Chinese hacker group attempts to steal 5G secret from telcos, McAfee reports

Chinese hacker group attempts to steal 5G secret from telcos, McAfee reports

Cybersecurity researchers at U.S.-based security firm McAfee uncovered Tuesday a cyber espionage campaign targeting telcos around the world attempting to steal 5G technology secrets.

According to the McAfee, the hacker campaign – dubbed Operation Dianxun and originating from China – was done using malicious downloads to steal sensitive 5G data from compromised victims, primarily telecoms providers in Southeast Asia, Europe, and the United States.

“The tactics, techniques and procedures (TTPs) used in the attack are like those observed in earlier campaigns publicly attributed to the threat actors RedDelta and Mustang Panda. Most probably this threat is targeting people working in the telecommunications industry and has been used for espionage purposes to access sensitive data and to spy on companies related to 5G technology,” Andrea Rossini, Presales Regional Solution Architect at McAfee noted in a company blog post detailing the campaign.

Mustang Panda and RedDelta are known to have prior history of hacking and spying on organizations around the world; however, it seems as though the group has set its sights on the telecoms industry.

McAfee highlighted that at least 23 telecoms provider around the world are suspected to have been targeted in Operation Dianxun, which has been active since August 2020.

Rossini explained that while the initial vector for the infection is not entirely clear, the McAfee ATR team believes with a medium level of confidence that victims were lured to a domain under control of the threat actor, from which they were infected with malware which the threat actor leveraged to perform additional discovery and data collection.

“It is our belief that the attackers used a phishing website masquerading as the Huawei company career page,” he said, emphasizing that Huawei itself is not involved in the cyber espionage campaign.

Researchers at McAfee revealed that through the phishing website, users were encountered with a malicious Flash application which is used to drop the Cobalt Strike backdoor onto the visiting machine, ultimately providing attackers with visibility on the machine and the ability to collect and steal sensitive information.

It is worth mentioning that analysists at McAfee believe that the campaign is still currently active and attempting to target persons with knowledge of 5G technology within the telecoms industry.

“The first step ahead of identification is to ensure our architecture can stop or identify the threat in the initial access vector. In this case, the initial delivery vector is a phishing attack, so the web channel is therefore fundamental in the initial phase of the infection. McAfee Web Gateway and MVISION UCE provide multi-layer web vector protection with URL Reputation check, SSL decryption, and malware emulation capabilities for analyzing dangerous active Web content,” Rossini wrote.

With that in mind, hacking campaigns such as these must act as a reminder for companies to train their staff to differentiate between fake and genuine websites, especially when it comes to safeguarding sensitive information, experts note.