Chinese Hackers Target Telecoms in Over 12 Countries with GHOSTSPIDER Malware
As part of its attacks against Southeast Asian telecom businesses, the China-affiliated threat actor Earth Estries has been seen utilizing GHOSTSPIDER, a backdoor that has not yet been documented. Another cross-platform backdoor known as MASOL RAT (also known as Backdr-NQ) was used in the assaults on Linux computers that belonged to Southeast Asian government networks, according to Trend Micro, which classified the hacking outfit as an aggressive advanced persistent threat (APT).
Earth Estries is reported to have successfully compromised more than 20 organizations, including government agencies, non-governmental organizations (NGOs), and companies in the transportation, chemical, consulting, technology, and telecommunications sectors. Victims have been identified in more than a dozen countries, among them Afghanistan, Brazil, Eswatini, India, Indonesia, Malaysia, Pakistan, the Philippines, South Africa, Taiwan, Thailand, the United States, and Vietnam.
Earth Estries overlaps with activity clusters that other cybersecurity vendors track under the names FamousSparrow, GhostEmperor, Salt Typhoon, and UNC2286. The group has reportedly been active since at least 2020, using a variety of malware families to compromise government and telecommunications organizations in South Africa, the Middle East, Asia-Pacific, and the United States. According to a report published last week by The Washington Post, the group is believed to have compromised more than a dozen telecom companies in the United States alone, and the U.S. government has identified and notified up to 150 victims.
Among its noteworthy malware tools are the Demodex rootkit and Deed RAT (also known as SNAPPYBEE), which is thought to be ShadowPad's successor.
The threat actor also employs other backdoors and information stealers, including Crowdoor, SparrowDoor, HemiGate, TrillClient, and Zingdoor.
N-day security flaws in Microsoft Exchange Server (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065, aka ProxyLogon), Sophos Firewall (CVE-2022-3236), Ivanti Connect Secure (CVE-2023-46805 and CVE-2024-21887), and Fortinet FortiClient EMS (CVE-2023-48788) are exploited to gain initial access to target networks.
To carry out long-term cyber espionage operations, the attacks then open the door for the distribution of bespoke malware like Deed RAT, Demodex, and GHOSTSPIDER. According to security researchers Ted Lee, Lenart Bermejo, Theo Chen, and Leon M. Chang, "Earth Estries is a well-organized group with a clear division of labor." "Observations from several campaigns lead us to hypothesize that attacks directed against certain businesses and geographical areas are initiated by several threat actors."
"Additionally, the [command-and-control] infrastructure used by various backdoors seems to be managed by different infrastructure teams, further highlighting the complexity of the group's operations." GHOSTSPIDER is an advanced, multi-modular implant that uses a unique protocol secured by Transport Layer Security (TLS) to communicate with attacker-controlled infrastructure. It then retrieves extra modules that can enhance its capability as required.
"Earth Estries conducts stealthy attacks that start from edge devices and extend to cloud environments, making detection challenging," Trend Micro stated. "They employ various methods to establish operational networks that effectively conceal their cyber espionage activities, demonstrating a high level of sophistication in their approach to infiltrating and monitoring sensitive targets."
Telecommunications companies have also been targeted by other China-affiliated threat groups, including Granite Typhoon and Liminal. According to cybersecurity company CrowdStrike, which spoke to The Hacker News, the attacks show how significantly China's cyber program has matured, moving from isolated intrusions to bulk data collection and longer-term targeting of platform providers, Internet service providers, and managed service providers (MSPs).