Chinese Hackers Compromised Telecom Companies, Researchers Say

A Cybereason report says the groups in some cases exploited vulnerabilities in Microsoft Exchange servers to gain access to telcos’ internal systems.


August 3, 2021

3 Min Read
Cell tower with 5G network equipment in Beijing (2020)
Cell tower with 5G network equipment in Beijing (2020)NICOLAS ASFOURI/AFP via Getty Images

Ryan Gallagher (Bloomberg) -- Chinese state-backed hacking groups compromised at least five global telecommunications companies and stole phone records and location data, according to cybersecurity researchers.

The hacking groups waged a campaign across Southeast Asia from 2017 to 2021, in some cases exploiting security vulnerabilities in Microsoft Corp.’s Exchange servers to gain access to telecommunication companies’ internal systems, according to a new report published Tuesday by U.S.-based security firm Cybereason Inc.

Lior Div, the chief executive officer of Cybereason, said the hackers had obtained “the holy grail of espionage,” by gaining total control of the telecommunication networks they penetrated. Cybereason named the groups Soft Cell, Naikon and Group-3390.

“These state-sponsored espionage operations not only negatively impact the telcos’ customers and business partners, they also have the potential to threaten the national security of countries in the region and those who have a vested interest in the region’s stability,” Div said.

China’s Foreign Ministry didn’t respond to requests for comment. A government spokesperson previously denied allegations that Chinese hackers infiltrated Microsoft Exchange servers.

“The U.S. ganged up with its allies and launched an unwarranted accusation against China on cybersecurity,” Zhao Lijian said at a press briefing on July 20 in Beijing. “It is purely a smear and suppression out of political motives. China will never accept this.”

A Microsoft spokesperson said the company hadn’t yet seen the report and therefore declined to comment.

Div declined to name specific companies or countries where the hackers carried out their intrusions, though the report said they targeted telecommunications providers in some Southeast Asian nations that had long-standing disputes with China. It also pointed to older research from the cybersecurity firm Check Point Software Technologies Ltd. that found one of the hacking groups had previously targeted government foreign affairs, science and technology ministries, as well as government-owned companies in countries including Indonesia, Vietnam and the Philippines.

The hackers’ intent was likely to obtain information about corporations, political figures, government officials, law enforcement agencies, political activists and dissident factions of interest to the Chinese government, according to Cybereason’s researchers. However, the hackers also had the ability to shut down or disrupt the networks if they chose to shift their priority from espionage to interference, the security firm concluded.

Cybereason found the hackers to be “highly sophisticated and adaptive,” continuously evading security measures. One of the groups was observed hiding its malicious software in computers’ recycle bin folders. Another group disguised itself within anti-virus software and also used a South Korean multimedia player called “PotPlayer” to infect computers with a keylogger that recorded what they were typing.

In some cases, the hackers accessed the telecommunication networks by breaking in through security weaknesses in Microsoft’s Exchange Servers. Hackers affiliated with the group known as Soft Cell were exploiting some of the vulnerabilities at least three months before Microsoft publicly disclosed them in March 2021, according to Cybereason.

The security firm’s findings follow allegations by the U.S. and U.K. governments, which on July 19 blamed actors affiliated with the Chinese government for a series of global hacks on Microsoft Exchange servers. “The Chinese Government must end this systematic cyber sabotage and can expect to be held account if it does not,” U.K. Foreign Secretary Dominic Raab said in a statement.

Subscribe to the Data Center Knowledge Newsletter
Get analysis and expert insight on the latest in data center business and technology delivered to your inbox daily.

You May Also Like