‘DeadRinger’ Reveals Pervasive Cyber Espionage Campaign

August 6, 2021

2 minute read

In the summer of 2019, our researchers discovered a massive malicious campaign against telecommunications providers that we dubbed Operation Soft Cell. This week, our researchers revealed details of more pervasive attacks against telecommunications providers. The DeadRinger report reveals a cyber espionage campaign out of China targeting providers in Southeast Asia.

What We Know

One of the things that stands out about DeadRinger is that the attacks resemble recent attacks like SolarWinds and Kaseya in some respects. Namely, rather than trying to hack or compromise specific targets directly, the DeadRinger attackers infiltrated third-party service providers they knew their intended targets use; in this instance, however, the objective was to conduct covert surveillance rather than to distribute malware.

The Cybereason Nocturnus team identified three separate threat actors operating in parallel. The three groups—Soft Cell, Naikon, and Group-3390—have one thing in common: they are all APT groups known to work on behalf of Chinese interests. The groups employed similar techniques, used some of the same tools and tactics, and even went after the same targets, leading our researchers to assess that they appear to be coordinating their efforts. We believe that a central body aligned with Chinese interests assigned the groups parallel objectives to capture and monitor communications of high-value targets. 

Our researchers found the attacks to be very adaptive, persistent, and evasive. The threat actors worked to carefully hide their activity and strived to maintain persistence on compromised systems. They circumvented traditional security solutions and were even observed responding in real-time to evade mitigation efforts. The level of skill and sophistication suggests that the targets are of great value to whoever is directing these cyber espionage campaigns.

DeadRinger and Cyber Espionage

The Biden administration recently coordinated with global allies to condemn China for its role in the HAFNIUM attacks targeting vulnerabilities in Microsoft Exchange Server earlier this year. While the activity observed in the DeadRinger report goes back long before that—as early as 2017—this research illustrates the challenges we face with cybersecurity, and how far we have to go when it comes to establishing rules of engagement for cyber espionage. 

The activity observed by our researchers as part of DeadRinger was focused on cyber espionage and on capturing call, location and messaging data for specific high-value targets. However, the attackers had enough access to and control over the compromised networks that they could simply have shut down the telecommunications providers as well, had they chosen to do so.

In the wake of President Biden cautioning that a cyber attack could escalate hostilities to the point of physical warfare, it is imperative that the nations of the world define clear rules of engagement for state-ignored or state-sponsored cyber operations. It is also important for public and private sector organizations to work together to improve cybersecurity in general so we can detect and respond to threats more effectively.

About the Author

Lior Div

Lior Div, CEO and co-founder of Cybereason, began his career in and later served as a Commander in the famed Unit 8200. His team conducted nation-state offensive operations with a 100% success rate for penetration of targets. He is a renowned expert in hacking operations, forensics, reverse engineering, malware analysis, cryptography and evasion. Lior has a unique perspective on the most advanced attack techniques and on how to leverage that knowledge to gain an advantage over the adversary. This perspective was key to developing an operation-centric approach to defending against the most advanced attacks and represents the direction security operations must take to ensure a future-ready defense posture.

All Posts by Lior Div

This is a Security Bloggers Network syndicated blog from the Cybereason Blog, authored by Lior Div. Read the original post at: https://www.cybereason.com/blog/deadringer-reveals-pervasive-cyber-espionage-campaign