Telecommunication providers in the Middle East are under attack by Chinese cyber espionage actors associated with a long-running campaign called Operation Soft Cell.
The new cyber attacks began in Q1 2023 and involve infiltrating Internet-facing Microsoft Exchange servers to deploy web shells that provide attackers with command execution capabilities.
Once a foothold is established, the attackers conduct reconnaissance, credential theft, lateral movement, and data exfiltration activities.
The current campaign includes the deployment of a custom variant of Mimikatz called mim221, which packs new anti-detection features.
The Soft Cell threat actor, also tracked by Microsoft as Gallium, has been known to target unpatched internet-facing services and use tools like Mimikatz to obtain credentials that enable lateral movement across the targeted networks.
It is believed to have targeted telecommunications providers since at least 2012. The latest campaign also features a difficult-to-detect backdoor called PingPull, which is being used in espionage attacks against companies operating in Southeast Asia, Europe, Africa, and the Middle East.
The attacks ultimately proved to be unsuccessful, as the breaches were detected and blocked before any implants could be deployed on the target networks.
Prior research into Gallium indicates tactical similarities with multiple Chinese nation-state groups, including APT10, APT27, and APT41.
The research highlights the possibility of a “digital quartermaster” responsible for maintaining and distributing the toolset and the continuous maintenance and further development of the Chinese espionage malware arsenal. The researchers believe that Chinese cyber espionage threat actors will continue to explore and upgrade their tools with new techniques to evade detection, including integrating and modifying publicly available code.
Chinese cyber espionage actors are known to have a strategic interest in the Middle East, and various other hacking groups, including BackdoorDiplomacy and WIP26, have set their sights on telecom service providers in the region.
The latest attacks highlight the need for telecommunication providers to take proactive steps to secure their networks, including implementing strong access controls, regularly patching software and hardware, monitoring network traffic for anomalous activity, and training employees to recognize and report suspicious emails and messages.
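One concrete way to act on the "monitor network traffic for anomalous activity" recommendation, given the Exchange web-shell foothold described above: triage IIS W3C logs from an Exchange front end for POST requests to .aspx resources that are not part of a known-clean baseline. This is an added example, not code from the original article or from any of the researchers it cites; the baseline set, the watched path prefixes and the log lines are all constructed for illustration.

```python
from urllib.parse import unquote

# Constructed baseline of legitimate .aspx pages served by an Exchange front end.
# On a real deployment, build this list from a known-clean install, not by hand.
BASELINE_ASPX = {
    "/owa/auth/logon.aspx",
    "/owa/auth/errorfe.aspx",
    "/owa/auth/logoff.aspx",
    "/ecp/default.aspx",
}
WATCHED_PREFIXES = ("/owa/", "/ecp/", "/aspnet_client/")

def parse_w3c(lines):
    """Yield one dict per W3C record, naming columns from the #Fields header."""
    fields = None
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields is not None:
            values = line.split()
            if len(values) == len(fields):  # skip malformed or truncated records
                yield dict(zip(fields, values))

def find_suspicious(lines):
    """Return (time, client_ip, uri_stem, query) for POSTs to .aspx files
    under the watched Exchange paths that are not in the baseline."""
    hits = []
    for rec in parse_w3c(lines):
        stem = unquote(rec.get("cs-uri-stem", "")).lower()
        if not (stem.endswith(".aspx") and stem.startswith(WATCHED_PREFIXES)):
            continue
        if rec.get("cs-method") == "POST" and stem not in BASELINE_ASPX:
            hits.append((rec["time"], rec["c-ip"], stem, rec.get("cs-uri-query", "-")))
    return hits

# Constructed sample log: two normal requests and two that match the heuristic.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2023-02-14 08:01:02 10.0.0.5 GET /owa/auth/logon.aspx url=%2fowa 443 198.51.100.7 Mozilla/5.0 200
2023-02-14 08:01:05 10.0.0.5 POST /owa/auth/logon.aspx - 443 198.51.100.7 Mozilla/5.0 302
2023-02-14 08:03:11 10.0.0.5 POST /owa/auth/current/themes/resources/shell.aspx cmd=whoami 443 203.0.113.9 python-requests/2.28 200
2023-02-14 08:04:02 10.0.0.5 POST /aspnet_client/system_web/update.aspx - 443 203.0.113.9 python-requests/2.28 200
"""

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG.splitlines()):
        print("suspicious:", *hit)
```

A hit is a lead for file-system review of the referenced .aspx (creation time, owner, content), not proof of compromise; legitimate customisations or patches that add pages will also surface until the baseline is refreshed.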