CL-STA-0969 Shuts Down Telecom Networks with 10-Month Covert Malware Attack


State-Sponsored Cyber Threats Target Southeast Asian Telecoms

Telecommunications companies across Southeast Asia are facing an escalating threat from a state-sponsored group identified as CL-STA-0969. This malicious actor has been actively working to gain remote control over compromised networks, raising serious concerns about cybersecurity in the region.

Recent Cyber Incidents

According to reports from Palo Alto Networks’ Unit 42, a series of cyber incidents involving the telecommunications sector were documented between February and November 2024. These attacks specifically targeted critical telecommunications infrastructure, hinting at a potential risk to national security and communication networks.

Tools and Techniques

The threat actor has utilized a variety of sophisticated tools to establish remote access. One notable tool is Cordscan, which collects location information from mobile devices. However, an important aspect highlighted by Unit 42 is that they found no signs of data exfiltration from the systems they analyzed. Additionally, there were no indications that the attackers attempted to track or communicate with target devices within the mobile networks.

Renzon Cruz, Nicolas Bareil, and Navin Thomas, researchers at Unit 42, emphasized the operational security (OPSEC) maintained by CL-STA-0969. The group’s use of diverse defense evasion techniques significantly reduced the chances of detection.

Connection to Other Threat Actors

Interestingly, CL-STA-0969 has been linked to another group known as Liminal Panda, a cyber-espionage entity believed to have ties to China. This association has been documented in attacks against telecommunications firms in South Asia and Africa since at least 2020, with a focus on intelligence gathering.

The relationship doesn’t end there; certain operational methods previously attributed to LightBasin (also known as UNC1945), a group that has targeted telecom sectors since 2016, exhibit substantial overlap with CL-STA-0969’s activities. LightBasin is known for its focus on financial crimes linked to Automatic Teller Machine (ATM) networks.

Attack Strategies

CL-STA-0969 is reported to have used brute-force attacks against SSH authentication for initial access. Once inside, the group deployed a range of malicious implants, including:

  • AuthDoor: A malicious Pluggable Authentication Module (PAM) designed for credential theft, mimicking functionality seen in tools like SLAPSTICK, which is linked to UNC1945.
  • GTPDOOR: Specifically created for deployment in telecom networks.
  • EchoBackdoor: Monitors ICMP echo requests, responding to control commands while keeping communication unencrypted.
  • ChronosRAT: A versatile tool capable of various operations, from keylogging to remote shell capabilities.
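One defensive check that follows directly from the AuthDoor description is auditing the PAM stack for modules that do not belong: a credential-stealing PAM module has to be wired into a file under /etc/pam.d to run. The auditor below is an added example written for this page, not Unit 42's tooling or code from the report; the module directory list, the allowlist and the sample /etc/pam.d/sshd contents are constructed assumptions.

```python
import re
from pathlib import Path

# Directories where distribution-packaged PAM modules normally live (extend per distro).
STANDARD_MODULE_DIRS = {"/lib/security", "/lib64/security", "/usr/lib/security",
                        "/usr/lib64/security", "/usr/lib/x86_64-linux-gnu/security"}

# "type control module-path [args]"; control may be a bracketed [value=action ...] list.
PAM_LINE = re.compile(r"^-?(?P<type>auth|account|password|session)\s+"
                      r"(?P<control>\[[^\]]*\]|\S+)\s+(?P<module>\S+)(?:\s+(?P<args>.*))?$")

def parse_pam_config(text):
    """Return (type, control, module, args) tuples; comments and @include lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("@include"):
            continue
        m = PAM_LINE.match(line)
        if m:
            entries.append((m["type"], m["control"], m["module"], m["args"] or ""))
    return entries

def audit_pam_config(text, known_modules):
    """Flag modules loaded from outside the standard directories or missing from the allowlist.
    known_modules: module file names you trust, e.g. listed via dpkg -S / rpm -qf on a clean host."""
    findings = []
    for mtype, control, module, args in parse_pam_config(text):
        if control in ("include", "substack") and not module.endswith(".so"):
            continue  # names another file in /etc/pam.d, not a shared object
        path = Path(module)
        if path.is_absolute() and str(path.parent) not in STANDARD_MODULE_DIRS:
            findings.append(f"{mtype}: module outside standard dirs: {module}")
        elif path.name not in known_modules:
            findings.append(f"{mtype}: unrecognised module {path.name} (control={control}, args={args!r})")
    return findings

# Constructed sample of an /etc/pam.d/sshd stack with two planted entries; not a real capture.
SAMPLE_SSHD_PAM = """\
auth       required     pam_sepermit.so
auth       substack     password-auth
auth       optional     /usr/lib/libauthlog.so   # absolute path outside the module dirs
auth       optional     pam_sshlog.so            # unknown name dropped into a module dir
account    required     pam_nologin.so
session    required     pam_selinux.so close
session    [success=ok ignore=ignore default=bad] pam_unix.so
"""
KNOWN_MODULES = {"pam_sepermit.so", "pam_nologin.so", "pam_selinux.so", "pam_unix.so"}
```

Run `audit_pam_config(Path("/etc/pam.d/sshd").read_text(), KNOWN_MODULES)` for each file in /etc/pam.d on a live host; both planted entries in the sample are reported, the packaged modules are not.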

Unit 42’s researchers noted that CL-STA-0969 systematically hides its tracks by clearing logs and deleting unnecessary executables to enhance its OPSEC.

Broader Malicious Toolkit

The group leverages a comprehensive toolkit including Microsocks proxy, Fast Reverse Proxy (FRP), and several programs that exploit vulnerabilities in Linux and UNIX systems. These tactics enable the actors to elevate privileges stealthily.

Their operations utilize several strategies to evade detection, such as DNS tunneling, routing through compromised mobile operators, and disabling Security-Enhanced Linux (SELinux). Moreover, they use misleading process names, aligning them with legitimate applications in the targeted environment to avoid raising alarms.
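A hunt that follows from the evasion techniques just described (misleading process names, executables deleted after launch, SELinux switched off) is to compare each process's visible name with the executable it really runs and to read the SELinux enforcement flag. The script below is an added example written for this page, not tooling from Unit 42 or the report; the temporary-directory list, the heuristics and the sample process records are constructed assumptions.

```python
import os
from pathlib import Path

TEMP_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")

def snapshot_processes(proc_root="/proc"):
    """Collect pid, comm, resolved exe and argv[0] for every readable process under proc_root."""
    records = []
    for entry in Path(proc_root).iterdir():
        if not entry.name.isdigit():
            continue
        try:
            comm = (entry / "comm").read_text().strip()
            exe = os.readlink(entry / "exe")  # resolved target; " (deleted)" suffix if unlinked
            argv0 = (entry / "cmdline").read_bytes().split(b"\0")[0].decode(errors="replace")
        except OSError:
            continue  # kernel thread or a process owned by another user
        records.append({"pid": int(entry.name), "comm": comm, "exe": exe, "argv0": argv0})
    return records

def find_masquerading(records):
    """Return (pid, reason) pairs that deserve a second look; heuristics, not proof of compromise."""
    findings = []
    for r in records:
        deleted = r["exe"].endswith(" (deleted)")
        exe_path = r["exe"][:-len(" (deleted)")] if deleted else r["exe"]
        exe_name, argv0_name = os.path.basename(exe_path), os.path.basename(r["argv0"])
        if deleted:
            findings.append((r["pid"], f"executable removed from disk after start: {exe_path}"))
        if exe_path.startswith(TEMP_DIRS):
            findings.append((r["pid"], f"executable runs from a temporary directory: {exe_path}"))
        # argv[0] is what ps/top display; a renamed process keeps its real /proc/<pid>/exe link.
        # Some daemons rewrite argv legitimately (sshd, postfix), so treat this as a lead, not an alert.
        if argv0_name and not (exe_name.startswith(argv0_name) or argv0_name.startswith(exe_name)):
            findings.append((r["pid"], f"argv[0] {argv0_name!r} does not match exe {exe_name!r}"))
    return findings

def selinux_enforcing(enforce_file="/sys/fs/selinux/enforce"):
    """True/False from the selinuxfs flag, or None when SELinux is not mounted at all."""
    try:
        return Path(enforce_file).read_text().strip() == "1"
    except OSError:
        return None

# Constructed process records so the check runs offline; not taken from a real incident.
SAMPLE_RECORDS = [
    {"pid": 412, "comm": "sshd", "exe": "/usr/sbin/sshd", "argv0": "/usr/sbin/sshd"},
    {"pid": 9901, "comm": "sshd", "exe": "/dev/shm/.x/svc", "argv0": "sshd"},
    {"pid": 9902, "comm": "crond", "exe": "/var/tmp/crond (deleted)", "argv0": "/usr/sbin/crond"},
]
```

On a live host run `find_masquerading(snapshot_processes())` as root so every process's exe link is readable, and pair it with `selinux_enforcing()` so a host that has silently dropped to permissive or has no selinuxfs mounted stands out.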

Expertise in Telecommunications

Palo Alto Networks has underscored the sophisticated understanding that CL-STA-0969 demonstrates regarding telecommunications protocols. This expertise allows them to maintain stealthy, persistent access to compromised networks, facilitating intricate operations via less scrutinized channels.

China Accuses U.S. Intelligence of Cyberattacks

In light of these developments, the National Computer Network Emergency Response Technical Team/Coordination Center of China (CNCERT) has accused U.S. intelligence agencies of using a Microsoft Exchange zero-day exploit to compromise over 50 devices linked to a major Chinese military enterprise. The CNCERT report alleges that high-tech military universities and research institutions were also targets of these cyber operations, further muddying the waters of international cyber relations.

This continuing cycle of accusations serves to highlight a broader pattern of espionage activities and cybersecurity threats that governments are grappling with on a global scale. These interactions illustrate the complex landscape of modern cybersecurity, where public and private sectors from various countries are engaged in ongoing digital warfare.
