Telecommunications Theft from Chinese Cyberespionage Actor
Category: Threat Actor Activity | Industry: Telecommunications | Level: Tactical | Sources: SentinelLabs and QGroup GmbH
According to a joint report by QGroup GmbH and SentinelLabs, telecommunication providers in the Middle East have been targeted by activity tracked as 'Operation Tainted Love.' The report attributes the activity to a Chinese cyberespionage group, possibly linked to APT41 and to Gallium, the threat actor behind the 'Operation Soft Cell' campaign. The link to Gallium rests on overlapping tactics, techniques, and procedures (TTPs) and on partial overlap in the domain infrastructure used. The attacks appear to be espionage-motivated and aimed at telecommunication companies because of the sensitive data they handle.
"The initial attack phase involves infiltrating Internet-facing Microsoft Exchange servers to deploy webshells used for command execution. Once a foothold is established, the attackers conduct a variety of reconnaissance, credential theft, lateral movement, and data exfiltration activities." One of the notable findings of the investigation was a custom credential theft tool, a Mimikatz variant known as 'mim221'. Techniques observed by the operators include bypassing EDR API hooks and evading file-based detection, selectively clearing Windows event log records, and establishing a credential theft capability inside the LSASS process by abusing native Windows features.
- Recon Leads to Credential Theft/System Tampering
Anvilogic Use Cases:
- Common Active Directory Commands
- Output to File
- 1 or 2 Character Executable
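The three use cases above, and the scenario that chains them, can be illustrated with a small triage routine run over process-creation telemetry. The following Python is an added example written for this page; it is not Anvilogic's detection content and not code from the SentinelLabs/QGroup report. It assumes Sysmon Event ID 1 / Windows 4688-style records reduced to `host`, `ts`, `image`, `command_line` and `parent` fields, a short allowlist of two-character Windows binaries (`sc.exe`, `at.exe`) that are expected under System32, and a one-hour window for chaining AD reconnaissance to a suspicious short-named executable. The sample events are constructed, not real telemetry.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation records (Sysmon EID 1 / 4688 shape, assumed field names).
SAMPLE_EVENTS = [
    {"host": "WS01", "ts": 1000, "image": r"C:\Windows\System32\net.exe",
     "command_line": r'net group "domain admins" /domain > C:\ProgramData\da.txt',
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"host": "WS01", "ts": 1060, "image": r"C:\Windows\System32\nltest.exe",
     "command_line": "nltest /dclist:corp.local",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"host": "WS01", "ts": 1500, "image": r"C:\ProgramData\m.exe",
     "command_line": r"C:\ProgramData\m.exe pr::pass",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"host": "WS02", "ts": 2000, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "command_line": r'"C:\Program Files\Mozilla Firefox\firefox.exe" -url https://example.test',
     "parent": r"C:\Windows\explorer.exe"},
    {"host": "WS02", "ts": 2100, "image": r"C:\Windows\System32\sc.exe",
     "command_line": "sc query wuauserv",
     "parent": r"C:\Windows\System32\cmd.exe"},
]

# Use case 1: common Active Directory enumeration commands.
AD_RECON_PATTERNS = [
    re.compile(r'\bnet1?(?:\.exe)?\s+(?:group|user|localgroup)\b.*\s/domain\b', re.I),
    re.compile(r'\bnet1?(?:\.exe)?\s+group\s+"?domain (?:admins|controllers|computers)"?', re.I),
    re.compile(r'\bnltest(?:\.exe)?\s+/(?:dclist|domain_trusts|trusted_domains)', re.I),
    re.compile(r'\bdsquery(?:\.exe)?\s+(?:user|group|computer|\*)\b', re.I),
]

# Use case 2: command output redirected to a file (drive path, UNC path, env var, or common suffix).
OUTPUT_REDIRECT = re.compile(
    r'\s>{1,2}\s*"?(?:[A-Za-z]:\\|\\\\|%\w+%|\S+\.(?:txt|log|csv|out))', re.I)

# Use case 3: one- or two-character executable names. Assumption: these short names ship
# with Windows and are expected under System32; the same name elsewhere is still flagged.
KNOWN_SHORT_SYSTEM_BINARIES = {"sc", "at"}


def is_ad_recon(command_line):
    """True if the command line matches a known AD enumeration pattern."""
    return any(p.search(command_line) for p in AD_RECON_PATTERNS)


def writes_output_to_file(command_line):
    """True if stdout is redirected to a file via > or >>."""
    return OUTPUT_REDIRECT.search(command_line) is not None


def is_short_executable(image):
    """True for 1-2 character alphanumeric image names, minus allowlisted System32 binaries."""
    path = PureWindowsPath(image)
    stem = path.stem
    if not (1 <= len(stem) <= 2 and stem.isalnum()):
        return False
    in_system32 = str(path.parent).lower().endswith(r"\system32")
    return not (in_system32 and stem.lower() in KNOWN_SHORT_SYSTEM_BINARIES)


def triage(events):
    """Return [(event_index, [rule names...])] for every event that hits at least one use case."""
    findings = []
    for idx, ev in enumerate(events):
        hits = []
        if is_ad_recon(ev["command_line"]):
            hits.append("Common Active Directory Commands")
        if writes_output_to_file(ev["command_line"]):
            hits.append("Output to File")
        if is_short_executable(ev["image"]):
            hits.append("1 or 2 Character Executable")
        if hits:
            findings.append((idx, hits))
    return findings


def recon_then_tampering(events, window_s=3600):
    """Scenario-style chaining: hosts where AD recon is followed within window_s seconds
    by a 1-2 character executable launch. Returns the sorted list of flagged hosts."""
    hits = dict(triage(events))
    last_recon = {}   # host -> timestamp of most recent AD recon hit
    flagged = set()
    for idx, ev in sorted(enumerate(events), key=lambda pair: pair[1]["ts"]):
        rules = hits.get(idx, [])
        if "Common Active Directory Commands" in rules:
            last_recon[ev["host"]] = ev["ts"]
        if "1 or 2 Character Executable" in rules:
            t0 = last_recon.get(ev["host"])
            if t0 is not None and 0 <= ev["ts"] - t0 <= window_s:
                flagged.add(ev["host"])
    return sorted(flagged)


if __name__ == "__main__":
    for idx, rules in triage(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx]["host"], rules)
    print("recon -> tampering on:", recon_then_tampering(SAMPLE_EVENTS))
```

Each single use case is noisy on its own (admins redirect `net` output to files, and `sc.exe` is a legitimate two-character binary), which is why the scenario chains them per host inside a time window rather than alerting on any one hit.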