
Telecom providers in the Middle East have been targeted by new cyberattacks that began in the first quarter of 2023.
The intrusion set is attributed to a Chinese cyber espionage actor and linked to the long-running Operation Soft Cell campaign on the basis of tooling overlaps.
In a new technical report shared with The Hacker News, researchers from SentinelOne and QGroup wrote, “The first stage of the attack involved compromising an Internet-facing Microsoft Exchange server and deploying a web shell used to execute commands.
“Once a foothold is established, attackers perform a variety of activities such as reconnaissance, credential theft, lateral movement, and data exfiltration.”
According to Cybereason, Operation Soft Cell refers to malicious activity by China-linked actors targeting telecom providers since at least 2012.
The Soft Cell threat actor, also tracked by Microsoft as Gallium, is known to target unpatched internet-facing services and to use tools like Mimikatz to capture credentials that enable lateral movement across targeted networks.
The adversary also uses a “hard-to-detect” backdoor, codenamed PingPull, in espionage attacks against companies operating in Southeast Asia, Europe, Africa, and the Middle East.
At the heart of the latest campaign is the deployment of a custom variant of Mimikatz called mim221 with new anti-detection capabilities.
“The use of purpose-built modules that implement a variety of advanced techniques shows that the threat actors are committed to advancing their toolset towards maximum stealth,” the researchers said, adding that it “highlights the continued maintenance and further development of the threat actors’ espionage malware arsenal.”

Previous research on Gallium points to tactical similarities [PDF] with multiple Chinese nation-state groups such as APT10 (aka Bronze Riverside, Potassium, or Stone Panda), APT27 (aka Bronze Union, Emissary Panda, or Lucky Mouse), and APT41 (aka Barium, Bronze Atlas, or Wicked Panda).
This once again points to the sharing of closed-source tools among Chinese government-backed threat actors, and raises the possibility of a “digital quartermaster” responsible for maintaining and distributing the toolset.
The findings come as it emerged that various other hacking groups such as BackdoorDiplomacy and WIP26 have set their sights on telecom service providers in the Middle East.
“Chinese cyber espionage threat actors are known to have a strategic interest in the Middle East,” the researchers concluded.
“These threat actors will almost certainly continue to investigate and upgrade their tools, using new techniques to evade detection, such as integrating and modifying publicly available code.”