News By Wire

Operation Tainted Love – Chinese APTs target telcos in new attacks

In collaboration with QGroup GmbH, SentinelLabs recently observed initial threat activities targeting the telecommunication sector. It is highly likely that these attacks were conducted by a Chinese cyber espionage actor related to the Operation Soft Cell campaign.

The initial attack phase involves infiltrating internet-facing Microsoft Exchange servers to deploy webshells used for command execution. Once a foothold is established, the attackers conduct a variety of reconnaissance, credential theft, lateral movement, and data exfiltration activities.
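The release describes the first stage only at a high level: a webshell dropped on an internet-facing Exchange server and then driven over HTTP. As an added example (not code from SentinelLabs, QGroup or the report), the script below shows one simple way a defender can look for that kind of interaction in IIS W3C logs: it parses the `#Fields:` header, then flags successful POST requests to `.aspx` files under Exchange virtual directories that are not on an allowlist of known endpoints, and counts them per client address. The allowlist, the watched roots and the log lines are all constructed assumptions for the demonstration; a production allowlist would be built from the server's real content.

```python
"""Flag IIS W3C log entries that look like webshell interaction (added example)."""
from collections import Counter, defaultdict

# Assumption: a (deliberately short) allowlist of legitimate Exchange ASPX endpoints.
# A real deployment would generate this from the installed files, not hand-write it.
KNOWN_ASPX = {
    "/owa/auth/logon.aspx",
    "/owa/auth/errorfe.aspx",
    "/ecp/default.aspx",
}

# Assumption: virtual-directory roots worth watching for unexpected .aspx files.
WATCHED_ROOTS = ("/owa/auth/", "/ecp/", "/aspnet_client/")


def parse_w3c(lines):
    """Yield one dict per data line, using the field names from the #Fields: directive."""
    fields = None
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or fields is None:
            continue  # other directives, or data before any #Fields: line
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed or truncated record; skip rather than misalign columns
        yield dict(zip(fields, values))


def is_suspicious(rec):
    """True for a successful POST to an unknown .aspx under a watched root."""
    stem = rec.get("cs-uri-stem", "").lower()
    if not stem.endswith(".aspx") or stem in KNOWN_ASPX:
        return False
    if not stem.startswith(WATCHED_ROOTS):
        return False
    return rec.get("cs-method") == "POST" and rec.get("sc-status") == "200"


def find_webshell_candidates(lines):
    """Return {client_ip: {uri_stem: hit_count}} for records that match the heuristic."""
    hits = defaultdict(Counter)
    for rec in parse_w3c(lines):
        if is_suspicious(rec):
            hits[rec["c-ip"]][rec["cs-uri-stem"].lower()] += 1
    return {ip: dict(counter) for ip, counter in hits.items()}


# Constructed sample log; the addresses and paths are invented for the demonstration.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2023-01-10 08:01:02 POST /owa/auth/logon.aspx - 10.0.0.5 200
2023-01-10 08:02:15 GET /owa/auth/errorfe.aspx - 10.0.0.5 200
2023-01-10 08:03:40 POST /owa/auth/Current/themes/resources/x.aspx - 198.51.100.7 200
2023-01-10 08:03:41 POST /owa/auth/Current/themes/resources/x.aspx - 198.51.100.7 200
2023-01-10 08:05:00 POST /aspnet_client/system_web/y.aspx - 198.51.100.7 200
2023-01-10 08:05:30 POST /aspnet_client/system_web/y.aspx - 198.51.100.7 404
2023-01-10 08:06:00 GET /ecp/default.aspx - 10.0.0.9 200
"""

if __name__ == "__main__":
    for ip, paths in find_webshell_candidates(SAMPLE_LOG.splitlines()).items():
        print(ip, paths)
```

The heuristic is intentionally narrow (status 200, POST, unknown path) so that it produces few alerts; the point is the structure, keying on files that should not exist rather than on request content, which a webshell can obfuscate. Pair it with file-integrity monitoring of the same directories, since the log only shows the shell once it is used.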

The deployment of custom credential theft malware is central to this new campaign. The malware implements a series of Mimikatz modifications on top of closed-source tooling. SentinelLabs’ research details the multi-component architecture and functionality of a sample – referred to as mim221 – a recent version of an actively maintained credential theft capability upgraded with new anti-detection features.

The use of special-purpose modules that implement a range of advanced techniques shows the threat actors’ dedication to advancing their toolset towards maximum stealth.

Key points

  • SentinelLabs observed initial phases of attacks against telecommunication providers in the Middle East in Q1 of 2023.
    This activity represents an evolution of tooling associated with Operation Soft Cell.
  • While it is highly likely that the threat actor is a Chinese cyber espionage group in the nexus of Gallium and APT41, the exact grouping remains unclear.
  • SentinelLabs observed the use of a well-maintained, versioned credential theft capability and a new dropper mechanism indicative of an ongoing development effort by a highly motivated threat actor with specific tasking requirements.

Conclusion

Chinese cyber espionage threat actors are known to have a strategic interest in the Middle East. This is evident from their consistent targeted attacks on various entities, including government, finance, entertainment, and telecommunication organisations. The recent activities targeting the telecommunication sector that this report discusses are some of the latest of such attacks.

SentinelLabs’ analysis of mim221 highlights the continuous maintenance and further development of the Chinese espionage malware arsenal. These threat actors will almost certainly continue exploring and upgrading their tools with new techniques for evading detection, including integrating and modifying publicly available code. SentinelLabs continues to monitor espionage activities and it is hoped that defenders will leverage these findings to bolster their defences.

Press release information


Media contact

Media contact name:

Irina Meier

Media contact business / organisation:

Eleven Hundred Agency
