Chinese Hackers Allegedly Breach Asian Telecom Firm, Maintain Stealthy Access for Four Years

A major telecommunications company in Asia was reportedly infiltrated by Chinese state-sponsored hackers who remained inside its systems for over four years, according to a new report by cybersecurity firm Sygnia.


The attackers, tracked under the name Weaver Ant, used stealthy and persistent tactics to carry out cyber espionage. While the name of the telecom provider remains undisclosed, Sygnia described the intrusion as highly sophisticated and deeply embedded.

Covert Intrusion via Web Shells and Tunneling

The hackers exploited a misconfiguration in a public-facing application to gain initial access to the target environment. They then deployed two different web shells—an encrypted version of China Chopper (a well-known Chinese hacking tool) and a newly discovered malicious tool named INMemory.

The INMemory web shell, as its name suggests, is designed to execute code directly in memory rather than writing to disk, making it difficult to detect through forensic analysis. The shell decodes a Base64-encoded string and runs C# code through a portable executable (PE) file called "eval.dll".

These web shells acted as launchpads for further attacks, including deploying an HTTP tunnel tool that enabled lateral movement over SMB, a tactic also used by Elephant Beetle, another cyber-espionage group.

Advanced Evasion and Reconnaissance Tactics

The attackers leveraged several advanced techniques to evade detection and maintain persistence, including:

  • Disabling security features like Event Tracing for Windows (ETW) and Antimalware Scan Interface (AMSI).

  • Executing PowerShell commands covertly using System.Management.Automation.dll without launching PowerShell.exe.

  • Conducting reconnaissance on the compromised Active Directory environment to identify high-value targets and privileged accounts.
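Two of the behaviours described above leave traces a defender can hunt for in endpoint telemetry: a non-PowerShell process loading System.Management.Automation.dll (PowerShell execution without PowerShell.exe), and a web server worker process opening outbound SMB connections (the HTTP-to-SMB tunnel used for lateral movement). The script below is an added illustration, not code from Sygnia's report; it runs two such checks over constructed Sysmon-style events (Event ID 7 ImageLoad and Event ID 3 NetworkConnect), and the process names, paths and addresses in the sample are assumed.

```python
# Added example: hunt rules for two Weaver Ant behaviours over Sysmon-style
# events. Field names follow Sysmon (Image, ImageLoaded, DestinationPort,
# Initiated); the event values themselves are constructed for the demo.
ALLOWED_PS_HOSTS = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
WEB_WORKERS = {"w3wp.exe"}  # IIS worker process; extend for other web servers

# Constructed sample: a benign PowerShell load, the IIS worker loading the
# automation DLL, an outbound SMB connection from the worker, and benign HTTPS.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ImageLoaded": r"C:\Windows\assembly\System.Management.Automation.dll"},
    {"EventID": 7, "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "ImageLoaded": r"C:\Windows\assembly\System.Management.Automation.dll"},
    {"EventID": 3, "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Initiated": "true", "DestinationIp": "10.0.0.5", "DestinationPort": "445"},
    {"EventID": 3, "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Initiated": "true", "DestinationIp": "10.0.0.9", "DestinationPort": "443"},
]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def check_automation_dll_host(event):
    """Event ID 7: System.Management.Automation.dll loaded by a non-PowerShell host."""
    if event.get("EventID") != 7:
        return None
    if basename(event.get("ImageLoaded", "")) != "system.management.automation.dll":
        return None
    host = basename(event.get("Image", ""))
    if host in ALLOWED_PS_HOSTS:
        return None
    return f"powershell-without-host: {host} loaded System.Management.Automation.dll"


def check_web_worker_smb(event):
    """Event ID 3: web server worker initiating an outbound SMB (445) connection."""
    if event.get("EventID") != 3 or basename(event.get("Image", "")) not in WEB_WORKERS:
        return None
    # Sysmon emits Initiated as the string "true"; some shippers use a boolean.
    if str(event.get("Initiated", "")).lower() != "true" or str(event.get("DestinationPort")) != "445":
        return None
    return f"web-worker-smb: {basename(event['Image'])} -> {event.get('DestinationIp')}:445"


def detect(events):
    """Apply both rules in order and return the list of alert strings."""
    rules = (check_automation_dll_host, check_web_worker_smb)
    return [alert for ev in events for rule in rules if (alert := rule(ev))]


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Both rules need site-specific tuning: legitimate hosts such as management agents may load the automation DLL, so the allow-list should be built from a baseline of the environment before the rule is used for alerting.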

Signs of a Chinese State-Backed Operation

Weaver Ant exhibits distinct characteristics linked to Chinese cyber-espionage groups, including:

  • The use of China Chopper, a tool frequently deployed by Chinese hacking groups.

  • The employment of an Operational Relay Box (ORB) network of Zyxel routers to obfuscate their traffic.

  • The working hours of the attackers, which align with Chinese time zones.

  • The deployment of an Outlook-based backdoor, previously attributed to Emissary Panda (a well-known Chinese APT group).

Throughout the four-year intrusion, Weaver Ant continuously evolved its techniques, adapting to changes in the network environment and using new methods to regain access. Sygnia noted that Chinese hacking groups frequently share tools, infrastructure, and even personnel, often employing contractors to support their operations.

China Accuses Taiwan of Cyber Espionage Amid Rising Tensions

The revelation of the telecom breach comes just days after China's Ministry of State Security (MSS) accused four Taiwanese military-linked hackers of cyber espionage against the mainland. Taiwan has denied the allegations.

According to the MSS, these individuals are members of Taiwan’s Information, Communications, and Electronic Force Command (ICEFCOM) and are responsible for:

  • Phishing attacks targeting Chinese government and military agencies.

  • Spreading disinformation and propaganda emails.

  • Using open-source hacking tools, including the AntSword web shell, IceScorpion, Metasploit, and Quasar RAT.

Taiwanese Hacking Group Identified

Chinese cybersecurity firms QiAnXin and Antiy claim a Taiwanese threat actor, dubbed APT-Q-20 (aka APT-C-01, GreenSpot, Poison Cloud Vine, and White Dolphin), has been conducting spear-phishing campaigns leading to the deployment of Cobalt Strike and Sliver C2 frameworks.

Attackers allegedly exploited security flaws in IoT devices (such as routers, cameras, and firewalls) and used weak passwords to gain access. QiAnXin downplayed the sophistication of these attacks, calling them "not particularly clever."

With cyber tensions escalating between China and Taiwan, this latest discovery highlights the ongoing battle for digital dominance in Asia’s cyber landscape.