Security researchers have identified a new cyberespionage campaign targeting telecommunications companies in the Middle East that may be the work of a threat actor related to the Gallium group, a Chinese attack team that has consistently compromised telecom providers across the globe for several years.
The attacks took place in the first quarter of this year, and researchers at SentinelOne’s SentinelLabs, along with German security company QGroup, discovered the threat actors compromising Microsoft Exchange servers at telecom companies and planting webshells on them for later use. The attackers then used custom malware for credential theft, performed lateral movement across the compromised networks, and stole data. The researchers did not draw a conclusive link to the Gallium group, but said that it is highly likely the attacks are the work of a team that is associated with Gallium and APT41, a known Chinese cyberespionage actor, based on the use of common tools and tactics.
Gallium is best-known for Operation Soft Cell, a campaign identified in 2019 that targeted telecom providers in a number of different regions and was designed to steal information about specific individuals. The SentinelLabs researchers said the attackers behind the newly discovered campaign are using many of the same tools and tactics as the Soft Cell actors.
“We assess it is highly likely the initial attack phases we observed were conducted by Chinese threat actors with cyberespionage motivations. Telecommunication providers are frequent targets of espionage activity due to the sensitive data they hold. Our analysis identified indicators that point to the operation Soft Cell actors,” the SentinelLabs report on the campaign says.
“The initial intrusion vector and the majority of the TTPs we observed closely match those conducted by, or associated with, the Soft Cell actors. This includes deploying webshells at Microsoft Exchange servers for establishing an initial foothold, following same file naming conventions, using the LG tool and the net, query, and tasklist Windows built-in tools for gathering user and process information, and the PsExec Windows Sysinternals tool and net for lateral movement and exploration, respectively.”
Telecom providers make attractive targets for high-end attackers, especially those interested in gathering information on specific companies, creating access routes for further attacks, or potentially staging disruptive operations. Providers gather and store vast amounts of sensitive and valuable information about client companies and individuals and often provide connections to other networks. State-sponsored cyberespionage groups have been known to target telecom providers in many countries over the years, and the Soft Cell actors are among the more active in that arena.
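The TTPs quoted above (webshells on Exchange servers, the net, query and tasklist built-ins for enumeration, and PsExec for lateral movement) map directly onto a small set of process-creation detections. The script below is an added example written for this article, not code from SentinelLabs, QGroup or the report; the log lines are constructed, the hostnames and times are made up, and it assumes the usual layout of Windows process-creation telemetry (timestamp, host, parent image, image, command line). It encodes three defender-side rules: an IIS worker process (w3wp.exe, which hosts Exchange's web endpoints) spawning a shell, several distinct enumeration tools on one host within five minutes, and the PsExec service binary starting.

```python
"""Detection logic for the TTP cluster described in the article: webshell command
execution on Exchange servers, built-in recon tools (net, query, tasklist) and
PsExec lateral movement. Added example; not SentinelLabs' or QGroup's code.
All log lines below are constructed, not real telemetry."""
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Constructed process-creation events, fields modelled loosely on Sysmon Event
# ID 1 / Windows 4688: time|host|parent image|image|command line.
SAMPLE_EVENTS = [
    # IIS worker process spawning a shell on an Exchange server: webshell pattern.
    "2023-02-14T09:01:02|EXCH01|C:\\Windows\\System32\\inetsrv\\w3wp.exe|C:\\Windows\\System32\\cmd.exe|cmd.exe /c whoami",
    "2023-02-14T09:01:10|EXCH01|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\net.exe|net user /domain",
    "2023-02-14T09:01:20|EXCH01|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\query.exe|query user",
    "2023-02-14T09:01:31|EXCH01|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\tasklist.exe|tasklist /v",
    # PsExec's service binary (PSEXESVC.exe) started by services.exe on another host.
    "2023-02-14T09:15:44|FS02|C:\\Windows\\System32\\services.exe|C:\\Windows\\PSEXESVC.exe|C:\\Windows\\PSEXESVC.exe",
    # Benign admin activity: one tasklist from an explorer-launched shell on a workstation.
    "2023-02-14T10:30:00|WS17|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\cmd.exe|cmd.exe",
    "2023-02-14T10:30:05|WS17|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\tasklist.exe|tasklist",
]

WEB_WORKERS = {"w3wp.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
RECON_TOOLS = {"net.exe", "net1.exe", "query.exe", "tasklist.exe"}
PSEXEC_NAMES = {"psexesvc.exe", "psexec.exe", "psexec64.exe"}
RECON_WINDOW = timedelta(minutes=5)   # burst window (tunable assumption)
RECON_MIN_DISTINCT = 3                # distinct tools needed to call it a burst


def parse_event(line):
    """Split one pipe-delimited line into a dict; image names are lower-cased basenames."""
    ts, host, parent, image, cmdline = line.split("|", 4)
    return {
        "time": datetime.fromisoformat(ts),
        "host": host,
        "parent": PureWindowsPath(parent).name.lower(),
        "image": PureWindowsPath(image).name.lower(),
        "cmdline": cmdline,
    }


def detect(lines):
    """Return a list of (rule, host, detail) findings over the given log lines."""
    events = [parse_event(line) for line in lines]
    findings = []
    recon_by_host = defaultdict(list)
    for e in events:
        # Rule 1: web server worker process launching an interactive shell.
        if e["parent"] in WEB_WORKERS and e["image"] in SHELLS:
            findings.append(("webshell_shell_spawn", e["host"], e["cmdline"]))
        # Rule 2: PsExec client or its remote service binary running.
        if e["image"] in PSEXEC_NAMES:
            findings.append(("psexec_lateral_movement", e["host"], e["image"]))
        if e["image"] in RECON_TOOLS:
            recon_by_host[e["host"]].append(e)
    # Rule 3: several distinct built-in enumeration tools on one host in a short window.
    for host, evs in recon_by_host.items():
        evs.sort(key=lambda x: x["time"])
        for i, first in enumerate(evs):
            window = [x for x in evs[i:] if x["time"] - first["time"] <= RECON_WINDOW]
            tools = {x["image"] for x in window}
            if len(tools) >= RECON_MIN_DISTINCT:
                findings.append(("recon_burst", host, ",".join(sorted(tools))))
                break
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Run as a script, it reports a webshell shell spawn and a recon burst on EXCH01 and a PsExec service start on FS02, while the single tasklist on WS17 stays below the burst threshold. The burst rule is deliberately host-scoped and windowed so that one-off admin use of these built-ins does not fire; in production the window and threshold would be tuned against baseline telemetry.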
Among the tools that the attackers in the newly identified campaign employed is a modified version of Mimikatz that the researchers call mim221 and is used for credential theft. The tool has four discrete components: a binary and three DLLs. Interestingly, once the attackers gathered the credentials that they wanted, they stopped their activities on the compromised networks.
“This could indicate a multi-phase attack strategy, where the deployment of backdoors and further persistence mechanisms is carried out separately after credential theft has ensured continued access. The intrusions were detected and interrupted before the attackers could carry out further phases, such as deploying backdoors,” the researchers said.
“It is worth noting that the attackers’ activities at one of the targets suggested previous knowledge of the environment. We had observed activity at the same target a few months prior, which we attributed to Gallium primarily based on the use of the group’s PingPull backdoor and TTPs.”
Chinese state-sponsored cyberespionage teams are among the more capable, active, and well-resourced groups on the scene, and their targeting is not accidental or haphazard. Other Chinese groups have targeted Middle Eastern organizations in the past, as well.
“Our analysis of mim221 highlights the continuous maintenance and further development of the Chinese espionage malware arsenal. These threat actors will almost certainly continue exploring and upgrading their tools with new techniques for evading detection, including integrating and modifying publicly available code,” the SentinelLabs researchers said.