DeadRinger APT Group Targets Southeast Asian Telecommunications Firms

What happened?

• The attacks are suspected to be carried out by APT groups associated with the Chinese nation-state due to the overlap in tactics and techniques with other Chinese APT groups.
• The goal of the campaigns was to target telecommunications firms to facilitate cyber espionage by gathering important information and subsequently target high-profile assets of the firms.

About the three campaigns

• The first cluster was likely performed by the Soft Cell APT group, which started its attack in 2018. The threat group has been active since 2012 and its attacks are aligned with the Chinese interests.
• The second attack is allegedly linked to Naikon, which has been targeting telcos since Q4 2020. Naikon is suspected to be connected with the military bureau of the Chinese People's Liberation Army (PLA). 
• The third attack campaign has been linked to APT27 (or Emissary Panda), with activities observed between 2017 and Q1 2021. The group was spotted using a unique backdoor to target Microsoft Exchange servers.

Attack techniques

• It details the exploitation of Exchange Server vulnerabilities; use of China Chopper, Mimikatz, and Cobalt Strike beacons; and backdoors with C2 for data exfiltration.
• The assets include billing servers with Call Detail Record (CDR) data, along with key network components such as the web servers, domain controllers, and Microsoft Exchange servers.

Conclusion