker groups, RedDelta and Mustang Panda.
“We discovered malware using similar tactics, techniques and procedures to those observed in earlier campaigns publicly attributed to the threat actors RedDelta and Mustang Panda,” commented McAfee researchers Thomas Roccia, Thibault Seret and John Fokker.
In a recent blog post, Roccia, Seret and Fokker note that they believe the purpose of Operation Diànxùn was to steal confidential information relating to 5G technology.
McAfee believes with “a medium level of confidence” that the hackers gained access to their targets using a phishing website disguised as the Huawei company careers page, although they emphasise that they have found no evidence to suggest whether or not Huawei itself was in any way involved in the attack. If they were, hosting the phishing page through their own company site seems like an oddly self-incriminating move, so it’s probably safe to assume that the Chinese tech giant’s involvement doesn’t go any further than that of an unwitting participant.
The malicious domain, hxxp://update.careerhuawei.net (don’t click it), was reportedly designed to look like Huawei’s legitimate careers page. On the page, malware masquerading as a Flash application (served from the domain flach.cn) prompted visitors to approve a download that installed the malware on their own systems.
McAfee, through its research and telemetry, believes strongly that the campaign was targeting German, Vietnamese and Indian telecom companies, and that the campaign has something to do with the increasingly common blacklisting of Chinese companies from the global 5G rollout.
Most infections took root in the US, with the second-highest number found in India, and additional breaches in Vietnam, Italy, Germany, Spain and Eastern Europe. So far, the names of the telecom companies affected by the attacks have not been revealed.
RedDelta is estimated to have been active since May of last year, and previously attacked the Vatican, with later breaches “using decoy documents related to Catholicism, Tibet-Ladakh relations and the United Nations General Assembly Security Council, as well as other network intrusion activities targeting the Myanmar government and two Hong Kong universities. These attacks mainly used the PlugX backdoor using DLL side loading with legitimate software, such as Word or Acrobat, to compromise targets.”
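The DLL side-loading technique mentioned above (a trusted, signed host such as Word or Acrobat is tricked into loading an attacker-supplied DLL that sits next to it or earlier on its search path) leaves a recognisable trace in endpoint image-load telemetry. The following is an added example, not code from the article or from McAfee’s report: a small defender-side heuristic that scans image-load events shaped like Sysmon Event ID 7 records and flags loads where a watched host process pulls in an unsigned DLL from an untrusted location. The host list, trusted-directory list and the sample events are all constructed assumptions for illustration.

```python
"""Heuristic detection of DLL side-loading candidates in image-load telemetry.

Added example (assumptions throughout): the watched-host and trusted-directory
lists are ones a defender would maintain, and the SAMPLE_EVENTS below are
constructed records, not real telemetry.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Legitimate host binaries commonly abused as side-loading carriers. Word and
# Acrobat are the two the article names; extend as needed (assumption).
WATCHED_HOSTS = {"winword.exe", "acrord32.exe"}

# Directories where a legitimately installed DLL for those hosts is expected.
# Anything else (Temp, AppData, Downloads, network shares) is user-writable.
TRUSTED_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)


@dataclass
class ImageLoad:
    """Minimal view of a Sysmon-style ImageLoad event (field names mirror Sysmon)."""
    image: str             # full path of the process doing the load
    image_loaded: str      # full path of the DLL being loaded
    signature_status: str  # e.g. "Valid", "Unavailable", "Invalid"


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def _in_trusted_dir(path: str) -> bool:
    return path.lower().startswith(TRUSTED_DIRS)


def side_load_reasons(ev: ImageLoad) -> List[str]:
    """Return the reasons an event looks like side-loading, or [] if it does not.

    To keep noise down the event must show BOTH a location anomaly (host or DLL
    outside trusted directories) AND a signature anomaly (DLL not validly signed).
    A signed DLL in Program Files loaded by Word is normal; an unsigned DLL from
    %TEMP% loaded by a copy of Acrobat that also lives in %TEMP% is the classic
    side-loading layout.
    """
    if _basename(ev.image) not in WATCHED_HOSTS:
        return []

    location_reasons = []
    if not _in_trusted_dir(ev.image):
        location_reasons.append("host binary runs from an untrusted directory")
    if not _in_trusted_dir(ev.image_loaded):
        location_reasons.append("DLL loaded from an untrusted directory")

    signature_reasons = []
    if ev.signature_status.lower() != "valid":
        signature_reasons.append(f"DLL signature status is {ev.signature_status}")

    if location_reasons and signature_reasons:
        return location_reasons + signature_reasons
    return []


def scan(events: List[ImageLoad]) -> List[Tuple[str, List[str]]]:
    """Return (dll_path, reasons) for every event that trips the heuristic."""
    hits = []
    for ev in events:
        reasons = side_load_reasons(ev)
        if reasons:
            hits.append((ev.image_loaded, reasons))
    return hits


# Constructed sample telemetry (not real events).
SAMPLE_EVENTS = [
    # Normal: Word loading a system DLL with a valid signature.
    ImageLoad(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r"C:\Windows\System32\kernel32.dll", "Valid"),
    # Side-loading layout: a copied Acrobat binary in Temp loads an unsigned
    # DLL with a well-known system DLL name from the same directory.
    ImageLoad(r"C:\Users\alice\AppData\Local\Temp\AcroRd32.exe",
              r"C:\Users\alice\AppData\Local\Temp\version.dll", "Unavailable"),
    # Search-order abuse: legitimately installed Word loads an unsigned DLL
    # from the user's roaming profile.
    ImageLoad(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r"C:\Users\alice\AppData\Roaming\msvcr100.dll", "Unavailable"),
    # Not a watched host: ignored by this heuristic.
    ImageLoad(r"C:\Program Files\Google\Chrome\Application\chrome.exe",
              r"C:\Users\alice\AppData\Roaming\payload.dll", "Unavailable"),
]


if __name__ == "__main__":
    for dll, reasons in scan(SAMPLE_EVENTS):
        print(dll)
        for r in reasons:
            print("   -", r)
```

In production the same two checks map directly onto Sysmon’s `Image`, `ImageLoaded` and `SignatureStatus` fields, and the trusted-directory list should be replaced by the organisation’s actual software inventory; the point of requiring both a location and a signature anomaly is that either one alone fires constantly on a normal estate.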
Cybercrime around the world has been on the rise over the past year, as the pandemic radically reshaped the ways in which many people access the internet, as well as massively increasing the number of people online, working and learning from unsecured home networks.
A report released in December by Russian cybersecurity firm Kaspersky found a 242% growth in attacks on the Remote Desktop Protocol (RDP) during 2020 compared with 2019. An estimated 1.7mn malicious files disguised as corporate communication apps were also discovered.
“The move online was not as flawless as one would imagine, especially given that we already lived in what we thought was a digitised world,” commented Dmitry Galov, a security researcher at Kaspersky. “As the focus switched to remote work, so did the cybercriminals, who directed their efforts to capitalise on a rise in adoption.”