7 May 2024

Suspected Chinese hackers behind ArcaneDoor campaign targeting network devices


A recent cyber espionage campaign dubbed ArcaneDoor, targeting perimeter network devices, may have ties to threat actors linked to China, new findings from attack surface management firm Censys suggest.

The campaign, first disclosed by the Cisco Talos threat intelligence team in April of this year, targeted two zero-day vulnerabilities (CVE-2024-20353 and CVE-2024-20359) affecting Cisco networking equipment to plant backdoors on the affected systems. The team attributed this malicious activity to a state-sponsored actor, tracked as UAT4356 (aka Storm-1849). The campaign deployed two distinct backdoors, named “Line Runner” and “Line Dancer,” used for various purposes such as configuration manipulation, reconnaissance, network traffic interception, exfiltration, and potentially lateral movement within compromised networks.

Telemetry data collected during the investigation revealed the threat actor's interest in Microsoft Exchange servers and network devices from various vendors, indicating a broad scope of targets. Notably, Censys' analysis of the attacker-controlled IP addresses suggests potential involvement of a threat actor based in China.

This theory is based on the fact that four out of five online hosts identified as part of the attackers’ infrastructure are located in China and presented SSL certificates associated with the Tencent and ChinaNet autonomous systems (AS).

Furthermore, among the attacker-controlled IP addresses is a host located in Paris (212.193.2[.]48) whose certificate subject and issuer both read “Gozargah,” likely a reference to the GitHub account that hosts the anti-censorship tool Marzban. The software is based on the open-source project Xray, whose website is predominantly in Chinese.

Cross-referencing these findings with Censys data indicates that some attacker-controlled hosts were running services associated with anti-censorship software, potentially aimed at circumventing China's Great Firewall. Moreover, a significant number of these hosts are situated within Chinese networks, further suggesting a Chinese connection to the campaign.

Earlier this month, researchers at Infoblox shared details on a sophisticated China-linked threat actor that has been orchestrating operations within China's internet infrastructure since at least 2019. Dubbed “Muddling Meerkat,” the threat actor has been running a previously undisclosed multi-year operation that utilizes Domain Name System (DNS) queries, open DNS resolvers, and China's Great Firewall (GFW) to exert control over internet traffic.
