Network Security, Malware

Chinese hackers spend years roaming telecommunications service


A Chinese advanced persistent threat group (APT) was able to roam the networks of an Asian telecommunications company for years without detection.

Researchers with security provider Sygnia said that a client in the telecommunications industry was infiltrated by a suspected Chinese state-backed threat actor. Upon further investigation, it was found that the attack went far deeper than first observed.

“Utilizing YARA rules and other enrichment mechanisms, the team identified dozens of similar web shells,” the Sygnia team said.

“The investigation revealed an entire campaign that relies exclusively on web shells for persistent access, enabling both remote code execution and lateral movement through an intricate tunneling process.”

The attack was traced to a piece of malware known as China Chopper, a web shell that was found to have been active on the targeted server for several years. The malware used a combination of a low profile and tight encryption to hide its activities from network defenders, which allowed the intrusion to persist for an extended period of time and enabled the threat actors to monitor activity and perform espionage without being detected by administrators.

“Its small size and stealthy nature make China Chopper ideal for maintaining persistent access, facilitating further exploitation, and evading detection by traditional security measures,” Sygnia said.

“Additionally, its versatility and ease of use have made it a popular choice for executing a wide range of malicious activities on targeted systems.”
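Sygnia describes finding dozens of related web shells by sweeping the environment with YARA rules. The following added example is not Sygnia's tooling or its rules; it is an illustration of the same hunting idea in plain Python: walk a web root, apply a handful of constructed signature patterns of the kind a YARA rule would encode (an `eval` or command-execution call fed directly from a request parameter, the shape China Chopper-style one-liners take), and flag the file size, since these shells are typically tiny. The sample files, rule names and size threshold are all constructed for the demonstration.

```python
from __future__ import annotations

import re
import tempfile
from pathlib import Path

# Constructed heuristic signatures (assumption: illustrative only, not
# Sygnia's YARA rules). Each one looks for code that evaluates or executes
# data taken straight from an HTTP request parameter.
SIGNATURES = {
    "php_eval_of_request": re.compile(
        rb"\beval\s*\(\s*\$_(?:POST|GET|REQUEST|COOKIE)\s*\[", re.I),
    "php_exec_of_request": re.compile(
        rb"\b(?:system|passthru|shell_exec|exec)\s*\(\s*\$_(?:POST|GET|REQUEST)\s*\[", re.I),
    "aspx_eval_of_request": re.compile(
        rb"\beval\s*\(\s*Request\.(?:Item|Form|QueryString)\s*\[", re.I),
}

# Only server-side script types are worth scanning with these patterns.
WEB_EXTENSIONS = {".php", ".phtml", ".asp", ".aspx", ".ashx", ".jsp", ".jspx"}

# Constructed threshold: one-liner web shells are far smaller than this.
SMALL_FILE_BYTES = 4096


def scan_bytes(data: bytes) -> list[str]:
    """Return the names of every signature that matches the file content."""
    return [name for name, rx in SIGNATURES.items() if rx.search(data)]


def scan_tree(root: Path) -> dict[str, dict]:
    """Walk a web root and report every script file that trips a signature.

    The result maps the file's path (relative to root, POSIX separators) to
    the matched rule names, the file size, and whether it is suspiciously small.
    """
    hits: dict[str, dict] = {}
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in WEB_EXTENSIONS:
            continue
        data = path.read_bytes()
        matched = scan_bytes(data)
        if matched:
            hits[path.relative_to(root).as_posix()] = {
                "rules": matched,
                "size": len(data),
                "tiny": len(data) <= SMALL_FILE_BYTES,
            }
    return hits


# Constructed sample web root: one benign page, two files shaped like the
# widely documented China Chopper one-liners, and a non-script file that
# should be ignored regardless of content.
SAMPLES = {
    "index.php": b"<?php echo 'hello'; ?>",
    "img/cache.php": b"<?php @eval($_POST['cmd']); ?>",
    "upload/aspx_test.aspx": b'<%@ Page Language="Jscript"%><%eval(Request.Item["p"],"unsafe");%>',
    "notes.txt": b"eval($_POST['x'])",
}


def demo() -> dict[str, dict]:
    """Write the constructed samples to a temp dir and scan them."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, content in SAMPLES.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(content)
        return scan_tree(root)


if __name__ == "__main__":
    for rel_path, info in demo().items():
        print(rel_path, info)
```

In a real hunt the signature set would be far broader and expressed as YARA so it can be run by the same tooling across many hosts; the point here is that the match output (file, rule, size) is the starting list of artifacts to triage, which is exactly how a handful of shells becomes "dozens" once the pattern is known.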

The researchers said that the attack was more than just a single infection. Rather, it was found that the group known as "Weaver Ant" managed to infiltrate a number of systems and was able to access the network remotely in a number of ways that could evade basic security monitoring tools and best practices.

“During the extensive web shell hunt, it became apparent that Weaver Ant was still operating within the compromised network,” Sygnia noted.

“To successfully investigate an advanced persistent threat, it was necessary to implement stealth monitoring to avoid compromising the ongoing investigation and to prevent the threat actor from altering or halting their operations temporarily to remain undetected.”

Such infiltrations are not uncommon. Security firms have noted that Chinese APTs in particular will maintain persistent access to a target network in order to monitor activity and siphon off intellectual property, sometimes staying on a network for years at a time.

The report comes as increased scrutiny has been placed on the extent and duration of hacking efforts from the Chinese government.

The Federal Communications Commission (FCC) recently announced that it was launching a new enforcement effort aimed at identifying and prosecuting companies that have ties with the Chinese government and are suspected of helping Beijing track and spy on telecommunications traffic in the United States.

As the investigation remains in its early stages, there have yet to be any criminal complaints or legal actions.

Shaun Nichols

A career IT news journalist, Shaun has spent 17 years covering the industry with a specialty in the cybersecurity field.
