Five Southeast Asian telcos hacked by three different Chinese espionage groups
Image: Kseniia Ilinykh, The Record
Catalin Cimpanu August 3, 2021

Five Southeast Asian telcos hacked by three different Chinese espionage groups

Five Southeast Asian telcos hacked by three different Chinese espionage groups

At least five major telecommunication providers from Southeast Asia have been hacked over the past years by different Chinese cyber-espionage groups.

“These are global telcos with tens of millions of customers,” Assaf Dahan, Senior Director and Head of Threat Research at security firm Cybereason, told The Record this week.

“Based on our analysis, we assess that the goal of the attackers behind these intrusions was to gain and maintain continuous access to 

telecommunication providers and to facilitate cyber espionage by collecting sensitive information, compromising high-profile business assets such as the billing servers that contain Call Detail Record (CDR) data, as well as key network components such as the Domain Controllers, 

Web Servers and Microsoft Exchange servers,” Dahan added.

In a report published earlier today, Cybereason linked the intrusions to three clusters of activity corresponding to three different Chinese threat actors:

Cybereason-3-clusters
Image: Cybereason

The three groups used different techniques to breach the same telcos, and some remained active in the victims’ networks for years, with some of the earliest intrusions dating back to 2017.

However, Cybereason also said that despite all three groups having a degree of connection to Chinese espionage efforts, the three did not appear to collaborate.

“We haven’t observed a direct interaction between the clusters,” Dahan told The Record.

“It’s the million-dollar question. It can be very tempting to say that they are all connected and treat it as one big attack. However, based on our telemetry, we did not observe a ‘smoking gun’ type of direct connection among the three clusters,” the Cybereason exec told us.

“It doesn’t mean that they’re not connected. The truth is that we simply don’t know. One of the reasons why we chose to share our findings with the community is the hope that, over time, perhaps new information will shed light on this interesting overlap.”

In addition, sharing this research and attached indicators of compromise will also help unearth additional victims.

While Dahan said Cybereason linked the three groups to intrusions at five Southeast Asian telcos, the same three groups were also known to carry out operations in other geographical areas.0

“There are likely other telcos compromised,” Dasan said.

Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.