New cyber attacks against Middle Eastern telecommunications operators emerged in the first quarter of 2023. Based on technical overlaps, the intrusion set was identified as being the work of a Chinese cyber espionage actor associated with a long-running campaign dubbed Operation Soft Cell.
The initial attack phase involves infiltrating Internet-facing Microsoft Exchange servers to deploy web shells used for command execution. (…) Once a foothold is established, the attackers conduct a variety of reconnaissance, credential theft, lateral movement, and data exfiltration activities.
Development of the Malware Arsenal
According to Cybereason, Operation Soft Cell refers to malicious activities carried out by China-affiliated entities targeting telecom carriers from at least 2012.
Soft Cell, also dubbed Gallium by Microsoft, is notorious for exploiting unpatched internet-facing services and using tools like Mimikatz to collect credentials that allow lateral movement across the targeted networks.
As part of its espionage campaigns targeting businesses in Southeast Asia, Europe, Africa, and the Middle East, the hostile group has also employed a “difficult-to-detect” backdoor known as PingPull.
Mim221, a modified version of Mimikatz with enhanced anti-detection capabilities, is at the center of the present campaign.
The use of special-purpose modules that implement a range of advanced techniques shows the threat actors’ dedication to advancing their toolset towards maximum stealth and highlights the continuous maintenance and further development of the Chinese espionage malware arsenal.
Finally, the attacks failed because they were uncovered and stopped before any implants could be installed in the targeted networks.
Gallium has been compared to other Chinese nation-state groups in terms of tactics, and these include APT10 (also known as Bronze Riverside, Potassium, or Stone Panda), APT27 (also known as Bronze Union, Emissary Panda, or Lucky Mouse), and APT41 (aka Barium, Bronze Atlas, or Wicked Panda), explains The Hacker News.
This again suggests the existence of a “digital quartermaster” responsible for maintaining and disseminating the toolkit across Chinese state-sponsored threat actors.
These results coincide with reports that other hacker groups, such as BackdoorDiplomacy and WIP26, have targeted Middle Eastern telecommunications companies.