Chinese State-Sponsored Hackers Infiltrate Asian Telecom Network for Over Four Years

A significant cybersecurity breach has been uncovered involving a major Asian telecommunications company, which was infiltrated by Chinese state-sponsored hackers for more than four years. This prolonged intrusion, identified by cybersecurity firm Sygnia, highlights the sophisticated and persistent nature of cyber espionage activities targeting critical infrastructure.

Discovery and Attribution

Sygnia’s incident response team has been monitoring this cyber activity under the codename “Weaver Ant.” The attackers demonstrated remarkable stealth and persistence, maintaining undetected access to the telecom provider’s systems. While the specific identity of the telecom company remains undisclosed, the breach underscores the vulnerabilities present in the telecommunications sector.

According to Sygnia, the attackers employed web shells and tunneling techniques to establish and maintain their presence within the network. These methods facilitated extensive cyber espionage, enabling the collection of sensitive information over an extended period.

Attack Methodology

The initial breach was executed through the exploitation of a public-facing application, leading to the deployment of two distinct web shells: an encrypted variant of the well-known China Chopper and a previously undocumented tool named INMemory.

– China Chopper: A lightweight, versatile web shell that has been widely used by various Chinese hacking groups.

– INMemory: This novel web shell is designed to decode a Base64-encoded string and execute it entirely in memory, leaving no trace on disk and thereby evading traditional forensic detection methods.

The INMemory web shell operates by executing C# code contained within a portable executable (PE) file named ‘eval.dll.’ This process ultimately runs the payload delivered via an HTTP request, allowing the attackers to maintain control over the compromised system.

These web shells served as conduits for deploying subsequent payloads, notably a recursive HTTP tunnel tool. This tool facilitated lateral movement across the network over the Server Message Block (SMB) protocol, a tactic previously observed in operations by other threat actors such as Elephant Beetle.

Post-Exploitation Activities

Once inside the network, the attackers engaged in a series of sophisticated post-exploitation activities to maintain their foothold and evade detection:

1. Bypassing Security Mechanisms: They patched Event Tracing for Windows (ETW) and the Antimalware Scan Interface (AMSI) to circumvent security monitoring and detection tools.

2. Executing PowerShell Commands: Utilizing the System.Management.Automation.dll, the attackers executed PowerShell commands without launching the PowerShell.exe process, thereby reducing the likelihood of detection.

3. Active Directory Reconnaissance: They conducted reconnaissance within the compromised Active Directory environment to identify high-privilege accounts and critical servers, facilitating further exploitation and data exfiltration.
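One way to hunt for the second technique above (the PowerShell engine loaded by a process that is not a PowerShell host) is to watch image-load telemetry for System.Management.Automation.dll. The following is an added defensive example, not Sygnia's tooling or anything from the Weaver Ant report; the record format, paths and sample events are constructed for illustration.

```python
# Added defensive example (not Sygnia's or the attackers' code): flag any process
# other than the known PowerShell hosts that loads the PowerShell engine DLL.
# Input is a constructed record format: "timestamp|process image path|loaded DLL".
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Hosts expected to load the engine; any other loader warrants a look.
EXPECTED_HOSTS = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
# The managed assembly and its native (ngen) image, lower-cased.
ENGINE_IMAGES = {"system.management.automation.dll",
                 "system.management.automation.ni.dll"}

@dataclass(frozen=True)
class ImageLoad:
    timestamp: str
    process: str   # full path of the loading process
    image: str     # full path of the loaded DLL

def basename(path: str) -> str:
    """Last component of a Windows or POSIX path, lower-cased."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def parse_event(line: str) -> ImageLoad:
    """Parse one 'timestamp|process|image' record (constructed format)."""
    ts, proc, img = (f.strip() for f in line.split("|", 2))
    return ImageLoad(ts, proc, img)

def unexpected_engine_hosts(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (timestamp, host image name) for every non-PowerShell process
    that loads the engine, e.g. an IIS worker process serving a web shell."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        host = basename(ev.process)
        if basename(ev.image) in ENGINE_IMAGES and host not in EXPECTED_HOSTS:
            findings.append((ev.timestamp, host))
    return findings

# Constructed sample: a benign load by powershell.exe, an IIS worker (w3wp.exe)
# pulling in the engine's native image, and an unrelated DLL load.
SAMPLE_EVENTS = r"""
2024-05-01T02:14:07Z|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\System.Management.Automation.dll
2024-05-01T02:15:31Z|C:\Windows\System32\inetsrv\w3wp.exe|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Management.Automation\System.Management.Automation.ni.dll
2024-05-01T02:15:32Z|C:\Windows\System32\inetsrv\w3wp.exe|C:\Windows\System32\ntdll.dll
""".strip().splitlines()
```

Real deployments would feed this from Sysmon Event ID 7 or an EDR's module-load stream and tune EXPECTED_HOSTS to the legitimate engine hosts present in the environment (some management agents embed the engine too).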

Indicators of Chinese State Sponsorship

Several factors point to the involvement of a Chinese state-sponsored group in this cyber espionage campaign:

– Tool Usage: The deployment of the China Chopper web shell, a tool historically associated with Chinese hacking groups.

– Infrastructure Tactics: The use of an Operational Relay Box (ORB) network comprising Zyxel routers to proxy traffic and obscure the attackers’ infrastructure.

– Operational Patterns: The working hours of the hackers align with typical Chinese business hours, suggesting a state-sponsored operation.

– Malware Deployment: The use of an Outlook-based backdoor previously attributed to Emissary Panda, another known Chinese cyber espionage group.

Sygnia noted that throughout the extended period of intrusion, Weaver Ant adapted their tactics, techniques, and procedures (TTPs) to the evolving network environment. They employed innovative methods to regain access and sustain their presence, reflecting a high level of sophistication and adaptability.

Broader Context of Cyber Espionage

This incident is part of a broader pattern of cyber espionage activities attributed to Chinese state-sponsored groups targeting telecommunications and critical infrastructure sectors globally.

– Previous Incidents: In June 2024, Symantec reported that Chinese cyber espionage groups had infiltrated several telecom operators in an unnamed Asian country since at least 2021. The attackers deployed custom backdoors and attempted to steal credentials, indicating a concerted effort to gather intelligence on the telecom sector.

– U.S. Telecommunications Breaches: In December 2024, the White House confirmed that at least eight U.S. telecommunications carriers had been compromised in a Chinese espionage campaign known as Salt Typhoon. This campaign impacted telecom carriers in dozens of countries, highlighting the global scale of such operations.

– Sanctions and Legal Actions: In January 2025, the U.S. Treasury Department imposed sanctions on a Chinese hacker and a cybersecurity firm for their roles in significant cyberattacks, including breaches of American telecommunications firms. These actions underscore the increasing geopolitical tensions surrounding state-sponsored cyber activities.

Implications and Recommendations

The prolonged and undetected nature of the Weaver Ant intrusion underscores the critical need for robust cybersecurity measures within the telecommunications sector. Organizations are advised to:

– Enhance Monitoring: Implement advanced monitoring solutions capable of detecting anomalous activities indicative of sophisticated threats.

– Regular Audits: Conduct regular security audits and penetration testing to identify and remediate vulnerabilities.

– Incident Response Planning: Develop and regularly update incident response plans to ensure swift action in the event of a breach.

– Employee Training: Provide ongoing cybersecurity training to employees to recognize and respond to potential threats.

As cyber threats continue to evolve, particularly those emanating from state-sponsored actors, it is imperative for organizations to adopt a proactive and comprehensive approach to cybersecurity to safeguard sensitive information and maintain operational integrity.