A Chinese advanced persistent threat (APT) actor is targeting major telecommunications companies in the US, Europe, and Southeast Asia in a cyber-espionage campaign that appears designed to steal data pertaining to 5G technology.
The campaign, dubbed Operation Diànxùn, is likely motivated by the ban on the use of Chinese technology in 5G rollouts in several countries, McAfee says in a new report. According to the security vendor, the threat actor behind the campaign is using tactics associated with Mustang Panda, a group that several security vendors previously have identified as working for the Chinese government.
Data related to Operation Diànxùn shows that victims were lured to a website purporting to be a career page for Huawei, widely regarded as the leader in the 5G space. Several governments, including the US, have barred the use of Huawei's 5G technology out of fears that it might contain backdoors that enable widespread spying. There's nothing to indicate that Huawei is in any way associated with the current threat campaign, however, McAfee says.
According to the security vendor, it is unclear how the attackers initially lured victims to the phishing site. But once victims got there, they were greeted with a webpage that looked identical to Huawei's career site. The attackers used the fake website to deliver malware that masqueraded as a Flash application. The site from which the Flash application was downloaded also was carefully designed to look like the official webpage in China for the Flash download site. The malware, among other things, downloaded the Cobalt Strike attack kit onto compromised systems.
Thomas Roccia, senior security researcher with McAfee's Advanced Threat Research team, says that available telemetry suggests that Mustang Panda is the group behind the ongoing Operation Diànxùn threat campaign. "The targets are mainly in the telecommunications sector," he says. "Most of the organizations where we have observed telemetry hits have been expressing concerns regarding the rollout of 5G technology from China," suggesting the campaign is tied to the global race to deploy next-gen communications technology, he says.
Mustang Panda first surfaced back in 2014 and has been associated with attacks on organizations perceived as being of interest to the Chinese government. In 2017, CrowdStrike reported observing Mustang Panda members targeting a US-based think tank and several nongovernmental organizations with a nexus to Mongolia and the Mongolian government.
More recently, between May and September 2020, several security vendors (including McAfee and Recorded Future) observed a group using tactics similar to Mustang Panda targeting the Vatican and other Catholic organizations in Hong Kong and Italy. The intrusions occurred ahead of a planned renewal of a 2018 agreement between China and the Vatican involving the Catholic community in China and appeared designed to give Beijing advance intelligence on the Holy See's negotiating position, Recorded Future said. McAfee says it also observed Mustang Panda threat activity in September 2020 involving decoy documents related to Catholicism, Tibet-Ladakh relations, and the United Nations General Assembly Security Council.
Single Threat Actor
Other security vendors, such as Recorded Future, have attributed last year's attacks on the Vatican and other religious entities to a group called RedDelta. But Roccia says McAfee's analysis shows there's only one actor behind the ongoing Operation Diànxùn campaign and those against the religious institutions last year. "McAfee believes with a high level of confidence that the campaign can be attributed to Mustang Panda," Roccia says. "While previous research mentioned RedDelta and Mustang Panda as two separate groups, we believe, based on our research, that Mustang Panda and RedDelta are in fact the same threat group."
Most of the previous attacks that Mustang Panda has carried out have involved the use of PlugX, a remote access Trojan that various attack groups have used since at least 2008 to steal and modify files, download malware, log keystrokes, and control a computer's webcam. However, with Operation Diànxùn, the threat group has eschewed the use of that particular tool, though it is continuing to use Cobalt Strike as it has in previous campaigns, according to McAfee.
McAfee advocates that organizations implement a multilayer security approach to address threats such as those presented by Mustang Panda and other APT groups. Capabilities such as URL reputation checks, SSL decryption, and malware emulation are important for analyzing Flash, .NET, and other active Web content that can be easily weaponized. Organizations also need to have both signature and behavioral analysis capabilities to detect threats directed at the enterprise endpoint environment. Also important are controls for detecting and blocking communications between compromised host systems and external command-and-control servers and for proactively identifying defense evasion and persistence mechanisms, according to McAfee.
The security vendor's blog has listed the indicators of compromise and operating techniques associated with Operation Diànxùn along with advice on how to protect against the threat.
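As an added illustration (not code from the article or from McAfee) of how the URL reputation and download controls recommended above could be applied to the lure chain this article describes, the following script scans constructed proxy log lines for hosts that imitate the Huawei or Flash brands and for executable downloads posing as a Flash installer. The allowlist, hostnames and log lines are assumptions, not indicators from the McAfee report.

```python
from urllib.parse import urlparse

# Illustrative allowlist of legitimate registered domains (assumption, not from the article).
LEGIT_DOMAINS = {"huawei.com", "adobe.com"}
# Brand strings the lure chain described in the article imitated.
BRANDS = ("huawei", "flash", "adobe")
EXE_TYPES = {"application/x-msdownload", "application/octet-stream"}

# Constructed proxy log lines: "<timestamp> <client> <method> <url> <content-type>"
SAMPLE_LOGS = """\
2021-03-16T09:12:01Z 10.0.0.5 GET https://www.huawei.com/en/careers text/html
2021-03-16T09:13:44Z 10.0.0.5 GET https://huawei-careers.example/jobs text/html
2021-03-16T09:14:02Z 10.0.0.5 GET https://flash-download.example/get/flash_installer.exe application/x-msdownload
2021-03-16T09:20:10Z 10.0.0.7 GET https://get.adobe.com/flashplayer/ text/html
2021-03-16T09:21:30Z 10.0.0.7 GET https://cdn.example/static/app.js application/javascript
"""

def registered_domain(host):
    # Naive: last two labels. Assumption: does not handle multi-part TLDs such as .com.cn.
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def classify(line):
    """Return a list of finding tags for one log line (empty if nothing suspicious)."""
    parts = line.split()
    if len(parts) != 5:
        return []
    _, _, _, url, ctype = parts
    u = urlparse(url)
    host = u.hostname or ""
    findings = []
    legit = registered_domain(host) in LEGIT_DOMAINS
    # A brand name inside a hostname that is not the brand's own domain is a lookalike candidate.
    if not legit and any(b in host.lower() for b in BRANDS):
        findings.append("brand-lookalike-host")
    # An executable named like a Flash installer served from a non-allowlisted host.
    filename = u.path.rsplit("/", 1)[-1].lower()
    is_exe = ctype in EXE_TYPES or filename.endswith(".exe")
    if is_exe and "flash" in filename and not legit:
        findings.append("fake-flash-installer")
    return findings

def scan(log_text):
    """Map each suspicious log line to its findings; clean lines are omitted."""
    result = {}
    for ln in log_text.splitlines():
        tags = classify(ln)
        if tags:
            result[ln] = tags
    return result

if __name__ == "__main__":
    for ln, tags in scan(SAMPLE_LOGS).items():
        print(tags, ln)
```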
Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …