Symantec’s recent report details a long-running espionage campaign targeting telecommunications companies in an unspecified Asian country. The campaign, active since at least 2021, has also impacted a company providing services to telcos and a university abroad. The attackers, utilizing custom backdoors like Coolclient, Quickheal, and Rainyday, are linked to Chinese state-sponsored threat groups such as Mustang Panda, RedFoxtrot, and Naikon. These tools enable a range of malicious activities including keylogging, file manipulation, remote shell execution, and reconnaissance.
Coolclient, associated with Mustang Panda, supports extensive capabilities including keylogging and communication with command-and-control servers. Quickheal, linked to RedFoxtrot, facilitates information harvesting and file manipulation based on remote commands. Rainyday, attributed to Naikon, enables reconnaissance, lateral movement, credential theft, and data exfiltration. Alongside these custom backdoors, the attackers deployed additional tools such as keyloggers, port scanners, and registry hives extractors to enhance their capabilities and maintain persistence within compromised networks.
Symantec notes that while the exact relationship between the threat actors remains unclear, the use of tools exclusive to Chinese espionage groups suggests either collaboration or independent operations. The motive behind the campaign includes gathering intelligence on the telecom sector, potential eavesdropping activities, or developing capabilities to disrupt critical infrastructure. This revelation underscores the ongoing threat posed by state-sponsored cyber espionage in the region, emphasizing the need for enhanced cybersecurity measures to protect sensitive sectors from sophisticated attacks.
Reference:
