Equipment in data center showing Chinese APT cyber espionage in telco network

Chinese APT Weaver Ant Burrowed in a Large Asian Telco Network for Several Years Conducting Cyber Espionage

Chinese APT group Weaver Ant breached and maintained a foothold on a large Asian telco network for four years using compromised Zyxel CPE routers for cyber espionage.

“Based on our analysis, we assess that the group behind this intrusion—tracked by Sygnia as Weaver Ant—aimed to gain and maintain continuous access to telecommunication providers and facilitate cyber espionage by collecting sensitive information,” the researchers stated.

Sygnia researchers said they received multiple alerts during an unrelated forensic investigation, which resulted in the discovery of the subsequent compromise.

During the investigation, they accidentally detected the reactivation of an account that was previously compromised by a different threat actor.

“It appeared that the remediation of the first threat actor inadvertently disrupted the operations of a second, China-nexus threat group, tracked by Sygnia as Weaver Ant,” the researchers said.

The re-activation occurred via a service account and originated from a server that was not previously compromised, raising suspicions of potentially ongoing compromise.

How Chinese APT compromised a major telco network for years

The researchers further probed the telco network’s infrastructure and discovered China Chopper web shells on the server with evidence of a multi-year compromise. China Chopper is preferred for being lightweight and offering various functionalities, such as file management, command execution, and data exfiltration.

They also discovered that the Chinese APT had deployed “INMemory” web shells, which execute on the compromised device’s memory. The web shell works by decoding “a hardcoded GZipped Base64 string into a Portable Executable (PE) named ‘eval.dll’ and executing it entirely in memory to evade detection.”

The Chinese APT used the web shells to deliver more potent payloads, including tunneling tools, to access the telco network’s resources, navigate various web environments, and maintain operational complexity.

“Web shell tunneling is a method that leverages multiple web shells as ‘proxy servers’ to redirect inbound HTTP traffic to another web shell on a different host for payload execution,” the researchers explained.

The tactic allowed the Chinese APT to operate on different servers in different network segments by using publicly accessible servers as operational gateways.

Sygnia researchers compared the Chinese APT’s behavior on the telco network to a nesting doll with different layers, where “malicious payloads were encapsulated in multiple layers of encryption and obfuscation.”

They explained how each next-in-line web shell peeled back the layer to reveal the subsequent payload for execution.

“This layering allowed the threat actor to remain evasive, with the true malicious intent only becoming apparent once the final payload was unveiled, much like the smallest doll hidden inside a nesting set,” the report stated.

The Chinese APT operated on the telco network’s infrastructure during normal working hours on weekdays in the Chinese time zone (GMT +8) and avoided the weekends, suggesting that they worked for a professional organization. Nonetheless, the identity of the compromised telco network remains undisclosed, as is the Chinese APT’s.

Mitigations against Chinese APT

Meanwhile, the researchers recommended various mitigations to defend against the threat posed by the Chinese APT. They included enabling logging, including on PowerShell and IIS, and monitoring the network for suspicious activity.

Similarly, restricting Web-facing accounts, rotating credentials, and deploying EDR and XDR solutions could stop the Chinese APT from compromising targeted organizations for cyber espionage.

“By embracing such an approach, organizations can enhance their ability to detect, deter, and counteract the persistent threat presented by state-sponsored groups,” advised Sygnia.

Meanwhile, Chinese state-backed threat actors have frequently targeted critical infrastructure in Hong Kong, the Philippines, Taiwan, and Vietnam for cyber espionage.