A suspected Chinese hacking group remained inside a telecommunications firm for more than four years before investigators discovered the intrusion.
The finding comes from cybersecurity vendor Sygnia, which uncovered the hack at a major Asian telecom. The goal was to secretly maintain access and collect sensitive data.
Sygnia points the finger at the Chinese hacking group Weaver Ant, which infiltrated the telecom company by exploiting vulnerable Zyxel CPE series home routers. Weaver Ant then installed web shells, malicious scripts planted on compromised web servers at the telecom provider that gave the group a backdoor for maintaining remote access.
According to Sygnia, the web shells were able to evade detection for so long because they used specific keywords such as “password,” “key,” and “pass” to deliver payloads. Many web application firewalls will “automatically redact or mask” such values in the network logs. “As a result, the actual payload content was obscured, making it difficult to monitor or analyze the transferred data,” Sygnia said.
To further obscure its activities, Weaver Ant would also transmit payloads to the web shells that “exceeded the character limit supported” by the firewall, leading to the truncation of the logged data. “This limitation prevented a complete forensic reconstruction of the payload, further complicating the investigation,” Sygnia says.
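The two logging blind spots described above (values masked because of the parameter name, and values cut off at the log's field limit) leave metadata behind even when the payload itself is gone, and that metadata is enough to alert on. The following script is an added example, not Sygnia's tooling or anything from its report. It assumes a constructed key=value access-log layout with a quoted params field and a truncated=true flag, an assumed [MASKED] placeholder written by the WAF, and an assumed allow-list of endpoints that legitimately take credentials; it flags any request where a masked field appears outside those endpoints or where a logged value reached the field limit.

```python
"""Detector for requests whose payload was hidden from the logs by
credential masking or by field truncation.

Added example for this article, not Sygnia's tooling. The log layout
('key=value' pairs, a quoted params field, a truncated=true flag) and the
endpoint allow-list are assumptions; a real WAF emits its own schema.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Parameter names the article says many WAFs mask by default. Masking keys on
# the name, not the content, so a non-credential payload in such a field is hidden.
MASKED_NAMES = {"password", "key", "pass"}
MASK_TOKEN = "[MASKED]"          # assumed placeholder the WAF writes into the log

# Assumed allow-list: the only endpoints where a masked credential is expected.
CREDENTIAL_ENDPOINTS = {"/login", "/api/auth/token"}

# Assumed per-field limit of the logging pipeline; a logged value that reaches
# it was cut off, so its content cannot be reconstructed later.
LOG_FIELD_LIMIT = 64


@dataclass
class Finding:
    line_no: int
    src: str
    path: str
    reason: str


# key=value pairs; a value is either a double-quoted string or a run of non-spaces
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line: str) -> Dict[str, str]:
    """Parse 'k=v k2="v 2"' into a dict, stripping the quotes."""
    fields = {}
    for key, value in _KV.findall(line):
        fields[key] = value[1:-1] if value.startswith('"') else value
    return fields


def parse_params(raw: str) -> Dict[str, str]:
    """Split 'a=1&b=2' into a dict (values are logged text, not URL-decoded)."""
    params = {}
    for part in raw.split("&"):
        if "=" in part:
            name, value = part.split("=", 1)
            params[name.lower()] = value
    return params


def analyze(lines: List[str]) -> List[Finding]:
    """Return one Finding per hidden-payload condition found in the log."""
    findings = []
    for n, line in enumerate(lines, start=1):
        entry = parse_line(line)
        path = entry.get("path", "")
        src = entry.get("src", "")
        params = parse_params(entry.get("params", ""))

        # 1. A masked field on an endpoint that never takes credentials: the value
        #    is invisible in the log, so only the surrounding context can be judged.
        for name, value in params.items():
            if name in MASKED_NAMES and value == MASK_TOKEN and path not in CREDENTIAL_ENDPOINTS:
                findings.append(Finding(n, src, path, f"masked field '{name}' on non-credential endpoint"))

        # 2. A value cut at the pipeline's limit (or flagged by the WAF): the payload
        #    can no longer be reconstructed from the log alone.
        truncated = entry.get("truncated") == "true" or any(
            len(v) >= LOG_FIELD_LIMIT for v in params.values())
        if truncated:
            findings.append(Finding(n, src, path, "logged payload truncated at field limit"))
    return findings


# Constructed sample log; addresses come from the documentation ranges.
SAMPLE_LOG = [
    'ts=2025-01-10T09:02:11Z src=203.0.113.7 method=POST path=/login status=200 '
    'params="user=alice&password=[MASKED]"',
    'ts=2025-01-10T09:05:43Z src=198.51.100.5 method=POST path=/app/status status=200 '
    'params="pass=[MASKED]&id=17"',
    'ts=2025-01-10T09:06:02Z src=198.51.100.5 method=POST path=/app/status status=200 '
    f'params="key=[MASKED]&data={"A" * LOG_FIELD_LIMIT}" truncated=true',
    'ts=2025-01-10T09:07:30Z src=192.0.2.44 method=GET path=/index.html status=200 params=""',
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.src} -> {f.path}: {f.reason}")
```

Run against the constructed sample, the login request produces nothing, while the two requests to the non-credential endpoint produce three findings: two masked fields where no credential belongs and one truncated payload. The design point is that redaction should protect the log, not blind the investigator: scoping masking to the endpoints that actually take credentials, and keeping the length (or a hash) of a masked value rather than dropping it entirely, closes the same gap at the source.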
The incident is the latest case of suspected Chinese hackers breaching a company’s network and remaining undetected for long stretches of time, free to poke around sensitive data. Earlier this month, security vendor Dragos detailed a separate breach involving Chinese hackers sitting inside a Massachusetts public utility company for around 300 days.
Ironically, Sygnia uncovered Weaver Ant’s activities while working to stop a separate Chinese hacking group that had been inside the telecommunications firm’s network. The remediation efforts unintentionally disabled an account that Weaver Ant was using. Weaver Ant then re-enabled the account, which raised a red flag.
“Upon investigation, Sygnia determined that the account had been previously used by Weaver Ant,” the company said. “Notably, the activity originated from a server that had not been previously identified as compromised. This prompted a large-scale forensic investigation.”
To stop Weaver Ant, Sygnia used a monitoring process to automate the decryption of the traffic coming through the Chinese hacking group’s web shells. This led the company to identify “a large-scale operation with persistency mechanisms deployed on tens of servers,” it said.
Sygnia attributes the intrusion to Chinese hackers because the tools and web shells they used were previously connected to other Chinese hacking groups. Weaver Ant also operates during business hours in the China time zone.
This comes as at least nine US telecom firms were hit by “Salt Typhoon” hackers last year. Hackers targeted unnamed specific individuals who were “primarily involved in government or political activity,” officials said.