Three newly discovered clusters of hacking activity are mimicking the same techniques and exploits used by a suspected Chinese threat group in the Microsoft Exchange attacks to target telecommunications companies across Asia, according to new research unveiled this week by Cybereason.
A report identifies three distinct clusters of activity that resemble the technique’s employed by Hafnium. Like Hafnium, all three are believed or suspected to have ties to the Chinese government.
Cluster A began in 2018 and persisted through the first quarter of 2021. This activity was attributed “with a high level of confidence” by Cybereason to be part of Soft Cell, a threat group with a history of targeting telecommunications companies in Southeast Asia. This targeting, as well as Soft Cell’s “Low and Slow,” continued during a four-stage campaign, with the group’s operatives switching up infrastructure, tools and TTPs in between each stage. The timing of the activity shows that the group was exploiting the Microsoft Exchange vulnerabilities well before they were publicly known.
Cluster B began in Q4 last year through the first quarter of this year and is attributed with moderate confidence to both the Naikon APT group and a military unit within the Chinese People Liberation’s Army. The operatives used different command and control infrastructure, but the timing, targets, endpoints and objectives all appear similar to that of Cluster A. Naikon deploys its Nebulae backdoor within trusted applications using DLL side loading attacks to conduct reconnaissance, manipulate files, execute arbitrary commands, elevate privileges, encrypt communications and facilitate connection with command and control servers.
The third cluster started in 2017 through this year and involved a unique backdoor deployed on Microsoft and IIS servers that shares “significant code similarities” with another backdoor used in the past by APT27, or Emissary Panda. Between 2017 and 2020, there was only evidence of its use a handful of times, but Cybereason researchers watched it quickly deployed against 20 machines in March 2021, something they suspect is related to a need to reestablish access and persistence in response to defender mitigations put in place in the months following initial disclosure.
Here, Cybereason will only say they have “low-to-moderate confidence” that this cluster is associated with Emissary Panda, and leave open the possibility that it could also be another subset of the group behind Cluster A.
Regardless, the objective in all cases appears clear: digital espionage. Many of the telecommunications companies targeted operate in Asian countries with long term geopolitical disputes with the Chinese government. The attacks appear surgically targeted towards sweeping up the kind of communications that are routinely coveted by state intelligence agencies.
“Based on our analysis, we assess that the goal of the attackers behind these intrusions was to gain and maintain continuous access to telecommunication providers and to facilitate cyber espionage by collecting sensitive information, compromising high-profile business assets such as the billing servers that contain Call Detail Record (CDR) data, as well as key network components such as the Domain Controllers, Web Servers and Microsoft Exchange servers,” the authors wrote.
The focus by the attackers on obtaining Call Detail Records data may also point to espionage as a motivation. Call Detail Record metadata was a central component for Section 702, the NSA’s clandestine surveillance program that swept up identifying call information for Americans and foreigners alike and can provide a startling amount of information about the average caller.
Each cluster has its own unique characteristics, but all three also share numerous and sometimes unique commonalities.
Clusters A (Soft Cell) and C (APT27) both exploited Microsoft Exchange servers for initial access, but in different ways: A used China Chopper WebShell, while C used the aforementioned custom backdoor. It’s not clear how the group behind Cluster B gained a foothold into victim networks.
The overlap doesn’t stop there. In some cases, all three clusters were seen attacking the same targets, at the same time and on the same endpoint devices. The Nebulae backdoor called out to a domain previously associated with Winnti Group, another entity with a background in Chinese state-sponsored cyber espionage. Similar connections abound: a PcShare payload used by Soft Cell used the exact same DLL search order hijacking — and even used the same bogus NVIDIA product — as described in a 2019 report from BlackBerry that they suspected was tied to Tropic Trooper, another hacking group tied to Beijing.
“At this point, there is not enough information to determine with certainty the nature of this overlap — namely, whether these clusters represent the work of three different threat actors working independently, or whether these clusters represent the work of three different teams operating on behalf of a single threat actor,” the authors write.