Cybereason recently announced the discovery of several previously unknown cyber attack campaigns infiltrating major telecommunications providers across Southeast Asia – a long-running espionage campaign dubbed ‘DeadRinger’.
The attack is said to be based in Southeast Asia, according to Cybereason's report. However, the three APT groups mentioned in the report have previously attacked telcos in the United States, Europe, and Africa, so it's likely that telcos around the world are being targeted and most are unaware of it.
The DeadRinger attack resembles recent attacks such as Kaseya in some ways, but with a different goal. Leslie Wong, Regional Vice President, APAC, Cybereason, stated in an interview that the two attacks are distinct but equally damaging.
“In the case of Kaseya, it was a ransomware attack with hundreds and possibly thousands of companies impacted and quite possibly tens of thousands of infected computers around the world,” said Leslie.
DeadRinger, on the other hand, is an attack on at least five telcos with the sole goal of conducting cyber espionage for as long as possible without being detected.
Could the Kaseya Incident Have Been Avoided?
Leslie explained that the global Kaseya attack serves as a reminder that companies must change their approach to cyber conflict, and paying the ransom is never a good idea – here's why.
According to Leslie, companies need to shift focus from dealing with ransomware after the fact to disrupting the earliest stages of attacks through behavioural detections – this is the operation-centric approach to cybersecurity. The goal isn't to block and prevent every attack; it is to quickly detect suspicious or malicious activity, and to ensure you have the visibility, intelligence, and context to understand and remove the threat.
“We can’t just focus on the ransomware attack – by then, it is too late. Look at the earlier stages of the attack when criminals are inserting malicious code into the supply chain for instance. The ransomware is the symptom of the larger disease we need to treat,” he explained.
Hundreds of businesses around the world have been impacted by the Kaseya attack. Even so, paying the ransom is never a good idea in the first place, reiterated Leslie, unless the cost of doing so affects human life, public safety, or is existential.
He stated that paying does not solve the problem if the company was victimised by the widely used “double extortion” techniques. In double extortion, hackers steal a company's data and then threaten to sell it on the Dark Web if the ransom is not paid.
He added that “Cybereason’s recent global ransomware study showed that 80 per cent of companies that paid a ransom were victims of a second ransomware attack.”
If the Kaseya attack can cause that much damage, how bad can DeadRinger be? Apparently, it's pretty bad.
The Impact of DeadRinger
The threat actors gained access to and control of these telecommunications networks by exploiting several vulnerabilities in Microsoft Exchange servers, including the set of vulnerabilities published by Microsoft in March 2021.
“Following the exploitation, the attackers installed the China Chopper WebShell on the compromised server and used it to perform a variety of tasks at each phase. In the first phase, the attackers mainly focused on reconnaissance activity, mapping out the network and identifying critical assets. In addition, they deployed other tools that allowed them to harvest credentials, move laterally in the network, and exfiltrate data,” explained Leslie.
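The first-phase activity described above leaves a trace that defenders can look for: a web shell on an Exchange server is driven by repeated POST requests to a script file that normal users never post to. The following is an added example, not code from Cybereason or from the report, that scans IIS W3C log lines for that pattern; the log lines and the baseline of legitimate POST targets are constructed for illustration.

```python
"""Heuristic scan of IIS W3C log lines for web-shell style POSTs on an Exchange host."""

# Subset of the IIS W3C fields, in the order the constructed sample uses them.
FIELDS = ["date", "time", "cs-method", "cs-uri-stem", "cs-username",
          "c-ip", "cs(User-Agent)", "sc-status"]

# Constructed sample log (not real traffic); addresses are documentation ranges.
SAMPLE_LOG = """\
2021-03-10 08:01:12 POST /owa/auth/logon.aspx - 203.0.113.5 Mozilla/5.0 200
2021-03-10 08:02:40 POST /aspnet_client/system_web/help.aspx - 198.51.100.7 - 200
2021-03-10 08:03:02 GET /owa/ - 203.0.113.9 Mozilla/5.0 302
2021-03-10 08:05:55 POST /owa/auth/x.aspx - 198.51.100.7 python-requests/2.25 200
"""

# Assumed baseline: the .aspx endpoints that legitimately receive POSTs on this host.
# A real deployment builds this from the server's own known-good configuration.
KNOWN_POST_TARGETS = {"/owa/auth/logon.aspx", "/ecp/default.aspx"}


def parse_line(line):
    """Split one space-delimited W3C line into a dict; return None if malformed."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def is_suspicious(rec):
    """Successful POST to an .aspx file that is not a known legitimate POST target."""
    stem = rec["cs-uri-stem"].lower()
    return (rec["cs-method"] == "POST"
            and stem.endswith(".aspx")
            and stem not in KNOWN_POST_TARGETS
            and rec["sc-status"] == "200")


def find_webshell_candidates(log_text):
    """Return (client IP, URI) pairs worth a closer look, in log order."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_suspicious(rec):
            hits.append((rec["c-ip"], rec["cs-uri-stem"]))
    return hits


if __name__ == "__main__":
    for ip, uri in find_webshell_candidates(SAMPLE_LOG):
        print(f"review: {ip} posted to {uri}")
```

A hit is a lead, not a verdict: confirm it by checking the file's creation time and contents on disk, and by correlating the client address with other telemetry.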
The impact of these espionage attempts on the APAC public and private sectors is concerning. Any telco or company operating critical infrastructure networks should be alarmed if threat actors are operating undetected inside networks dating back to 2017.
Without being detected, the threat actors gained access to billing systems containing highly sensitive information such as Call Detail Record (CDR) data on telcos' customers, including their location and the people with whom they communicate. Business leaders, government officials, law enforcement agencies, political activists, and dissidents are all targets.
Leslie explained that “The goal of hackers is to gain access to sensitive information. Given how deeply the hackers were inside the telcos’ networks, they could have disabled cellular service, seriously impacting the country’s security and economy.”
Knowing how badly we could be affected by this attack, it isn’t the end of the world. According to Leslie, the telecommunications industry can better protect its customers and businesses from cyber-espionage attacks by leveraging technology and public-private partnerships to better understand the threat actors behind these attacks and the tactics, techniques, and procedures they employ, allowing for earlier detection and rooting out of malicious behaviour.