Zafar Anjum
Southeast Asia Correspondent

Chinese cyberattackers compromising telcos in Southeast Asia for espionage

News Analysis
Aug 11, 2021

The attack via Microsoft Exchange servers on telecom infrastructure could have been used to disrupt communications, but so far seems limited to gathering information on competitors, adversaries, and activists.


Security firm Cybereason says it has discovered several previously unidentified cyberattack campaigns that infiltrated major telecommunications providers across Southeast Asia.

Cybereason likens the campaigns to the recent SolarWinds and Kaseya attacks in one respect: the attackers first compromised third-party service providers. But instead of using those providers to push malware downstream in a supply chain attack, the US-based firm said, in this case “the intent was to leverage them to conduct surveillance of their customers’ confidential communications”.

The report was released on 3 August 2021 and follows the US federal government’s public rebuke of China’s Ministry of State Security for the recent Hafnium attacks on Microsoft Exchange servers.

Multiple clusters of attacks on Southeast Asian telcos

The Cybereason report detailed multiple clusters of attack. These activities have evaded detection since at least 2017 and “are assessed to be the work of several prominent advanced persistent threat (APT) groups aligned with the interests of the Chinese government”, it said.

Since their first successful intrusions, the attackers have been adaptive, persistent, and evasive, Cybereason said. They worked diligently to obscure their activity, maintained persistence on the infected systems, and responded dynamically to mitigation attempts rather than abandoning access. Cybereason interprets this willingness to stay and fight for a foothold as an indication that the targets are of great value to the attackers.

A second common feature of these attacks is that they exploited vulnerabilities in Microsoft Exchange servers to gain access to the targeted networks, much as the Hafnium attacks attributed to China did. Once access was secured, the attackers moved on to critical network assets such as domain controllers and billing systems. Billing systems hold call detail records (CDRs), the metadata of who communicated with whom, when, and for how long, which gave the attackers visibility into the communications of anyone using the affected telecoms’ services.
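The Exchange entry point is the one step in this account where a defender can run a concrete check. As an added example, not drawn from the Cybereason report or the article, the following Python triages Exchange front-end IIS logs for requests to ASPX pages that Exchange itself does not serve from its authentication and client-support directories, which is where post-exploitation web shells are commonly dropped. The log lines are constructed for the example, and the watched directories and the allowlist of known-good pages are assumptions that would need tuning against a real deployment.

```python
from collections import defaultdict

# Constructed IIS W3C log excerpt (not from the article). Field order follows
# the default IIS layout; the #Fields header drives the parser.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2021-03-02 08:00:01 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 120
2021-03-02 08:00:09 10.0.0.5 POST /owa/auth/logon.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 302 0 0 80
2021-03-02 08:01:12 10.0.0.5 POST /owa/auth/Current/themes/resources/help.aspx - 443 - 198.51.100.22 python-requests/2.25.1 - 200 0 0 15
2021-03-02 08:01:20 10.0.0.5 POST /owa/auth/Current/themes/resources/help.aspx - 443 - 198.51.100.22 python-requests/2.25.1 - 200 0 0 13
2021-03-02 08:03:44 10.0.0.5 POST /aspnet_client/system_web/shell.aspx - 443 - 198.51.100.22 python-requests/2.25.1 - 200 0 0 11
2021-03-02 08:05:00 10.0.0.5 GET /ecp/default.aspx - 443 DOMAIN\\admin 10.0.0.9 Mozilla/5.0 - 200 0 0 40
"""

# Assumption: directories under which a dynamic .aspx page is unexpected unless
# it is one of the handful Exchange legitimately serves (allowlist below).
WATCHED_PREFIXES = ("/owa/auth/", "/ecp/", "/aspnet_client/")
KNOWN_GOOD = {"/owa/auth/logon.aspx", "/owa/auth/logoff.aspx", "/ecp/default.aspx"}


def parse_iis(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            continue  # malformed or pre-header line; skip rather than guess
        yield dict(zip(fields, parts))


def triage_iis_log(text):
    """Return (client, path, count, user agents) for ASPX requests under the
    watched Exchange directories that are not on the allowlist."""
    hits = defaultdict(lambda: {"count": 0, "agents": set()})
    for rec in parse_iis(text):
        stem = rec["cs-uri-stem"].lower()
        if not stem.endswith(".aspx"):
            continue
        if not stem.startswith(WATCHED_PREFIXES):
            continue
        if stem in KNOWN_GOOD:
            continue
        key = (rec["c-ip"], stem)
        hits[key]["count"] += 1
        hits[key]["agents"].add(rec["cs(User-Agent)"])
    return [
        {"client": ip, "path": path, "count": v["count"], "agents": sorted(v["agents"])}
        for (ip, path), v in sorted(hits.items())
    ]


if __name__ == "__main__":
    for hit in triage_iis_log(SAMPLE_LOG):
        print(f"{hit['client']} {hit['path']} x{hit['count']} agents={hit['agents']}")
```

The point of the allowlist approach is that Exchange's own ASPX handlers in these directories are few and stable, so anything else that answers a request is worth a look on disk, and the client IP and user agent (here a scripting library rather than a browser) give the incident responder a pivot into the rest of the estate.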

Based on previous findings from a 2019 Cybereason report, the security firm said it believes the telecoms were compromised to facilitate espionage against select targets such as corporations, political figures, government officials, law-enforcement agencies, political activists, and dissident factions of interest to the Chinese government.

“Three distinct clusters of attacks have varying degrees of connection to APT groups Soft Cell, Naikon, and Group-3390 — all known to operate in the interest of the Chinese government,” the report said. “Overlaps in attacker [tactics] across the clusters are evidence of a likely connection between the threat actors, supporting the assessment that each group was tasked with parallel objectives in monitoring the communications of specific high value targets under the direction of a centralized coordinating body aligned with Chinese state interests.”

Cybereason CEO Lior Div said in a statement, “The attacks are very concerning because they undermine the security of critical infrastructure providers and expose the confidential and proprietary information of both public and private organizations that depend on secure communications for conducting business. These state-sponsored espionage operations not only negatively impact the telcos’ customers and business partners, they also have the potential to threaten the national security of countries in the region and those who have a vested interest in the region’s stability.”

Even though these attacks compromised telcos primarily in Southeast Asia, the attacks could be replicated against telcos in other regions, cautioned the Cybereason report. The implications could have been far worse if the attackers had decided to change their objectives from espionage to interference. In that case, they could have disrupted communications for any of the affected telecoms’ customers.

The attacks could go beyond Southeast Asia telcos

Although cyberattacks happen throughout the world, attention usually falls on countries in open conflict with one another, where cyber operations serve both espionage and disruption. So why Southeast Asia in this telco attack?

“Security threats, in general, have always come with an intention. It could be malice, intentional damage, a warning, a diversion, a criminal act of demand, and in the modern era, the need to disable your opponent to create for yourselves a competitive advantage,” said Teo Chin Seng, a fellow for Advanced Computing for Executives at the National University of Singapore’s School of Computing. “Most countries in Southeast Asia are friendly, on a high economic growth path. In other words, we are happy to be left alone, doing our things well. This posture creates a vulnerability scenario as we can be used as a proxy of others. The economies of Southeast Asia are on the East-West trade routes, our young population is the economic contributor for the next two decades, and, due to the growing affluence of its people, it is a growing financial region. We can become a proxy for an aggressor to cause damage to a third party. So the issue could be not what disruption could stop our systems in Southeast Asia, but what the damage to others would be when our systems are compromised.”

Regardless of the intent, the attack’s implications are profound and far-reaching for businesses in Southeast Asia, said Abhishek Pradhan, head of the cloud business at ST Engineering Mission Software & Services. “At the minimum, it shows that traditional information security tools, policies, and processes are severely outdated against these advanced persistent threats,” he said. “On average, the total budget dedicated to information security and cybersecurity in any business is less than 3% of the total CIO’s budget; in some cases even less than 1%, where just the bare minimum protocols are put in place to show conformance to the prevalent industry buzz.”

In most cases, small and medium businesses cannot match the spending of large enterprises or multinational corporations on an in-house security operations center (SOC) or a dedicated, funded cybersecurity programme. Cloud-based SOCs may be more affordable for such smaller companies.

Besides addressing the spending issue, businesses also need to understand that software supply chains are highly vulnerable and so must implement continuous audit and monitoring, Pradhan said. The notion of “trust but verify” is not valid any more, he added.

Zafar Anjum is a Singapore-based journalist and writer. As a journalist, Zafar worked as the online editor at Executive Networks Media in Singapore, leading the editorial team (online) for enterprise IT publications such as Computerworld Singapore, Computerworld Malaysia, CIO Asia, and MIS Asia. Over the last two decades, Zafar has worked with media companies such as Fairfax Business Media in Australia, MediaCorp in Singapore, and Encyclopaedia Britannica in India.