3 military-backed hacking groups are behind the attacks

Aug 3, 2021 17:28 GMT  ·  By

Emissary Panda (APT27), Naikon, and Soft Cell are the organizations that carried out various hacking activities on the same telecom carriers in Southeast Asia at the same time, according to Cybereason

Recent cyberattacks conducted by the Hafnium cybercriminal gang used vulnerabilities in unpatched Microsoft Exchange servers, and the same bugs were used in this case. The threat actors gained access to target networks by exploiting previously published vulnerabilities in Microsoft Exchange Server.

Once inside, the hackers gained access to the sensitive information held on key network resources such as Domain Controllers (DC), on high-value corporate resources such as billing servers that contain call detail record (CDR) data, and on other key network components of the telecom carriers.

The Cybereason Nocturnus team noted an interesting overlap between the three clusters. The attacks occurred in some cases in the same target environment, in the same period, and even on the same endpoints. Currently, there is insufficient information to determine whether they are distinct threat actors or just different teams working for a single threat actor.

The following conclusions were reached by the researchers:

All three groups involved in the attacks, Soft Cell, Naikon, and Group-3390, are linked to APT (Advanced Persistent Threat) actors. The many overlapping TTPs observed in the clusters indicate the likelihood that all actors are working toward the single goal of monitoring the communications of high-level targets, aligned with the goals of the Chinese state. Cybereason concluded that the telecommunications companies were infiltrated to enable espionage against specific targets that are likely to be law enforcement agencies, politicians, corporations, government officials, and other organizations.

When their activity was disrupted, the highly adaptive attackers changed tactics to keep disguising their operations and to maintain their foothold on infected systems, responding dynamically to efforts to remove them even after they had already evaded security measures.