The McAfee Advanced Threat Research Strategic Intelligence team has identified an espionage campaign that is specifically targeting telecommunication companies in an attack dubbed “Operation Diànxùn.”
Mustang Panda an advanced persistent threat group behind a number of COVID-19-themed attacks on people in Vietnam and Mongolia. The attacks involved COVID-19-related phishing emails loaded with malicious .rar files that, when unzipped, installed a backdoor trojan on the victim’s machine.
RedDelta is also well known by security researchers for its work attacking the Vatican, the former civilian government of Myanmar and two Hong Kong universities last year. According to McAfee, the attacks used “the PlugX backdoor using DLL side loading with legitimate software, such as Word or Acrobat, to compromise targets.”
Now, the group–which is believed to be based in China–is going after the telecom sector, and McAfee researchers wrote that they believe the attack is related to the ban of Chinese technology in the global 5G rollout.
The initial vector for the infection is not entirely clear, we believe with a medium level of confidence that victims were lured to a domain under control of the threat actor, from which they were infected with malware which the threat actor leveraged to perform additional discovery and data collection,.
“We believe with a medium level of confidence that the attackers used a phishing website masquerading as the Huawei company career page to target people working in the telecommunications industry. We discovered malware that masqueraded as Flash applications, often connecting to the domain “hxxp://update.careerhuawei.net” that was under control of the threat actor. The malicious domain was crafted to look like the legitimate career site for Huawei, which has the domain: hxxp://career.huawei.com. In December, we also observed a new domain name used in this campaign: hxxp://update.huaweiyuncdn.com.”
“Whilst the focus will be on the threat actor, the recommendation is to focus on the available IoCs and TTPs to not only hunt for the threat but implement controls that prevent such adversaries from being successful.”
While there was initial interest from dozens of governments in allowing Chinese companies like Huawei and ZTE to build out 5G networks, the United States and some European countries have in recent months pressed countries to stop rollout efforts over concerns that the Chinese government would have some level of access or control over the systems, according to Foreign Policy and Reuters.
“The announcement of the ban on Huawei in several countries could have motivated the operation. The operating methods were previously assigned to the Chinese groups RedDelta and Mustang Panda. While we believe that the two actors could be the same, based on similar techniques, tactics and procedures, we currently have no further evidence. Interestingly, the RedDelta group has previously targeted Catholic organizations, while this campaign is primarily focused on telecommunications.”