Exposing Chinese hackers: how they’re hacking telecom companies and listening to your calls

Researchers have identified three distinct threat actor clusters linked to the Chinese state that used previously known Microsoft Exchange Server exploits as the entry point for intrusions into telecommunications providers. The clusters were attributed to Soft Cell, Naikon, and Emissary Panda (also known as APT27). Separately, Kaspersky researchers reported a fourth Chinese hacking group, GhostEmperor, that uses a kernel-mode rootkit to compromise Windows systems.

The report was prepared by security firm Cybereason and states that these groups operate in the interest of the Chinese state. Cybereason co-founder and CTO Yonatan Striem-Amit notes that the telecom intrusions appear to be the first stage of broader espionage campaigns aimed at the communications of specific individuals: controlling a carrier's network gives the attackers a vantage point over those subscribers without needing to compromise each target separately.

Cybereason has tracked this activity since 2019, when one of the groups was caught inside telecommunications providers in Southeast Asia (the campaign then reported as Operation Soft Cell). Attribution is firm for only two of the three clusters: the third cluster's activity is attributed to Emissary Panda, but the OWA backdoor it used to compromise IIS and Exchange servers has also been used by other groups, so that link remains tentative.

Soft Cell gains access by exploiting known Exchange vulnerabilities to plant the China Chopper webshell, then deploys the PcShare backdoor and Cobalt Strike to move laterally through the network, harvesting user credentials along the way.

Naikon, by contrast, relies on the Nebulae backdoor for persistent access to compromised hosts, uses PAExec and WMI for lateral movement, and runs a modified Mimikatz build to dump credentials, together with a keylogger to record keystrokes and capture other sensitive input.
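The Soft Cell chain above (Exchange exploit, China Chopper webshell, operator commands, then lateral movement) leaves two artifacts a defender can hunt for on the Exchange host: repeated POSTs to an unexpected .aspx page under a web-reachable directory, and the IIS worker process spawning a command shell. The following is an added example, not code from the Cybereason report or from any tool it names; the IIS log lines and process events are constructed for illustration, and the `KNOWN_PAGES` allowlist is a placeholder that has to be completed from an inventory of the real Exchange build on the server.

```python
from collections import Counter

# Constructed IIS W3C log excerpt (illustrative, not from the report).
# Field order follows the #Fields header; IIS writes '+' for spaces inside a field.
IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-08-03 09:12:01 10.0.0.5 GET /owa/auth/logon.aspx url=/owa 443 - 198.51.100.7 Mozilla/5.0 200
2021-08-03 09:12:40 10.0.0.5 POST /owa/auth.owa - 443 - 198.51.100.7 Mozilla/5.0 302
2021-08-03 09:13:05 10.0.0.5 POST /owa/auth/help.aspx - 443 - 203.0.113.9 Mozilla/4.0 200
2021-08-03 09:13:06 10.0.0.5 POST /owa/auth/help.aspx - 443 - 203.0.113.9 Mozilla/4.0 200
2021-08-03 09:13:09 10.0.0.5 POST /aspnet_client/system_web/err.aspx - 443 - 203.0.113.9 Mozilla/4.0 200
2021-08-03 09:14:00 10.0.0.5 POST /ecp/DDI/DDIService.svc/GetList schema=VirtualDirectory 443 CORP\\jdoe 10.0.0.22 Mozilla/5.0 200
2021-08-03 09:14:30 10.0.0.5 POST /owa/auth/help.aspx - 443 - 203.0.113.9 Mozilla/4.0 500
"""

# Web-reachable directories where a planted .aspx is a classic webshell drop.
# KNOWN_PAGES is a placeholder allowlist (assumption): build the real one from
# the files actually shipped with the Exchange version installed on the host.
WEBSHELL_DIRS = ("/owa/auth/", "/aspnet_client/", "/ecp/auth/")
KNOWN_PAGES = {"/owa/auth/logon.aspx", "/owa/auth/errorfe.aspx", "/ecp/auth/logon.aspx"}


def parse_iis(text):
    """Parse W3C log lines into dicts keyed by the names in the #Fields line."""
    fields, records = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            values = line.split(" ")
            if len(values) != len(fields):
                continue  # malformed or truncated line; skip rather than misalign fields
            records.append(dict(zip(fields, values)))
    return records


def webshell_post_candidates(records, min_hits=1):
    """Count successful POSTs to .aspx/.ashx files in WEBSHELL_DIRS that are not known pages.

    China Chopper's server side is a one-line eval() page, so every operator
    command arrives as a POST to the same unusual .aspx, typically from one
    client address and answered with HTTP 200. Returns (client_ip, uri, count).
    """
    hits = Counter()
    for r in records:
        uri = r["cs-uri-stem"].lower()
        if r["cs-method"] != "POST" or r["sc-status"] != "200":
            continue
        if not uri.endswith((".aspx", ".ashx")) or uri in KNOWN_PAGES:
            continue
        if uri.startswith(WEBSHELL_DIRS):
            hits[(r["c-ip"], uri)] += 1
    return [(ip, uri, n) for (ip, uri), n in hits.items() if n >= min_hits]


# Constructed process-creation events (Sysmon Event ID 1 style, simplified).
# The first CommandLine mimics the cd/echo [S]/[E] wrapper China Chopper uses
# to delimit command output; the others are benign or unrelated noise.
PROCESS_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'cmd /c cd /d "C:\\inetpub\\wwwroot\\aspnet_client"&whoami&echo [S]&cd&echo [E]'},
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\conhost.exe",
     "CommandLine": r"\??\C:\Windows\system32\conhost.exe 0x4"},
    {"ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c schtasks /query"},
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -nop -w hidden -enc SQBFAFgA"},
]

WEB_WORKERS = {"w3wp.exe", "umworkerprocess.exe"}   # IIS and Exchange UM worker processes
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def web_worker_shell_spawns(events):
    """Return events where a web worker process spawned a command shell."""
    def base(path):
        return path.rsplit("\\", 1)[-1].lower()
    return [e for e in events
            if base(e["ParentImage"]) in WEB_WORKERS and base(e["Image"]) in SHELLS]


if __name__ == "__main__":
    for ip, uri, n in webshell_post_candidates(parse_iis(IIS_LOG)):
        print(f"possible webshell: {n} POST(s) from {ip} to {uri}")
    for e in web_worker_shell_spawns(PROCESS_EVENTS):
        print(f"web worker spawned shell: {e['CommandLine']}")
```

Neither signal is conclusive on its own: a legitimate custom page can attract POSTs, and some administrators script against IIS. The two together, from one client address and within minutes, are the pattern to escalate; the next step is to pull the flagged .aspx from disk and check its content and creation time against the Exchange patch history.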

The third cluster likewise uses Exchange servers for initial access and has deployed a custom .NET backdoor on more than 20 servers over the past three years. All of these intrusions succeeded and were carried out in short order, reflecting a mature and well-resourced operator.

The researchers found it unusual that three distinct groups were running campaigns in near-coordination, at times compromising the same targets simultaneously. It is therefore hard to say whether the groups act jointly or independently; what the researchers do assess is that all three operate in the interest of the Chinese state and its military.

“These attacks are worrisome as they compromise the security of critical infrastructure and its suppliers. Espionage operations sponsored by state actors not only have a negative impact on trading partners, but also have the potential to threaten national security in affected territories,” the report concludes.
