
State-Backed Group CL-STA-0969 Targets Southeast Asian Telecoms in 2024: A Comprehensive Analysis


TL;DR

In 2024, the nation-state group CL-STA-0969 targeted Southeast Asian telecom firms, focusing on critical infrastructure. The group, linked to China’s Liminal Panda, used a mix of custom and public tools and exploited known vulnerabilities. Their strong operational security (OPSEC) helped them stay undetected, and while no data exfiltration was confirmed, they likely aimed to set up resilient remote access for future espionage.

State-Backed Group CL-STA-0969 Targets Southeast Asian Telecoms in 2024

Palo Alto Networks’ Unit 42 reported that a nation-state actor, identified as CL-STA-0969, launched a series of cyberattacks against telecommunications firms in Southeast Asia from February to November 2024. These attacks specifically targeted critical infrastructure, highlighting a significant security threat in the region.

Overlap with Known Cyber Espionage Groups

The threat actor CL-STA-0969 shares similarities with the China-linked cyber espionage group Liminal Panda, and also overlaps with the clusters LightBasin, UNC3886, UNC2891, and UNC1945. The group employed a combination of custom and publicly available tools, including Microsocks, FRP, FScan, and Responder, and exploited known privilege-escalation vulnerabilities such as CVE-2016-5195, CVE-2021-4034, and CVE-2021-3156.

Strong Operational Security

CL-STA-0969 maintained robust operational security (OPSEC), utilizing techniques like DNS tunneling, routing via compromised mobile networks, log clearing, and disguising process names to remain undetected. Despite these measures, researchers found no evidence of data exfiltration. However, the group used tools like Cordscan to attempt to collect mobile device location data, suggesting preparations for future espionage operations.

Targeting Telecommunications Infrastructure

Between February and November 2024, the APT group targeted critical telecommunications infrastructure, likely gaining initial access through brute-force attacks on authentication systems. They employed custom tools such as AuthDoor, GTPDoor, ChronosRAT, and NoDepDNS, building covert access and command-and-control channels on protocols such as SSH, ICMP, DNS, and GTP. To maintain stealth, they used PAM backdoors, disguised processes, tampered with logs, and disabled SELinux, showcasing a deep understanding of telecom environments and strong OPSEC.

Telecom Networks Infiltration

Tools Used by CL-STA-0969

  • AuthDoor: A PAM backdoor capturing user credentials by hooking into authentication functions. It supports hardcoded password access and updates stolen credentials in a hidden log.
  • Cordscan: A network scanning and packet capture tool tailored for telecom environments, targeting SGSN nodes to extract IMSI and operator data.
  • GTPDoor: A Linux implant using GTP-C signaling to tunnel C2 traffic within telecom networks, supporting beaconing and remote code execution.
  • EchoBackdoor: A passive ICMP-based backdoor that listens for encrypted instructions in echo request packets, avoiding outbound connections.
  • SGSN Emulator: Emulates an SGSN node using the OsmoGGSN project to create tunnels to mobile operators via GRX, setting up a SOCKS proxy for data exfiltration.
  • ChronosRAT: A modular Linux RAT ensuring persistence via a watchdog process, with AES-encrypted TCP C2 and dynamic RSA key updates.
  • NoDepDNS: A Go-based backdoor using DNS tunneling over port 53, decoding commands embedded in DNS response IP addresses using XOR encryption.
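A defender-side check for the PAM-backdoor technique described above (AuthDoor). This is an added example, not Unit 42's tooling and not a signature for AuthDoor itself: it parses pam.d rule lines and flags any module that is not on an allow-list or is loaded by an explicit path; the allow-list contents and the sample pam.d file are constructed assumptions.

```python
import os
import re

PAM_TYPES = {"auth", "account", "password", "session"}
# Allow-list of module names the distribution ships (constructed for this example;
# derive the real list from the package manager's file list for your PAM package).
KNOWN_MODULES = {"pam_unix.so", "pam_env.so", "pam_deny.so", "pam_permit.so",
                 "pam_systemd.so", "pam_limits.so", "pam_nologin.so", "pam_faillock.so"}
# Constructed sample pam.d file for a stand-alone run (not taken from any real host).
SAMPLE_PAM = """\
auth     required   pam_env.so
auth     [success=1 default=ignore]  pam_unix.so nullok
auth     sufficient /usr/lib/security/pam_auth.so
-session optional   pam_systemd.so
session  required   pam_sshd_helper.so
@include common-account
"""

def parse_pam_line(raw):
    """Return (type, control, module) for one pam.d rule line, else None."""
    line = raw.split("#", 1)[0].strip().lstrip("-")  # leading "-" only silences load errors
    parts = line.split(None, 1)
    if len(parts) < 2 or parts[0] not in PAM_TYPES:
        return None                                   # blank, @include, or malformed line
    m = re.match(r"(\[[^\]]*\]|\S+)\s*(\S*)", parts[1])  # control may be "[...]" with spaces
    return (parts[0], m.group(1), m.group(2)) if m.group(2) else None

def suspicious_rules(text, known=KNOWN_MODULES):
    """Rules whose module is not allow-listed or is loaded from an explicit path."""
    return [r for r in map(parse_pam_line, text.splitlines())
            if r and ("/" in r[2] or r[2] not in known)]

def audit_pam_dir(pam_dir="/etc/pam.d", known=KNOWN_MODULES):
    """Map each file under pam_dir to its suspicious rules; empty dict means none."""
    results = {}
    for name in sorted(os.listdir(pam_dir)):
        path = os.path.join(pam_dir, name)
        if os.path.isfile(path):
            hits = suspicious_rules(open(path, errors="replace").read(), known)
            if hits:
                results[name] = hits
    return results

if __name__ == "__main__":
    print("sample:", suspicious_rules(SAMPLE_PAM))
    if os.path.isdir("/etc/pam.d"):
        print("live:", audit_pam_dir())
```

A name allow-list does not catch a trojanized copy of a legitimate module, so pair this with package-manager file verification (for example rpm -V or debsums) of the PAM module directory.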

Conclusion

The activities of CL-STA-0969 underscore the critical need for enhanced security measures in the telecommunications sector. Organizations relying on legacy systems are particularly vulnerable to such advanced persistent threats (APTs). Proactive threat intelligence and vigilant security practices are essential to mitigate these risks and protect critical infrastructure from future attacks.

For more details, visit the full article: source


This post is licensed under CC BY 4.0 by the author.