- Security researchers Sygnia discover attack after responding to a separate incident
- The attack was attributed to a Chinese state-sponsored threat actor
- Weaver Ant group lurked for years, stealing sensitive data and moving laterally
Chinese state-sponsored threat actors allegedly spent four years lurking in the IT infrastructure of a “major” Asian telecommunications provider, according to cybersecurity researchers Sygnia, which discovered the cyber-espionage campaign after responding to a separate incident.
In a technical writeup, Sygnia said while investigating a separate forensic case, multiple security alerts flagged suspicious activity. Furthermore, a previously disabled account was re-enabled, raising even more suspicion.
Digging deeper, the investigators found China Chopper web shells, as well as multiple other malicious payloads used for lateral movement and data exfiltration.
“Incredibly dangerous”
They concluded that the threat actors, named Weaver Ant, were Chinese, since their operational tactics, the use of China Chopper, ORB networks, and other tools, their working hours, and the choice of target (critical telecom infrastructure), all pointed to that conclusion.
Sygnia did not want to disclose who that “major” Asian telecommunications company is, but said that the initial access vectors were vulnerable Zyxel routers.
Furthermore, the company added other Southeast Asian telecom providers as victims, as well, since their compromised Zyxel routers were used in the attack.
Weaver Ant managed to successfully maintain long-term access, exfiltrate sensitive data, while moving laterally across the company’s systems, Sygnia concluded. The goal was espionage – to gather as much intelligence as possible, from critical infrastructure.
Despite multiple attempts to remove them, Weaver Ant managed to persist, it was concluded.
“Nation-state threat actors like Weaver Ant are incredibly dangerous and persistent with the primary goal of infiltrating critical infrastructure and collecting as much information as they can before being discovered,” said Oren Biderman, incident response leader at Sygnia.
“Weaver Ant maintained activity within the compromised network for over four years despite repeated attempts to eliminate them from compromised systems. The threat actor adapted their [tactics] to the evolving network environment, enabling continuous access to compromised systems and the collection of sensitive information.”
Via The Record
You might also like
https://cdn.mos.cms.futurecdn.net/gaGNk35XKYpmpPGJq8v2tU-1200-80.jpg
Source link
