A Chinese cyber-espionage group has shifted operations from targeting Vatican officials and Catholic organizations to telecom providers across Asia, Europe, and the US.

The group, known in the cybersecurity community as Mustang Panda or RedDelta, has been targeting employees of telecom companies since last fall, using them as a gateway into their organizations, with the end goal of stealing 5G-related information.

Chinese group targeted telco employees with job offers

According to a technical report published today by security firm McAfee and titled “Operation Diànxùn” [PDF], the Mustang Panda group primarily relied on luring telco employees to a malicious site masquerading as Huawei’s careers page.

The phishing site would ask users to install a Flash software update hosted on a malicious site, and this file would later download and install a .NET backdoor, which would communicate with the attacker’s remote infrastructure via a Cobalt Strike beacon.
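The attack chain above starts with a lure that is visible in ordinary web-proxy telemetry: a "Flash update" binary fetched from a domain that imitates a vendor's careers site. The following script is an added example, not code from The Record or from McAfee's report; it triages constructed proxy log lines for exactly that pattern. All domains, usernames and file names in it are constructed, and the Huawei careers host is only used as the brand the lure imitated.

```python
"""
Added example (not from the article or McAfee's report): flag proxy-log
entries that match the lure described above, a Flash installer download
and/or a brand-lookalike host. Log lines and domains are constructed.
"""
import re
from dataclasses import dataclass
from typing import List
from urllib.parse import urlparse

# Constructed sample proxy log: "timestamp user method url status bytes"
SAMPLE_LOG = """\
2021-03-16T09:12:01Z jdoe GET https://careers.huawei.com/en/jobs/5g-engineer 200 18233
2021-03-16T09:13:40Z jdoe GET https://huawei-careers.example/flashplayer_install.exe 200 987654
2021-03-16T09:15:02Z asmith GET https://get.adobe.com/flashplayer/ 200 5120
2021-03-16T09:16:11Z asmith GET https://hr-portal.example/jobs/apply 200 4100
2021-03-16T09:17:45Z bchen GET http://update-flash.example/FlashUpdate.msi 200 654321
"""

# Brand the lure imitated (from the article) and its legitimate domain.
BRAND_TOKENS = {"huawei"}
LEGIT_BRAND_DOMAINS = {"huawei.com"}

# Flash Player reached end of life in Dec 2020; any installer download is
# worth a look, whatever host serves it.
FLASH_INSTALLER = re.compile(r"flash.*\.(exe|msi|zip)$", re.IGNORECASE)


@dataclass
class Finding:
    user: str
    url: str
    reasons: List[str]


def host_is_legit(host: str, legit_domains) -> bool:
    """True if host equals or is a subdomain of a known-legitimate domain."""
    return any(host == d or host.endswith("." + d) for d in legit_domains)


def classify(url: str) -> List[str]:
    """Return the list of reasons a URL is suspicious (empty if none)."""
    reasons = []
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if FLASH_INSTALLER.search(parsed.path):
        reasons.append("flash installer download")
    # Brand name inside a host that is not the brand's real domain:
    # the "careers page" lookalike from the attack chain.
    if any(tok in host for tok in BRAND_TOKENS) and not host_is_legit(host, LEGIT_BRAND_DOMAINS):
        reasons.append("brand lookalike domain")
    return reasons


def triage(log_text: str) -> List[Finding]:
    """Parse space-separated proxy lines and return the flagged entries."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed or truncated line
        user, url = parts[1], parts[3]
        reasons = classify(url)
        if reasons:
            findings.append(Finding(user=user, url=url, reasons=reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.user}: {f.url} -> {', '.join(f.reasons)}")
```

The two checks are deliberately independent: the lookalike-domain test catches the lure page even before a payload is fetched, while the installer test catches the payload stage even when the host carries no brand name. In a real deployment the brand list and the legitimate-domain set would come from the organization's own vendor inventory rather than being hard-coded.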

[Image: RedDelta attack chain. Source: McAfee]

McAfee said the point of these attacks was to gain a foothold on telcos’ internal networks.

“We believe that this espionage campaign is aimed at stealing sensitive or secret information in relation to 5G technology,” the company said today.

Attacks were observed against telcos in Southeast Asia, Europe, and the US; however, McAfee said it observed the group also showing “strong interest in German, Vietnamese, and Indian telecommunication companies.”

[Image: RedDelta attack map. Source: McAfee]

Attacks believed to be related to Huawei’s 5G bans

“We believe with a moderate level of confidence that the motivation behind this specific campaign has to do with the ban of Chinese technology in the global 5G roll-out,” McAfee said today.

Some of the countries targeted by the Mustang Panda group had already made public statements that they intended to ban or limit Huawei’s involvement in their national 5G network build-ups, such as the US, Spain, and Italy.

However, attacks were also seen in countries where Huawei had already signed 5G roll-out contracts.

With Huawei being China’s primary supplier of 5G equipment, it is believed that the Chinese group might have been looking for insight into how competitors were faring in markets where Chinese technology had been shunned, or for insight into how local telcos were responding to Huawei’s current involvement.


Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.