Chinese state-backed hackers target telcos in search of 5G secrets

Researchers at the McAfee Advanced Threat Research (ATR) Strategic Intelligence team detailed a new cyber-espionage operation targeting telecommunication companies based in Southeast Asia, Europe, and the US.

The researchers believe that the goal of the campaign, dubbed “Operation Diànxùn”, is to obtain information pertaining to 5G technology, and the operation is likely motivated by the ban on the use of Chinese technology in 5G rollouts in several countries. According to the security vendor, Operation Diànxùn is likely the work of Mustang Panda, a China-linked APT (advanced persistent threat) group known for its attacks against nongovernmental organizations in Southeast Asia.

Operation Diànxùn involves malware masquerading as the Flash application, delivered via a phishing site disguised as Huawei's career site. The researchers found that the sample posing as Flash used a domain name designed to resemble the official Chinese webpage for the Flash download site.

While previous Mustang Panda attacks mostly relied on the PlugX backdoor, Operation Diànxùn did not use that particular malware; the group does, however, continue to use a Cobalt Strike beacon to communicate with the attackers' remote infrastructure.

“Regarding the targeted sector (telecoms), we believe that this campaign was used to access sensitive data and to spy on companies related to 5G technology. Additionally, the use of a fake Huawei website gives more clues about the telecom targets. The announcement of the ban on Huawei in several countries could have motivated the operation,” the researchers said.

“The operating methods were previously assigned to the Chinese groups Red Delta and Mustang Panda. While we believe that the two actors could be the same, based on similar techniques, tactics, and procedures, we currently have no further evidence. Interestingly, the RedDelta group has previously targeted Catholic organizations, while this campaign is primarily focused on telecommunications.”
