China-linked APTs Offer Fake Huawei Careers as Lure

Monday, March 22nd, 2021 | , ,

Chinese-language APTs are targeting telecom companies in cyberespionage campaigns aimed at stealing sensitive data and trade secrets tied to 5G technology, according to researchers. The campaigns, dubbed “Operation Diànxùn”, target and lure victims working in the telecom industry. A typical ploy includes a fake website designed to mimic telco-giant’s Huawei career page.

Given the tactics used in the campaign, researchers believe it to be the work of known Chinese-language APTs ‘RedDelta’ and ‘Mustang Panda’. RedDelta was last believed to be behind cyberattacks against the Vatican and other Catholic Church-related institutions last year. In those attacks, adversaries leveraged spear phishing emails laced with malware that ultimately pushed the PlugX remote access tool (RAT) as the final payload.

Mustang Panda has been linked to cyberespionage attacks on non-governmental organizations (NGOs) with a focus on gathering intelligence on Mongolia by using shared malware like Poison Ivy or PlugX. The group also is known to shift tactics and adopt new tools quickly, researchers have noted.

This time around, the groups seem to be gunning for sensitive data and aiming “to spy on companies related to 5G technology,” researchers wrote. The campaign is likely related to a number of countries’ decision to ban the use of Chinese equipment from Huawei in the global rollout of the next-generation wireless telecommunications technology, researchers suggested.

The APTs used a multi-phased approach to the attacks, with the initial delivery vector likely coming in the form of a phishing attack using the internet as the first point of contact with victims, researchers said with “a medium level of confidence.”

Once someone falls for this aspect of the campaign, the second phase executes a .NET payload on the victim’s endpoint by leveraging Flash-based artifacts malware, according to the report. In the third and final phase of the attack, threat actors create a a backdoor for remote control of the victim via a Command and Control Server and Cobalt Strike Beacon, according to the report.

Share this: