Hacking Group Conducted Espionage Campaign Targeting Telcos
McAfee: RedDelta Group Used Fake Job Website to Target Employees
A hacking group used a fake Huawei careers website to lure telecommunications workers and infect the job seekers' devices with malware that could steal information, says McAfee's Advanced Threat Research Strategic Intelligence team.
McAfee, which dubbed the campaign Operation Diànxùn (Chinese for "telecommunications"), says researchers first noticed the activity in August 2020 and have spotted it as recently as last week. The malicious website, however, has since been taken down.
The researchers attribute the operation to the advanced persistent threat group RedDelta, also known as Mustang Panda and TA416, which has connections to China. The attribution rests on the tactics, techniques and procedures in this campaign being similar to those of earlier attacks by the gang (see: Chinese Hacking Group Rebounds With Fresh Malware).
In September 2020, Recorded Future's Insikt Group noted that RedDelta's attacks at that time were in line with Chinese government interests. The attacks included several network intrusions and phishing attempts targeting the Roman Catholic Church.
"While the initial vector for the infection is not entirely clear, we believe with a medium level of confidence that victims were lured to a domain under control of the threat actor, from which they were infected with malware," wrote Thomas Roccia, a security researcher on the McAfee Advanced Threat Research team.
Using McAfee telemetry, the team identified telecommunications targets in the U.S., Southeast Asia, Europe, Germany, Vietnam and India.
"We believe with a moderate level of confidence that the motivation behind this specific campaign has to do with the ban of Chinese technology in the global 5G rollout," Roccia says. The attackers apparently are aiming to steal sensitive or secret information concerning 5G technology, he adds.
"We have no evidence of stolen information, but it is possible that the attackers could use the fake flash application installed on victims' machines to move laterally across their employers' organizations to impact other systems and resources," Roccia says.
The fake domain found by McAfee drew in victims by mimicking the appearance of the employment page on the website of Chinese telecom hardware vendor Huawei and by using a URL, hxxp://update.careerhuawei.net, that closely resembles the web address of the legitimate Huawei careers page.
Once a victim was on the page, the attacker enticed them to run a malicious Flash application that downloaded the malware onto their device. In some cases, the malicious code included a Cobalt Strike backdoor, the report says.
If the malware was successfully downloaded, the last phase of the attack involved creating a backdoor for remote control of the victim's device through a command-and-control server and installing a Cobalt Strike Beacon, the report says.
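The two lures described above, a brand-name lookalike domain that is not under the vendor's real apex and a "Flash" installer served from a site that is not Adobe's, are both visible in ordinary web-proxy logs. The following is an added example written for this article, not code from McAfee or from the report, showing how a defender could flag those two signals. It assumes a constructed proxy log format (timestamp, client IP, method, URL, status); the only real values in it are the defanged lookalike domain named in the article and Huawei's apex domain huawei.com. The legitimate careers path, the adobe.com check and the other log lines are assumptions or constructed test data.

```python
import re
from urllib.parse import urlparse

# Brand keyword -> apex domains that may legitimately carry it.
# huawei.com is Huawei's real apex; any other apex containing "huawei" is suspect.
LEGIT_APEX = {"huawei": {"huawei.com"}}

# Assumption: genuine Flash Player installers only ever came from adobe.com.
FLASH_VENDOR_APEX = {"adobe.com"}
FLASH_LURE_RE = re.compile(r"flash[\w-]*\.(exe|msi|dmg)$", re.IGNORECASE)

# Constructed proxy log (not from the report). Line 1 and 4 use the defanged
# lookalike host named in the article; the other hosts/paths are made up.
SAMPLE_LOG = """\
2020-08-14T09:12:03Z 10.0.5.17 GET hxxp://update.careerhuawei.net/index.html 200
2020-08-14T09:12:40Z 10.0.5.17 GET https://career.huawei.com/portal/index.html 200
2020-08-14T09:13:01Z 10.0.5.22 GET https://www.example.com/jobs 200
2020-08-14T09:14:11Z 10.0.5.17 GET hxxp://update.careerhuawei.net/flashplayer.exe 200
2020-08-14T09:15:09Z 10.0.5.31 GET https://get.adobe.com/flashplayer/flashplayer32.exe 200
"""


def refang(url):
    """Turn a defanged hxxp:// URL back into http:// so urlparse can read it."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)


def registrable_domain(host):
    """Naive apex: last two labels. Adequate for .com/.net; production code
    should use a public-suffix list to handle e.g. .co.uk correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def lookalike_brand(host, brands=LEGIT_APEX):
    """Return the impersonated brand if the host carries a brand keyword but
    sits under an apex that is not one of the brand's legitimate apexes."""
    host = host.lower()
    apex = registrable_domain(host)
    for brand, legit in brands.items():
        if brand in host and apex not in legit:
            return brand
    return None


def is_flash_lure(host, path):
    """Flag a Flash-installer-looking download served from a non-Adobe apex."""
    if not FLASH_LURE_RE.search(path.rsplit("/", 1)[-1]):
        return False
    return registrable_domain(host) not in FLASH_VENDOR_APEX


def scan_proxy_log(text, brands=LEGIT_APEX):
    """Yield one finding dict per suspicious request in the constructed log."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line; skip rather than crash the scan
        ts, client, _method, url = parts[:4]
        parsed = urlparse(refang(url))
        host = parsed.hostname
        if not host:
            continue
        reasons = []
        brand = lookalike_brand(host, brands)
        if brand:
            reasons.append(f"lookalike domain for {brand}")
        if is_flash_lure(host, parsed.path):
            reasons.append("flash installer from non-vendor host")
        if reasons:
            findings.append({"ts": ts, "client": client, "host": host,
                             "path": parsed.path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_proxy_log(SAMPLE_LOG):
        print(f["ts"], f["client"], f["host"] + f["path"], "|", "; ".join(f["reasons"]))
```

Both checks are intentionally simple: the apex comparison catches the whole family of careerhuawei-style names rather than one hard-coded indicator, and the Flash check keys on what the user was lured into downloading rather than on a hash, so it still fires after the attacker rotates the payload. False positives (a partner site that legitimately mentions the brand) are handled by adding that apex to LEGIT_APEX rather than by loosening the rule.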