McAfee: Cyber Espionage Campaign Targets Telecoms to Steal Secret 5G Data

A new cyber espionage campaign is targeting telecommunication companies in the United States, Europe and Southeast Asia.

That’s according to McAfee’s Advanced Threat Research (ATR) team. This nefarious security scheme aims to steal sensitive or secret information in relation to 5G technology.

Dubbed Operation Diànxùn, the cyber espionage campaign uses malware masquerading as Adobe Flash applications. It shares tactics, techniques and procedures (TTPs) with attacks previously attributed by the industry to Mustang Panda.

Key findings include:

• The malware masquerading as Adobe Flash applications connects to a domain impersonating a legitimate career site for Huawei. 
• Since May 2020, cybersecurity researchers have spotted activity linked to the Chinese threat group dubbed RedDelta. McAfee ATR believes RedDelta and Mustang Panda are one and the same. The Mustang Panda group upgraded its cyberattack weapon in attacks attributed to RedDelta.

Numerous Victims and Counting

Thomas Roccia is a security researcher on the ATR team. He said at least 23 victims have been identified so far.

McAfee’s Thomas Roccia

“While we have no evidence of stolen information, it is possible that the attackers could use the fake Flash application installed on victims’ machines to move laterally across their employers’ organizations to impact other systems and resources,” he said.

There’s also no evidence of specific information targeted, Roccia said. However, the targets are mainly in the telco sector or have a link to this sector.

“Currently, there is a global race in the 5G backbone deployment,” he said. “And most of the organizations where we have observed telemetry hits were expressing concerns regarding the rollout of 5G technology from China. All of these indicators, in addition to the motivation of the threat actors usually seen and the TTPs, gives us a moderate level of confidence that the motivation behind this specific campaign has to do with Chinese technology in the global 5G rollout.”

While the initial vector for the infection is not entirely clear, the McAfee team believes with a medium level of confidence that malicious hackers lured their victims to a domain under their control. There, the hackers infected them with malware, which they used to perform additional discovery and data collection. The attackers used a phishing website masquerading as the Huawei company career page.