African telecom company targeted by alleged China-backed hacking group

An African telecommunications company is the latest target of an alleged Chinese government-backed hacking group, according to a new report from Symantec.

The cybersecurity software firm’s researchers have been tracking an advanced persistent threat (APT) group they call “Daggerfly.” Malicious activity against the company appears to have begun in November 2022 but “there are indications the activity is likely still ongoing,” they wrote.

“Telecoms companies will always be a key target in intelligence gathering campaigns due to the access they can potentially provide to the communications of end-users,” the researchers explained.

They declined to name the company but said they were able to tie the activity to Chinese hacking groups based on the use of the PlugX malware — a hallmark of Chinese military hacking campaigns.

The specific case highlighted in the report stood out to the researchers because several other malware strains used — including the MgBot modular malware framework — “would have allowed the attackers to collect a significant amount of information from victim machines.”

“The capabilities of these plugins also show that the main goal of the attackers during this campaign was information-gathering. Daggerfly’s development of these previously unseen plugins demonstrates that the attack group is continuing to actively develop its malware and the tools it can use to target victim networks,” they wrote.

“Use of the MgBot modular malware framework and PlugX loader have been associated in the past with China-linked APTs.”

The researchers believe Daggerfly has been active since at least 2014. The latest campaign started with suspicious connections related to AnyDesk — a legitimate remote desktop software that is frequently abused by hackers to take over victim devices.

The WannaMine crypto-mining malware was also found on the victim device, but researchers were unsure of whether this was the work of Daggerfly or another actor who discovered the same vulnerable servers.

The tools used by the hackers allowed them to retrieve usernames and passwords for other parts of the victim system, scan the network and deploy infostealers on Chrome and Firefox browsers that gave them information like bookmarks and browsing history.

The attackers also used keyloggers, message infostealers, password dumpers and clipboard stealers to access a broad range of information from the victim devices.

Symantec noted that this is only one incident in a series of attacks several companies have seen in recent months targeting telecommunications companies across the world.

In February, SentinelOne said it was tracking an espionage campaign targeting Middle East telecommunication companies while Group-IB documented a years-long campaign in which hackers stole potentially as much as $30 million in 30 different attacks on banks, financial services, and telecommunication companies mainly located in Africa between 2018 and 2022.

Chinese hacking groups have also been at the forefront of several campaigns. Sophos said last month that hackers are using USB drives laden with PlugX to target government organizations in Mongolia, Papua New Guinea, Ghana, Zimbabwe, and Nigeria. Another Chinese cyber espionage group was found targeting the governments of several Middle Eastern nations and previously attacked the stock exchange of an African country, using malware to steal troves of data.

Some of the same groups have also targeted telecommunications companies in Africa, the Middle East and Southeast Asia as well.

Symantec corroborated other reports, noting that it also tracked several other telecom firm campaigns since 2022. The malware and techniques used all led to the assessment that Chinese APT groups were behind the campaigns.