Security researchers have discovered a new cyber-espionage campaign targeting global telecoms operators for intellectual property (IP) and information relating to 5G.
Named Operation Diànxùn by McAfee, the campaign is likely to be the work of Chinese threat actors RedDelta and Mustang Panda.
“While the initial vector for the infection is not entirely clear, the McAfee ATR team believes with a medium level of confidence that victims were lured to a domain under control of the threat actor, from which they were infected with malware which the threat actor leveraged to perform additional discovery and data collection,” explained McAfee regional solutions architect, Andrea Rossini.
“It is our belief that the attackers used a phishing website masquerading as the Huawei company career page.”
After visiting the fake Huawei phishing page, a victim would unwittingly download malware masquerading as Adobe Flash, which acts as a dropper for a .NET payload. This in turn acts as a tool “to manage and download backdoors to the machine and configure persistence,” Rossini explained.
The final stage of the attack involves creating a backdoor for full remote control of the victim’s system, using Cobalt Strike Beacon and a command-and-control (C&C) server.
The threat actors are thought to have been targeting mobile operators since last summer, in APAC, North America and Europe.
“To defeat targeted threat campaigns like Operation Dianxun, defenders must build an adaptive and integrated security architecture which will make it harder for threat actors to succeed and increase resilience in the business,” concluded Rossini.
In July last year, RedDelta attackers were detected inside the Vatican’s IT network in the run-up to a meeting between the Catholic Church and Beijing focusing on the religion’s status in China.