DeadRinger attack targets telecommunications companies in Southeast Asia

DeadRinger attack
Written by Emma Davis

Cybereason analysts have found that in recent years, at least five major telecommunications service providers in Southeast Asia, serving tens of millions of customers, have been affected by the DeadRinger attack, which was carried out by at least three different Chinese hack groups.

Based on our analysis, we believe that the goal of the attackers behind these hacks was to gain and maintain robust access to telecommunications service providers’ networks, as well as cyber espionage, gathering confidential information, and compromising important business assets, including billing servers that contain Call Detail Record (CDR) data; and key network components such as domain controllers, web servers, and Microsoft Exchange servers.

“At the moment, these attacks seem to be the starting point of a major spy campaign. We all carry a device in our pocket that knows where we are, where we were and with whom,” the experts say.

The attacks detected are associated with three hack groups:

These groups have used different methods to hack the same telecommunications companies, and some of them have remained active on victims’ networks for years, with some of the hacks occurring as early as 2017.

All groups are associated with the Chinese government, and they often used similar tools and tactics and attacked the same targets at the same time, so the presence of different hackers was noticed simultaneously on the same endpoints. However, it is unclear whether the attackers were instructed to attack telecommunications companies separately, or whether the attacks were coordinated from a single source.

Experts suggest that all these attacks could be related, but in an interview with journalists from The Record, they admitted that they do not yet have conclusive evidence of this theory:

We have not seen direct interaction between these clusters. And that’s the million-dollar question. It can be tempting to say that they are all connected and treat it all as one big attack. However, based on our telemetry, we did not observe a direct link or a “smoking gun” between these three clusters. But this does not mean that they are not related. In fact, we just don’t know. One of the reasons we decided to share our findings with the community is the hope that, over time, perhaps new information will shed light on these interesting coincidences.

Let me remind you that we talked about how Chinese hackers attacked Ragnarok Online Developers.


About the author

Emma Davis

I'm a writer and content manager (a short time ago I completed a bachelor's degree in Marketing at Gustavus Adolphus College). For now, I have a deep drive to study cyber security.
