Chinese hackers spent four years inside Asian telco’s networks
An Asian telecommunications company was allegedly breached by Chinese government hackers who spent four years inside its systems, the incident response firm Sygnia said Monday.
The company said the hackers, which it calls “Weaver Ant,” compromised home routers made by Zyxel to gain entry into the “major” telco’s environment.
Sygnia attributed the campaign to Chinese actors based on the nature of the company targeted, the “well-defined” goals of the campaign, the working hours of the hackers and the use of the China Chopper web shell — a tool many Chinese groups use to gain remote access to compromised servers and exfiltrate data. The researchers did not identify the breached company or where it is based.
In addition to China Chopper, the hackers used an array of other tools and backdoors, including other web shells, allowing them to stay hidden in the company’s network and move laterally to gain access to different systems.
“Nation-state threat actors like Weaver Ant are incredibly dangerous and persistent with the primary goal of infiltrating critical infrastructure and collecting as much information as they can before being discovered,” said Oren Biderman, incident response leader at Sygnia.
“Weaver Ant maintained activity within the compromised network for over four years despite repeated attempts to eliminate them from compromised systems. The threat actor adapted their [tactics] to the evolving network environment, enabling continuous access to compromised systems and the collection of sensitive information.”
The hackers also used tools called “ORB networks” — or operational relay box networks. Experts have long warned of Chinese threat groups using ORB networks, which are akin to botnets and are made up of virtual private servers (VPS), compromised Internet of Things and smart devices, as well as routers that are often end-of-life or unsupported by their manufacturers.
Sygnia said Weaver Ant used an ORB network mostly made up of compromised Zyxel routers operated by Southeast Asian telecom providers to conceal the infrastructure they were using in the attacks.
“By using the ORB network, the threat actor leveraged a compromised device from one telecom to pivot and target a device in another telecom,” they wrote.
The goal of the campaign, Sygnia said, was long-term access to the company that would enable wider espionage efforts and the ability to collect sensitive information.
Initial discovery
Sygnia incident responders initially discovered the campaign when they were in the final stages of a separate forensic investigation.
They received multiple alerts triggered by suspicious activity and discovered that an account that had been disabled as part of the remediation efforts had been re-enabled. Investigators found a variant of the China Chopper web shell that had been deployed on a server that “had been compromised for several years.”
Sygnia realized that its remediation of the separate incident had likely disrupted Weaver Ant’s operations. The responders quickly found a multitude of web shells that enabled the hackers to gain persistent access and move laterally throughout the company’s network. Further investigation uncovered dozens of servers compromised with web shells, including some not previously identified.
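The detail that first tipped off the responders, an account disabled during remediation quietly coming back to life, is a simple thing to alert on. The following is an added example, not Sygnia’s tooling or anything from the article: it scans constructed, tab-separated audit-log lines (an assumed format, not any real vendor’s) and flags any account on an incident-response “disabled” list that is re-enabled after its last recorded disable by an actor outside the response team. Account names, actors and timestamps are all invented for the example.

```python
"""Flag remediation-disabled accounts that were re-enabled (added example).

Assumed log format (constructed for this example, not a real product's):
    <ISO-8601 timestamp> TAB <action> TAB <account> TAB <actor>
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, List

# Accounts the responders disabled during remediation (constructed names).
REMEDIATION_DISABLED = {"svc-backup", "admin-legacy"}

# Actors permitted to re-enable those accounts (constructed).
ALLOWED_ACTORS = {"ir-team"}


@dataclass
class AuditEvent:
    ts: datetime
    action: str
    account: str
    actor: str


def parse_line(line: str) -> AuditEvent:
    """Parse one tab-separated audit line into an AuditEvent."""
    ts, action, account, actor = line.rstrip("\n").split("\t")
    return AuditEvent(datetime.fromisoformat(ts), action, account, actor)


def find_restored_accounts(lines: Iterable[str],
                           disabled: set = REMEDIATION_DISABLED,
                           allowed: set = ALLOWED_ACTORS) -> List[AuditEvent]:
    """Return ACCOUNT_ENABLED events for remediation-disabled accounts that
    occur after the account's most recent disable and are not performed by
    an allowed actor. Events are processed in log order."""
    last_disabled: Dict[str, datetime] = {}
    alerts: List[AuditEvent] = []
    for line in lines:
        if not line.strip():
            continue  # skip blank lines
        ev = parse_line(line)
        if ev.action == "ACCOUNT_DISABLED":
            last_disabled[ev.account] = ev.ts
        elif ev.action == "ACCOUNT_ENABLED" and ev.account in disabled:
            re_enabled_after_disable = (
                ev.account in last_disabled and ev.ts > last_disabled[ev.account]
            )
            if re_enabled_after_disable and ev.actor not in allowed:
                alerts.append(ev)
    return alerts


# Constructed sample log: one silent re-enable by an unexpected actor,
# one legitimate re-enable by the response team, one unrelated account.
SAMPLE_LOG = [
    "2024-01-10T09:00:00\tACCOUNT_DISABLED\tsvc-backup\tir-team",
    "2024-01-10T09:05:00\tACCOUNT_DISABLED\tadmin-legacy\tir-team",
    "2024-01-11T02:13:00\tACCOUNT_ENABLED\tsvc-backup\tSYSTEM",
    "2024-01-11T10:00:00\tACCOUNT_ENABLED\tuser-alice\thelpdesk",
    "2024-01-12T03:40:00\tACCOUNT_ENABLED\tadmin-legacy\tir-team",
]


def run_sample() -> List[str]:
    """Return 'account@timestamp by actor' strings for each alert in SAMPLE_LOG."""
    return [f"{ev.account}@{ev.ts.isoformat()} by {ev.actor}"
            for ev in find_restored_accounts(SAMPLE_LOG)]


if __name__ == "__main__":
    for alert in run_sample():
        print("ALERT: remediation-disabled account re-enabled:", alert)
```

The check deliberately keys off the account’s most recent disable rather than a fixed list of “bad” actors, so an account re-enabled by the response team itself is not flagged, while a re-enable by any other principal, including a built-in system account, is.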
“Multiple layers of web shells concealed malicious payloads, allowing the threat actor to move laterally within the network and remain evasive until the final payload,” Biderman said. “These payloads and their ability to leverage never-seen-before web shells to evade detection speaks to Weaver Ant’s sophistication and stealthiness.”
Last year, Sygnia uncovered another operation, targeting a popular line of Cisco devices, carried out by hackers within the threat group Velvet Ant.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.