Security vendor McAfee has detected an attack it believes was likely aimed at telecoms companies in the hope of stealing information related to 5G networks.
McAfee has named the attack “Operation Diànxùn” and says it resembles past attacks perpetrated by groups named RedDelta and Mustang Panda. Both groups have been associated with China by other security researchers.
The attack begins, McAfee’s researchers assert, with visits to a faked Huawei careers page. Phishing may be a factor in driving traffic to that site, which serves up fake jobs and real malware.
“We discovered malware that masqueraded as Flash applications, often connecting to the domain hxxp://update.careerhuawei.net that was under control of the threat actor,” McAfee’s researchers write. “Moreover, the sample masquerading as the Flash application used the malicious domain name flach.cn which was made to look like the official web page for China to download the Flash application, flash.cn.”
“One of the main differences from past attacks is the lack of use of the PlugX backdoor. However, we did identify the use of a Cobalt Strike backdoor,” the researchers write.
If the attack works, the victim machine ends up hosting a backdoor that gives the attacker remote control through a command-and-control server, together with a Cobalt Strike Beacon.
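The campaign's infrastructure leaned on lookalike hostnames: flach.cn one letter off from the real flash.cn, and careerhuawei.net embedding the Huawei brand. The following is an added detection example, not code from McAfee or the original article: it scans web-proxy log lines for the two hostnames named on this page and for close imitations of the brand domains they mimic. The log format, the sample lines, the brand watchlist and the two-label treatment of registrable domains are all assumptions made here.

```python
"""Flag known-bad and lookalike hostnames in web proxy logs.

Added example. The IOC hostnames and the brands they imitate come from the
McAfee findings quoted above; the log lines, log format and watchlist are
constructed for this example and are not from the report.
"""
import re
from urllib.parse import urlsplit

# Legitimate domains the campaign imitated, per the quoted report (assumption:
# these are the brands worth watching for a given estate).
WATCHLIST = ("flash.cn", "huawei.com")
# Hostnames named in the report (quoted there with a defanged hxxp:// scheme).
KNOWN_BAD = {"update.careerhuawei.net", "flach.cn"}

# Constructed sample log: "<timestamp> <client> <method> <url> <status>".
SAMPLE_LOG = """\
2021-03-16T10:02:11Z 10.0.0.5 GET http://update.careerhuawei.net/flashplayer.exe 200
2021-03-16T10:02:45Z 10.0.0.5 GET http://www.flach.cn/download/ 200
2021-03-16T10:03:02Z 10.0.0.7 GET https://www.flash.cn/ 200
2021-03-16T10:03:30Z 10.0.0.9 GET https://career.huawei.com/reccampportal/ 200
2021-03-16T10:04:01Z 10.0.0.9 GET https://huawei-careers.net/apply 200
2021-03-16T10:04:19Z 10.0.0.5 GET https://example.org/ 200
"""

LOG_RE = re.compile(r"^\S+ (?P<client>\S+) \S+ (?P<url>\S+) \d+$")


def levenshtein(a: str, b: str) -> int:
    """Edit distance; hostnames are short, so the O(len(a)*len(b)) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Assumption: no multi-part public suffixes
    (such as .com.cn) are in play; production code should use a public-suffix list."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def classify(host: str) -> str:
    """Return 'ioc', 'legit', 'lookalike' or 'ok' for a hostname."""
    host = host.lower()
    reg = registrable_domain(host)
    if host in KNOWN_BAD or reg in KNOWN_BAD:
        return "ioc"
    sld = reg.split(".")[0]
    for brand in WATCHLIST:
        if reg == brand:
            return "legit"  # the real domain or one of its own subdomains
        if levenshtein(reg, brand) <= 1:
            return "lookalike"  # one edit away, e.g. flach.cn vs flash.cn
        if brand.split(".")[0] in sld.replace("-", ""):
            return "lookalike"  # brand name embedded, e.g. careerhuawei.net
    return "ok"


def scan(log_text: str):
    """Return (client, host, verdict) for every line that hits an IOC or a lookalike."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        host = urlsplit(m["url"]).hostname or ""
        verdict = classify(host)
        if verdict in ("ioc", "lookalike"):
            hits.append((m["client"], host, verdict))
    return hits


if __name__ == "__main__":
    for client, host, verdict in scan(SAMPLE_LOG):
        print(f"{verdict:9} {client:10} {host}")
```

The exact-match IOC check catches only the two hostnames the report names; the distance and embedded-brand checks are what catch the next registration in the same pattern, at the cost of some false positives on legitimate third-party sites that mention a brand in their name, so treat a "lookalike" verdict as a lead to triage rather than a block decision.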
McAfee telemetry suggested “possible targets based in Southeast Asia, Europe, and the US were discovered in the telecommunication sector” along with “strong interest in German, Vietnamese and India telecommunication companies.”
“Combined with the use of the fake Huawei site, we believe with a high level of confidence that this campaign was targeting the telecommunication sector. We believe with a moderate level of confidence that the motivation behind this specific campaign has to do with the ban of Chinese technology in the global 5G roll-out.”
The security firm concluded, with moderate confidence, that “this espionage campaign is aimed at stealing sensitive or secret information in relation to 5G technology.”
McAfee also suggests the attack should not be vastly difficult to defend against, by – surprise! – using its products. Readers may also suggest not running Flash as a fine way to prevent such attacks, especially since Adobe ended support for it at the end of 2020; the lure here is a fake Flash download, so any site offering a Flash installer should be treated as suspect in its own right. However, Flash lives on in China, where it remains a much-used tool. ®