- Sygnia security researchers discover an attack after responding to a separate incident
- The attack was attributed to a threat actor sponsored by the Chinese state
- The Weaver Ant group hides for years, steals sensitive data and moves laterally
A threat actor sponsored by the Chinese state is reported to have spent four years hiding in the IT infrastructure of a “major” Asian telecommunications provider, according to cybersecurity researchers at Sygnia, who discovered the cyber-espionage campaign after responding to a separate incident.
In a technical write-up, Sygnia said that during an investigation into a separate forensic case, several security alerts flagged suspicious activity. In addition, a previously disabled account had been re-enabled, which raised further suspicion.
Digging deeper, the investigators found China Chopper web shells, as well as several other malicious payloads used for lateral movement and data exfiltration.
“Incredibly dangerous”
They concluded that the threat actor, named Weaver Ant, was Chinese, because its operational tactics, its use of China Chopper, ORB networks and other tools, its working hours, and its choice of target (critical telecommunications infrastructure) all pointed to that conclusion.
Sygnia declined to disclose which “large” Asian telecommunications company this is, but said that the initial access vector was vulnerable Zyxel routers.
The company also listed other telecommunications providers in Southeast Asia as victims, because their compromised Zyxel routers were used in the attack.
Weaver Ant successfully maintained long-term access and exfiltrated sensitive data while moving laterally through enterprise systems, Sygnia concluded. The objective was espionage: to gather as much intelligence as possible on critical infrastructure.
Despite multiple attempts to remove them, Weaver Ant managed to persist, it concluded.
“Nation-state threat actors like Weaver Ant are incredibly dangerous and persistent, with the main objective of infiltrating critical infrastructure and collecting as much information as possible before being discovered,” said Oren Biderman, incident response lead at Sygnia.
“Weaver Ant maintained activity within the compromised network for more than four years despite repeated attempts to eliminate them from compromised systems. The threat actor adapted their [tactics] to the evolving network environment, allowing continued access to compromised systems and the collection of sensitive information.”
Via The record