Hacking groups with ties to China have been identified by US-based cyber security solutions vendor Cybereason as being behind a series of cyber activity in the ASEAN region.
The findings come after the Cybereason Nocturnus and Incident Response teams proactively hunted for various threat actors trying to leverage similar techniques to those used in the Hafnium attacks targeting Microsoft Exchange vulnerabilities earlier this year.
In the beginning of 2021, the Cybereason Nocturnus Team investigated clusters of intrusions detected targeting the telecommunications industry across Southeast Asia.
During the investigation, the company claims, three clusters of activity were identified and showed significant connections to known threat actors, all suspected to be operating on behalf of Chinese state interests.
Based on Cybereason’s analysis, the company reckons that the goal of the attackers behind the intrusions was to gain and maintain continuous access to telecommunication providers and to facilitate cyber espionage by collecting sensitive information, compromising high-profile business assets such as the billing servers and key network components.
The activity observed by the security researchers was collated into three clusters. ‘Cluster A’ was assessed to be operated by Soft Cell, an activity group in operation since 2012, previously attacking telcos in multiple regions including Southeast Asia, which was first discovered by Cybereason in 2019.
“We assess with a high level of confidence that the Soft Cell activity group is operating in the interest of China. The activity around this cluster started in 2018 and continued through Q1 2021,” the company said.
Meanwhile, ‘Cluster B’ was assessed to be operated by the Naikon advanced persistent threat (APT) actor, a highly active cyber espionage group in operation since 2010 which mainly targets ASEAN countries, according to the researchers.
“The Naikon APT group was previously attributed to the Chinese People’s Liberation Army’s (PLA) Chengdu Military Region Second Technical Reconnaissance Bureau (Military Unit Cover Designator 78020). The activity around this cluster was first observed in Q4 2020 and continued through Q1 2021,” Cybereason said.
At the same time, ‘Cluster C’ was deemed to be a so-called “mini-cluster,” characterised by a unique Outlook Web Access (OWA) backdoor that was deployed across multiple Microsoft Exchange and Internet Information Services (IIS) servers.
“Analysis of the backdoor shows significant code similarities with a previously documented backdoor observed being used in the operation dubbed Iron Tiger, which was attributed to a Chinese threat actor tracked by various researchers as Group-3390 (APT27 / Emissary Panda). The activity around this cluster was observed between 2017 and Q1 2021,” Cybereason noted.
The Cybereason Nocturnus Team also observed an overlap among the three clusters. In some instances, the company said, all three clusters of activity were observed in the same target environment, around the same timeframe, and even on the same endpoints.
However, Cybereason stressed that, at this point, there was not enough information to determine with certainty the nature of the observed overlap – specifically, whether the clusters represent the work of three different threat actors working independently, or whether the clusters represent the work of three different teams operating on behalf of a single threat actor.
“Overlaps in attacker TTPs [tactics, techniques and procedures] across the clusters are evidence of a likely connection between the threat actors, supporting the assessment that each group was tasked with parallel objectives in monitoring the communications of specific high value targets under the direction of a centralised coordinating body aligned with Chinese state interests,” Cybereason said.
On March 2, 2021 Microsoft detected multiple zero-day exploits being used to attack on-premises versions of Microsoft Exchange Server.
Over the next few days, over 30,000 organisations in the US alone were attacked as hackers used several Exchange vulnerabilities to gain access to email accounts and install web shell malware, giving the cyber criminals ongoing administrative access to the victims' servers.
On the same day, Microsoft announced it suspected the attacks were carried out by a previously unidentified Chinese hacking group they dubbed Hafnium.
According to the Microsoft Threat Intelligence Center (MSTIC), Hafnium is suspected to be state-sponsored and operating out of China, primarily targeting organisations in the United States across multiple industry segments and operating primarily via leased virtual private servers (VPSs) in the US.