According to published reports, Chinese state-linked threat actors broke into multiple telecommunications providers around the world in a campaign that ran for more than two years. The groups behind it exploited a range of vulnerabilities in critical telecom infrastructure. The attacks were phased: the actors first compromised network devices, then used those devices as a foothold to reach network traffic belonging to the telcos' customers.
The attackers specifically targeted networking devices, including routers and switches, from at least three different OEMs. Over two years the compromised devices were used repeatedly to sniff network traffic, and the same victim networks were reportedly used to train other operators in reconnaissance and in the stealth tactics needed to keep a breach hidden for as long as possible. This is probably the first time we have come across a breach used by Chinese APT groups to train future operators.
It is worrying that the attackers relied on publicly known, published vulnerabilities, including flaws disclosed in the first half of the last decade. Some of these vulnerabilities let an attacker bypass authentication and take complete control of a device, giving unhindered access to the networks behind it, including the ability to execute arbitrary code on the device.
So why were the Chinese hackers successful?
Beyond skill, the attackers were helped by infrastructure management practices that have persisted for decades.
Addressing vulnerabilities should be an ongoing effort pursued with diligence and discipline. In practice it is not: flaws are allowed to persist (sometimes knowingly) for years after they are disclosed and become common knowledge. Leaving known flaws open also makes zero-day attacks harder to handle, because a security team that is not closing published vulnerabilities is rarely equipped to hunt for unpublished ones. With limited people, budgets and skills, the flaws remain and keep threatening infrastructure until regulators step in and force businesses to act.
In this case the attackers used open-source scanning tools such as RouterSploit and RouterScan to survey target networks. From the scans they gathered the model, software version, patch status and known vulnerabilities of the networking gear. With that knowledge they exploited the unpatched vulnerabilities to reach the connected networks, moved on to authentication servers, stole user and access credentials, reconfigured equipment, and exfiltrated data by copying it to machines under their control.
The attackers exploited this window of opportunity fully: they returned to the victims' networks repeatedly while watching for any attempt to detect them, and they covered their tracks by deleting digital traces of their activity, including logs. Beyond espionage, the victims' networks were used by the team involved to train operators in breach and post-breach tradecraft.
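Deleting logs on the device only works if the device is the sole copy. The script below is an added example, not code from the original post, showing the minimum a defender needs to catch the behaviour described above: syslog forwarded off-box to a collector the intruder does not control, plus three checks over it. It assumes devices stamp each message with a per-device sequence number (Cisco IOS "service sequence-numbers" style, an assumption about log format, not about the vendors involved in this campaign) and that legitimate administrators only log in from a management subnet (10.0.5.0/24, constructed). A jump in the sequence numbers means messages were lost or suppressed, a logged "clear logging" command is a direct track-covering signal, and a login from outside the management net is the kind of anomaly the "detect through anomalies" recommendation refers to. All log lines are constructed.

```python
"""Spot track-covering on network devices from off-box syslog.

Added example, not code from the original post. It assumes (a) devices
forward syslog to a collector the attacker does not control and (b) each
device stamps messages with a per-device sequence number (Cisco IOS
"service sequence-numbers" style), so wiping the local buffer cannot
hide what was already sent, and a jump in the sequence number shows
messages were lost or suppressed. All log lines below are constructed.
"""
import ipaddress
import re

MGMT_NET = ipaddress.ip_network("10.0.5.0/24")  # assumption: the only net admins log in from

# Constructed sample: "<device> <seq>: <Mon d HH:MM:SS>: <message>"
SAMPLE_LOG = """\
core-rtr-01 000117: Jun  1 10:01:02: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 10.0.5.12]
core-rtr-01 000118: Jun  1 10:03:40: %SYS-5-CONFIG_I: Configured from console by netops on vty0 (10.0.5.12)
core-rtr-01 000119: Jun  1 11:47:09: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 203.0.113.77]
core-rtr-01 000120: Jun  1 11:48:15: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:clear logging
core-rtr-01 000125: Jun  1 11:52:30: %SYS-5-CONFIG_I: Configured from console by admin on vty1 (203.0.113.77)
edge-rtr-07 000042: Jun  1 11:00:00: %SYS-5-CONFIG_I: Configured from console by netops on vty0 (10.0.5.12)
edge-rtr-07 000043: Jun  1 11:05:00: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 10.0.5.12]
"""

LINE_RE = re.compile(
    r"^(?P<device>\S+)\s+(?P<seq>\d+):\s+"
    r"(?P<ts>[A-Z][a-z]{2}\s+\d+\s+\d\d:\d\d:\d\d):\s+(?P<msg>.*)$"
)
LOGIN_RE = re.compile(r"LOGIN_SUCCESS: Login Success \[user: (?P<user>\S+)\] \[Source: (?P<src>[\d.]+)\]")
CMD_RE = re.compile(r"User:(?P<user>\S+)\s+logged command:(?P<cmd>.*)$")
# Commands an operator almost never runs but an intruder hiding a session does.
TRACK_COVERING = ("clear logging", "clear log", "no logging")


def parse(text):
    """Turn raw syslog text into event dicts; lines that do not match are ignored."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            events.append({"device": m["device"], "seq": int(m["seq"]),
                           "ts": m["ts"], "msg": m["msg"]})
    return events


def sequence_gaps(events):
    """(device, last_seen_seq, next_seq) for each break in a device's sequence numbers."""
    gaps, last = [], {}
    for e in events:
        dev, seq = e["device"], e["seq"]
        if dev in last and seq != last[dev] + 1:
            gaps.append((dev, last[dev], seq))
        last[dev] = seq
    return gaps


def track_covering_commands(events):
    """(device, seq, user, command) for logged config commands that erase or disable logs."""
    hits = []
    for e in events:
        m = CMD_RE.search(e["msg"])
        if m and m["cmd"].strip().lower().startswith(TRACK_COVERING):
            hits.append((e["device"], e["seq"], m["user"], m["cmd"].strip()))
    return hits


def logins_outside_mgmt(events):
    """(device, user, source) for successful logins not sourced from the management net."""
    hits = []
    for e in events:
        m = LOGIN_RE.search(e["msg"])
        if m and ipaddress.ip_address(m["src"]) not in MGMT_NET:
            hits.append((e["device"], m["user"], m["src"]))
    return hits


def analyze(text):
    """Run all three checks over a block of forwarded syslog text."""
    events = parse(text)
    return {
        "sequence_gaps": sequence_gaps(events),
        "track_covering": track_covering_commands(events),
        "foreign_logins": logins_outside_mgmt(events),
    }


if __name__ == "__main__":
    for kind, hits in analyze(SAMPLE_LOG).items():
        for hit in hits:
            print(f"[{kind}] {hit}")
```

On the constructed sample the three checks converge on the same session: an "admin" login from 203.0.113.77, a "clear logging" command, and a jump from sequence 120 to 125 on core-rtr-01 right after it. The checks are only as good as the forwarding: if the intruder can reconfigure the device, they can also remove the syslog destination, so the collector should additionally alarm when a device that normally logs goes silent.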
While telecom firms sit high on the target list of state-sponsored groups, other businesses can also be targeted by APT groups for a variety of reasons. Many APT actors are now trying to monetize their activities and have diversified the businesses they target across the globe.
So how can businesses secure themselves?
- Track published vulnerabilities to closure in a disciplined manner, with clear SLAs per severity
- Build the capability and tooling to detect zero-day exploitation through anomalies and other means
- In addition to multi-factor authentication, rotate user credentials and review privileges regularly; this step alone can save a lot of trouble later
- Improve threat hunting by getting access to the right cyber threat intelligence feeds
- Build a culture of cybersecurity across functions
- Conduct audits on a schedule
- Run tabletop exercises frequently to test the readiness and quality of first response
- Incentivize the detection and reporting of threats
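The first recommendation above, and the earlier observation that the attackers' scanners simply collected model, version and patch status and matched them to published flaws, come down to one join a defender can run on their own inventory. The following is an added example, not code from the original post or any vendor tool, that performs that join and ages every open finding against a per-severity SLA. Every platform name, version string, advisory and SLA figure in it is constructed for illustration.

```python
"""Track published network-device vulnerabilities to closure against SLAs.

Added example, not code from the original post. Every platform name,
version, advisory and SLA below is constructed for illustration; the point
is the join between the deployed inventory (the same model/version data an
attacker's scanner collects) and the published advisories, and the age of
each open finding measured against a per-severity SLA.
"""
import re
from datetime import date

# Assumed SLA: days allowed from advisory publication to remediation.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90}

AS_OF = date(2022, 6, 8)  # fixed reference date so the output is reproducible

ADVISORIES = [  # constructed advisories for fictional platforms
    {"id": "adv-1", "platform": "exampleos", "fixed_in": "15.4.3", "severity": "critical",
     "published": date(2016, 3, 10), "title": "authentication bypass on management interface"},
    {"id": "adv-2", "platform": "exampleos", "fixed_in": "15.6.1", "severity": "high",
     "published": date(2019, 8, 22), "title": "remote code execution via crafted request"},
    {"id": "adv-3", "platform": "otheros", "fixed_in": "4.2.0", "severity": "medium",
     "published": date(2021, 11, 2), "title": "information disclosure in web UI"},
]

INVENTORY = [  # constructed device inventory, as a scanner or CMDB would report it
    {"device": "core-rtr-01", "platform": "exampleos", "version": "15.2.7"},
    {"device": "core-rtr-02", "platform": "exampleos", "version": "15.6.1"},
    {"device": "edge-rtr-07", "platform": "exampleos", "version": "15.4.3"},
    {"device": "agg-sw-03", "platform": "otheros", "version": "4.1.9"},
]


def version_tuple(v):
    """'15.4.3' -> (15, 4, 3); adequate for dotted numeric version trains only."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def is_vulnerable(dev, adv):
    """A device is exposed when it runs the advisory's platform below the fixed version."""
    return (dev["platform"] == adv["platform"]
            and version_tuple(dev["version"]) < version_tuple(adv["fixed_in"]))


def open_findings(inventory, advisories, today=AS_OF):
    """One finding per (device, advisory) still unpatched, most overdue first."""
    findings = []
    for dev in inventory:
        for adv in advisories:
            if not is_vulnerable(dev, adv):
                continue
            days_open = (today - adv["published"]).days
            sla = SLA_DAYS[adv["severity"]]
            findings.append({
                "device": dev["device"], "advisory": adv["id"], "severity": adv["severity"],
                "running": dev["version"], "fixed_in": adv["fixed_in"],
                "days_open": days_open, "sla_days": sla, "days_overdue": days_open - sla,
            })
    findings.sort(key=lambda f: (-f["days_overdue"], f["device"]))
    return findings


def overdue_by_severity(findings):
    """Count of findings past their SLA, keyed by severity, for the weekly report."""
    counts = {}
    for f in findings:
        if f["days_overdue"] > 0:
            counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    fs = open_findings(INVENTORY, ADVISORIES)
    for f in fs:
        print(f"{f['device']:12} {f['advisory']:6} {f['severity']:8} running {f['running']:7} "
              f"fixed in {f['fixed_in']:7} open {f['days_open']:5}d, SLA {f['sla_days']:3}d, "
              f"overdue {f['days_overdue']}d")
    print("overdue by severity:", overdue_by_severity(fs))
```

Run against the constructed data it reports a critical finding open for over six years on core-rtr-01, which is exactly the situation the campaign exploited. Two caveats for real use: vendor version strings such as "15.2(4)M7" do not compare cleanly as numeric tuples, so production tooling should match against the vendor's own affected-version lists (most PSIRTs publish them in machine-readable form) rather than a hand-rolled comparison; and the clock should start at advisory publication, as here, not at the date the finding was first noticed internally, or the SLA measures the scanner rather than the exposure.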
Sectrio secures some of the most complex IoT and OT deployments across geographies today. Our security analysts can evaluate your infrastructure to assess its risk exposure and likely sources of attack, and identify the surfaces that could be targeted through specific and diversified breach tactics.