McAfee researchers have discovered cyber espionage campaigns aimed at telecommunications companies connected to 5G technology. The campaign, dubbed Operation Diànxùn, uses Huawei-branded phishing domains to lure telecommunications workers to download malware onto their work computers.
Security researchers at McAfee Advanced Threat Research (ATR) for strategic intelligence Thomas Roccia, Thibault Seret and John Fokker observed that the tactics, techniques and procedures (TTPs) employed were consistent with those used by Chinese threat operators Red Delta and Mustang Panda. They claim that the cyber espionage campaign aims to steal secret information about 5G technology.
“In this report, we brought to light a recent espionage operation allegedly attributed to a Chinese APT group. In relation to the target sector [telecommunications], we believe that this campaign was used to access sensitive data and spy on companies linked to 5G technology. In addition, the use of a fake Huawei website gives more clues about telecommunications targets,” says the report.
The attackers used a fake Huawei career site to lure telecommunications workers. The hackers impersonated Huawei by building a convincing copy of its career site to attract victims. “We believe with a medium level of confidence that attackers used a phishing site disguised as a Huawei company career page to target people working in the telecommunications industry.”
They tricked telecom workers into downloading malware disguised as Flash applications. Victims who took the bait were redirected to another website, flash.cn, which resembles the official Chinese Flash download site.
The researchers note that the downloaded Flash applications connected to the attackers’ domain “hxxp://update.careerhuawei.net”, which mimics Huawei’s career portal, “hxxp://career.huawei.com”. Security researchers also found another domain, “hxxp://update.huaweiyuncdn.com”, used in the cyber espionage campaign in late 2020.
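The two attacker domains above are the kind of indicator a defender would want to match against web-proxy or DNS logs, together with a broader check for brand-lookalike hostnames (a host that contains “huawei” but whose registrable domain is not Huawei’s). The script below is an added example written for this page, not code from McAfee or from the report: the two IoC domains come from the text, while the brand allow-list, the multi-part suffix list and the proxy log format (timestamp, client IP, method, URL) are assumptions, and the log lines are constructed.

```python
import re
from urllib.parse import urlparse

# Domains named in the Operation Diànxùn report (defanging "hxxp" removed).
KNOWN_IOC_DOMAINS = {
    "update.careerhuawei.net",
    "update.huaweiyuncdn.com",
}

# Assumption: brand keywords mapped to the registrable domains that may legitimately carry them.
BRAND_ALLOWLIST = {
    "huawei": {"huawei.com"},
}

# Assumption: a minimal list of two-part public suffixes for registrable-domain extraction.
MULTI_PART_SUFFIXES = {"com.cn", "net.cn", "co.uk", "com.au"}


def registrable_domain(host: str) -> str:
    """Return the registrable (apex) domain of a hostname, e.g. update.careerhuawei.net -> careerhuawei.net."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_PART_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


IOC_APEX_DOMAINS = {registrable_domain(d) for d in KNOWN_IOC_DOMAINS}


def classify_host(host: str) -> str:
    """Classify a hostname as 'ioc', 'lookalike', 'allowed' or 'benign'."""
    host = host.lower().rstrip(".")
    apex = registrable_domain(host)
    # Exact IoC hit, or any subdomain of an IoC apex domain.
    if host in KNOWN_IOC_DOMAINS or apex in IOC_APEX_DOMAINS:
        return "ioc"
    # Brand keyword present: allowed only if the apex domain is on the allow-list.
    for brand, allowed_apexes in BRAND_ALLOWLIST.items():
        if brand in host:
            return "allowed" if apex in allowed_apexes else "lookalike"
    return "benign"


# Assumed proxy log layout: "<timestamp> <client-ip> <method> <url>".
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)")


def scan_proxy_log(lines):
    """Return (timestamp, client, host, verdict) for every line hitting an IoC or a lookalike domain."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the scan
        host = urlparse(m.group("url")).hostname
        if not host:
            continue
        verdict = classify_host(host)
        if verdict in ("ioc", "lookalike"):
            findings.append((m.group("ts"), m.group("src"), host, verdict))
    return findings


# Constructed sample log lines for demonstration.
SAMPLE_LOG = [
    "2020-12-03T09:12:44Z 10.10.4.21 GET http://career.huawei.com/jobs",
    "2020-12-03T09:13:02Z 10.10.4.21 GET http://update.careerhuawei.net/flash_installer.exe",
    "2020-12-03T09:13:40Z 10.10.4.22 GET https://www.example.com/",
    "2020-12-03T09:14:15Z 10.10.4.23 GET http://hr-huawei-careers.net/apply",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for ts, src, host, verdict in scan_proxy_log(SAMPLE_LOG):
        print(f"{ts} {src} {host} -> {verdict}")
```

The lookalike rule deliberately fires on any unknown apex domain carrying the brand string, so it will produce some noise (partner sites, CDNs); the point is to surface candidates for triage rather than to block automatically, and the allow-list is where verified legitimate domains are recorded as they are confirmed.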
“Although the initial vector for the infection is not entirely clear, we believe with a medium level of confidence that the victims were attracted to a domain under the control of the threat operator, from which they were infected with malware that the threat actor took advantage of to make additional discoveries and collect data,” concludes the report.
Most of the targeted telecommunications companies operated in the USA, Europe and Southeast Asia. However, there was a “strong interest” in German, Vietnamese and Indian telecommunications companies. The researchers were unable to identify the initial vector used to attract telecommunications workers to Huawei’s fake career site. They were also unable to establish whether Huawei was involved in the cyber espionage campaign. However, they concluded that the campaign was related to the ban on Chinese equipment in the launch of 5G technology.