Cybersecurity experts discovered a cyber espionage campaign targeting telecom operators globally to steal sensitive information. According to McAfee’s Advanced Threat Research (ATR) team, the campaign is aimed at pilfering trade secrets and other technical details related to 5G technology. Dubbed “Operation Diànxùn,” the campaign tricks employees in the telecom sector with a fake Huawei career page asking them to provide personal data.
Links to Chinese Hackers
McAfee researchers suspect that Chinese state-sponsored hackers are behind Operation Diànxùn because the tactics, techniques, and procedures (TTPs) used in the campaigns are similar to the ones used by Chinese threat actor groups RedDelta and Mustang Panda.
“Most probably this threat is targeting people working in the telecommunications industry and has been used for espionage purposes to access sensitive data and to spy on companies related to 5G technology,” McAfee said.
Three Phases of Attack Vectors
The research team found that Operation Diànxùn operators initiate their attacks in three phases:
- In the initial phase of the infection, the attackers send phishing emails to the targets. The victims are directed to a domain controlled by the threat actor group that masquerades as the Huawei company career page.
- The second phase, exploitation, involves executing malware on the victim’s endpoint: a Flash-based artifact and a .NET payload. The fake Flash installer acts as a downloader that retrieves further payloads to compromise the targeted machine.
- The last phase of the attack involves installing a backdoor for remote control of the victim’s machine via a command-and-control server and a Cobalt Strike Beacon.
“To defeat targeted threat campaigns like Operation Dianxun, defenders must build an adaptive and integrated security architecture which will make it harder for threat actors to succeed and increase resilience in the business,” McAfee added.