- Security researchers Sygnia discover attacks after responding to a separate event
- The attack was attributed to a Chinese state-sponsored threat actor
- Weaver Ant Group lurked for years, stole sensitive data and moved laterally
Chinese state-sponsored threat actors reportedly spent four years lurking in the IT infrastructure of a “larger” Asian telecommunications provider, according to cybersecurity researchers Sygnia, who discovered the cyber-espionage campaign after responding to a separate event.
In a technical write-up, Sygnia said that while it was investigating a separate forensic case, several security alerts flagged suspicious activity. Furthermore, a previously disabled report was re-enabled, which raised even more suspicion.
After digging deeper, investigators found China Chopper web shells as well as several other malicious payloads used for lateral movement and data exfiltration.
“Incredibly dangerous”
They concluded that the threat actors, named Weaver Ant, were Chinese because their operational tactics, the use of China Chopper, ORB networks and other tools, their working hours and their choice of targets (critical telecom infrastructure) all pointed to that conclusion.
Sygnia did not want to reveal who the “big” Asian telecommunications company is, but said the initial access vector was vulnerable Zyxel routers.
Sygnia also listed other Southeast Asian telecom providers as victims, since their compromised Zyxel routers were used in the attack.
Weaver Ant successfully managed to maintain long-term access, exfiltrating sensitive data while moving laterally across the company’s systems, the company concluded. The goal was espionage – to gather as much intelligence as possible from critical infrastructure.
Despite several attempts to remove them, Weaver Ant managed to persist, the report added.
“Nation-state threat actors like Weaver Ant are incredibly dangerous and persistent, with the primary goal of infiltrating critical infrastructure and collecting as much information as they can before they are discovered,” said Oren Biderman, incident responder at Sygnia.
“Weaver Ant maintained activity within the compromised network for over four years despite repeated attempts to eliminate them from compromised systems. The threat actor adapted their [tactics] to the developing network environment, enabling continuous access to compromised systems and the collection of sensitive information.”
Via The post