Unveiling CL-STA-0969: Covert Malware Targets Telecom Networks in a 10-Month Espionage Operation

Telecommunications organizations in Southeast Asia have come under attack from a state-sponsored threat actor identified as CL-STA-0969. This group aims to establish remote control over compromised networks, with activities noted between February and November 2024 targeting critical telecommunications infrastructure.

Palo Alto Networks’ Unit 42 reported observing multiple incidents in the region in which the actor used various tools for remote access, including one named Cordscan, which is capable of collecting location data from mobile devices. Notably, the cybersecurity firm found no evidence of data exfiltration or tracking attempts on the compromised networks during its investigations.

Researchers Renzon Cruz, Nicolas Bareil, and Navin Thomas indicated that CL-STA-0969 maintained high operational security (OPSEC) and employed different defense evasion techniques to remain undetected. The group shows significant overlap with a cluster tracked by CrowdStrike, known as Liminal Panda, which has previously been linked to cyber espionage against telecommunications entities in Asia and Africa since at least 2020.

Some tactics associated with Liminal Panda have also been attributed to another actor called LightBasin (or UNC1945), which has been targeting the telecom sector since 2016, suggesting a complex web of actors with similar methodologies.

In their campaigns, CL-STA-0969 reportedly used brute-force attacks against SSH authentication to gain initial access, deploying various malware such as:

  • AuthDoor, a malicious Pluggable Authentication Module (PAM) used for credential theft and maintaining persistent access.
  • Cordscan, which serves as a network scanning and packet capture utility.
  • GTPDOOR, specifically designed to target telecom networks adjacent to GPRS roaming exchanges.
  • EchoBackdoor, a passive backdoor that listens for ICMP echo requests to receive commands.
  • Emulation software such as sgsnemu to tunnel traffic and bypass firewalls.
  • ChronosRAT, a versatile malware supporting various malicious operations including keystroke logging and remote shell access.
  • NoDepDNS, a Golang backdoor known for parsing incoming commands via DNS messages.

The threat actor further demonstrated a thorough understanding of telecommunications protocols and infrastructure, combining public and bespoke toolsets while taking steps to avoid detection. These include DNS tunneling, routing traffic through compromised mobile operators, and disguising process names to blend in with the target environment.
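As an added illustration of the detection side (this is not code from the Unit 42 report), the following heuristic scores a resolver log for query patterns consistent with commands or data carried in DNS labels, the behaviour attributed to NoDepDNS and to the DNS tunneling mentioned above. The log format, the thresholds and the "registrable domain equals last two labels" rule are assumptions for this constructed sample.

```python
import math
from collections import defaultdict

# Constructed sample resolver log, "<ts> <client> <qname> <qtype>"; not real telemetry.
SAMPLE_LOG = """\
1700000000 10.0.0.5 www.example.org A
1700000001 10.0.0.5 mail.example.org A
1700000002 10.0.0.7 a3f9c1e8b7d2.c2-example.test TXT
1700000003 10.0.0.7 9e4b0d7c2a1f.c2-example.test TXT
1700000004 10.0.0.7 5c8e2f1a6b3d.c2-example.test TXT
1700000005 10.0.0.7 7d1a9c4e0f2b.c2-example.test TXT
1700000006 10.0.0.7 b2e6d0a8c4f1.c2-example.test TXT
1700000007 10.0.0.9 cdn.example.org A
"""

def shannon_entropy(s):
    """Bits per character; encoded command/data labels score far above ordinary hostnames."""
    if not s:
        return 0.0
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def profile_domains(text):
    """Aggregate queries per registrable domain (assumed here to be the last two labels)."""
    stats = defaultdict(lambda: {"subs": set(), "ent": [], "data_rr": 0, "total": 0})
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:          # skip malformed lines instead of crashing
            continue
        labels = parts[2].lower().rstrip(".").split(".")
        if len(labels) < 3:          # bare apex queries carry no label payload
            continue
        s = stats[".".join(labels[-2:])]
        sub = "".join(labels[:-2])
        s["subs"].add(sub)
        s["ent"].append(shannon_entropy(sub))
        s["data_rr"] += parts[3].upper() in ("TXT", "NULL", "CNAME")  # types that carry bulk data back
        s["total"] += 1
    return stats

def flag_tunneling(text, min_unique=5, min_entropy=3.0, min_data_ratio=0.5):
    """Return domains whose query pattern looks like commands/data carried in DNS labels."""
    flagged = {}
    for base, s in profile_domains(text).items():
        uniq, ent = len(s["subs"]), sum(s["ent"]) / len(s["ent"])
        ratio = s["data_rr"] / s["total"]
        if uniq >= min_unique and ent >= min_entropy and ratio >= min_data_ratio:
            flagged[base] = {"unique_subdomains": uniq, "avg_entropy": round(ent, 2),
                             "data_rr_ratio": round(ratio, 2)}
    return flagged
```

Tune the thresholds against a baseline of your own resolver traffic before alerting; CDNs and some security products also generate many high-entropy subdomains, so the flagged list is a triage queue, not a verdict.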

In related news, as tensions rise, China has accused U.S. intelligence agencies of exploiting a Microsoft Exchange zero-day vulnerability to steal sensitive military and research data. The accusation coincides with claims of targeting Chinese military enterprises and high-tech universities.

