Heimdal

New cyber attacks against Middle Eastern telecommunications operators emerged in the first quarter of 2023. Based on technical overlaps, the intrusion set was identified as being the work of a Chinese cyber espionage actor associated with a long-running campaign dubbed Operation Soft Cell.

The initial attack phase involves infiltrating Internet-facing Microsoft Exchange servers to deploy web shells used for command execution. (…) Once a foothold is established, the attackers conduct a variety of reconnaissance, credential theft, lateral movement, and data exfiltration activities.

Source

A Development of the Malware Arsenal

According to Cybereason, Operation Soft Cell refers to malicious activity carried out by China-affiliated entities against telecom carriers since at least 2012.

Soft Cell, also dubbed Gallium by Microsoft, is notorious for exploiting unpatched internet-facing services and using tools like Mimikatz to collect credentials that allow lateral movement across the targeted networks.

As part of its espionage campaigns targeting businesses in Southeast Asia, Europe, Africa, and the Middle East, the hostile group has also employed a “difficult-to-detect” backdoor known as PingPull.

Mim221, a modified version of Mimikatz with enhanced anti-detection capabilities, is at the center of the present campaign.
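The article names two behaviours that leave distinctive traces on an endpoint: a web shell on an Exchange server executing commands (in practice the IIS worker process spawning a command interpreter) and Mimikatz-style credential theft (an unexpected process opening lsass.exe with memory-read rights). The following is an added example, not code from Heimdal or from any of the cited reports; it runs two small heuristics over constructed, Sysmon-style events (process creation, event 1, and process access, event 10). The field names, the LSASS allowlist and the sample paths are assumptions made for the example and would need tuning in a real environment.

```python
"""Two defender-side heuristics for the tradecraft described in the article.
   Events are constructed Sysmon-like dictionaries, not real telemetry."""
from dataclasses import dataclass

# Command interpreters that an IIS worker process should not normally spawn.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
# Processes that legitimately open LSASS (assumption for this example; tune per site).
LSASS_ALLOWLIST = {"csrss.exe", "wininit.exe", "services.exe", "msmpeng.exe", "lsass.exe"}
# Windows access right that lets a process read another process's memory.
PROCESS_VM_READ = 0x0010


@dataclass
class Alert:
    rule: str
    host: str
    detail: str


def basename(path: str) -> str:
    """Last path component, lower-cased, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_webshell_exec(ev: dict):
    """Event 1: w3wp.exe (IIS) launching a shell is the classic web-shell footprint."""
    if ev.get("event_id") != 1:
        return None
    parent = basename(ev.get("parent_image", ""))
    child = basename(ev.get("image", ""))
    if parent == "w3wp.exe" and child in SHELLS:
        return Alert("webshell_command_execution", ev["host"],
                     f"{parent} -> {child}: {ev.get('command_line', '')}")
    return None


def detect_lsass_access(ev: dict):
    """Event 10: a non-allowlisted process opening lsass.exe with VM_READ."""
    if ev.get("event_id") != 10:
        return None
    if basename(ev.get("target_image", "")) != "lsass.exe":
        return None
    source = basename(ev.get("source_image", ""))
    access = int(ev.get("granted_access", "0x0"), 16)
    if source not in LSASS_ALLOWLIST and access & PROCESS_VM_READ:
        return Alert("lsass_memory_access", ev["host"],
                     f"{source} opened lsass.exe with access {hex(access)}")
    return None


def scan(events):
    """Apply every rule to every event; return alerts in event order."""
    alerts = []
    for ev in events:
        for rule in (detect_webshell_exec, detect_lsass_access):
            alert = rule(ev)
            if alert:
                alerts.append(alert)
    return alerts


# Constructed sample events (hypothetical host and paths).
SAMPLE_EVENTS = [
    # benign: IIS worker spawns conhost, which is ordinary
    {"event_id": 1, "host": "exch01",
     "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\conhost.exe", "command_line": "conhost.exe"},
    # suspicious: IIS worker spawns cmd.exe, i.e. web shell command execution
    {"event_id": 1, "host": "exch01",
     "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd.exe /c whoami"},
    # benign: Defender engine opens LSASS
    {"event_id": 10, "host": "exch01",
     "source_image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1010"},
    # suspicious: unknown binary in a writable directory reads LSASS memory
    {"event_id": 10, "host": "exch01",
     "source_image": r"C:\Users\Public\svc.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1010"},
    # not flagged: handle without memory-read rights
    {"event_id": 10, "host": "exch01",
     "source_image": r"C:\Users\Public\svc.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1400"},
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.host}: {a.detail}")
```

Both rules are deliberately narrow: the first keys on the parent/child relationship rather than on command-line strings, so it survives renamed tools, and the second uses an allowlist plus the access mask, which is how Mimikatz-derived tools such as the Mim221 variant described here are typically surfaced regardless of how their binaries are disguised.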

The use of special-purpose modules that implement a range of advanced techniques shows the threat actors’ dedication to advancing their toolset towards maximum stealth and highlights the continuous maintenance and further development of the Chinese espionage malware arsenal.

Source

Ultimately, the attacks failed: they were detected and stopped before any implants could be installed on the targeted networks.

In terms of tactics, Gallium has been compared to other Chinese nation-state groups, including APT10 (also known as Bronze Riverside, Potassium, or Stone Panda), APT27 (also known as Bronze Union, Emissary Panda, or Lucky Mouse), and APT41 (also known as Barium, Bronze Atlas, or Wicked Panda), explains The Hacker News.

This again suggests the existence of a “digital quartermaster” responsible for maintaining and disseminating the toolkit across Chinese state-sponsored threat actors.

These results coincide with reports that other hacker groups, such as BackdoorDiplomacy and WIP26, have targeted Middle Eastern telecommunications companies.


Author Profile

Madalina Popovici

Digital PR Specialist
