Chinese government hackers allegedly spent years undetected in foreign phone networks

Image Credit: Pixabay (Image credit: Image Credit: Geralt / Pixabay)

Security researchers Sygnia discover attack after responding to a separate incident
The attack was attributed to a Chinese state-sponsored threat actor
Weaver Ant group lurked for years, stealing sensitive data and moving laterally

Chinese state-sponsored threat actors allegedly spent four years lurking in the IT infrastructure of a “major” Asian telecommunications provider, according to cybersecurity researchers Sygnia, which discovered the cyber-espionage campaign after responding to a separate incident.

In a technical writeup, Sygnia said while investigating a separate forensic case, multiple security alerts flagged suspicious activity. Furthermore, a previously disabled account was re-enabled, raising even more suspicion.

Digging deeper, the investigators found China Chopper web shells, as well as multiple other malicious payloads used for lateral movement and data exfiltration.

"Incredibly dangerous"

They concluded that the threat actors, named Weaver Ant, were Chinese, since their operational tactics, the use of China Chopper, ORB networks, and other tools, their working hours, and the choice of target (critical telecom infrastructure), all pointed to that conclusion.

Sygnia did not want to disclose who that “major” Asian telecommunications company is, but said that the initial access vectors were vulnerable Zyxel routers.

Furthermore, the company added other Southeast Asian telecom providers as victims, as well, since their compromised Zyxel routers were used in the attack.

Weaver Ant managed to successfully maintain long-term access, exfiltrate sensitive data, while moving laterally across the company’s systems, Sygnia concluded. The goal was espionage - to gather as much intelligence as possible, from critical infrastructure.

Despite multiple attempts to remove them, Weaver Ant managed to persist, it was concluded.

“Nation-state threat actors like Weaver Ant are incredibly dangerous and persistent with the primary goal of infiltrating critical infrastructure and collecting as much information as they can before being discovered,” said Oren Biderman, incident response leader at Sygnia.

“Weaver Ant maintained activity within the compromised network for over four years despite repeated attempts to eliminate them from compromised systems. The threat actor adapted their [tactics] to the evolving network environment, enabling continuous access to compromised systems and the collection of sensitive information.”

Via The Record

US government warns Medusa ransomware has hit hundreds of critical infrastructure targets
We've rounded up the best password managers
Take a look at our guide to the best authenticator app

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.