Closer Look at an ongoing campaign in Asia targeting Telecom and Governmental entities

The Telecommunications sector is a lucrative target for nation state-backed espionage campaigns

Check Point Research is unveiling an ongoing espionage campaign targeting the telecom industry and government organizations in Asia. Called “Stayin’ Alive,” the cyber campaign has been active since 2021 and targets victims in Vietnam, Uzbekistan, Pakistan and Kazakhstan. The telco sector is a lucrative target for nation state-backed espionage campaigns, with Asian telcos experiencing 1,941 weekly attacks per organization in the past 6 months. This is 25% higher than attacks against telcos globally.

In recent months, Check Point Research have diligently monitored an ongoing cyber campaign dubbed “Stayin’ Alive.” It has primarily set its sights on the Asian telecommunications industry and government organizations. As we delve into the intricacies of this campaign, we uncover a web of activities that shed light on its tactics, targets, and potential origins.

The “Stayin’ Alive” campaign revolves around the deployment of downloaders and loaders, often utilized as initial infection vectors against high-profile Asian entities. The campaign’s initial discovery, a downloader called CurKeep, zeroed in on countries like Vietnam, Uzbekistan, and Kazakhstan. However, our ongoing analysis has unveiled a much broader operation encompassing the entire region.

What makes this campaign particularly intriguing is the simplistic nature of the tools involved. They exhibit a wide variation and appear to be disposable, primarily serving as conduits for downloading and executing additional malicious payloads. These tools do not share code similarities with any known cyber actor’s products and exhibit little resemblance to each other. Yet, they all trace back to a common infrastructure, linked to ToddyCat, a threat actor with Chinese affiliations operating within the region.

Key Highlights

1. Targets and Geography: “Stayin’ Alive” primarily targets the telecommunications industry across Asia, with a focus on countries such as Kazakhstan, Uzbekistan, Pakistan, and Vietnam.

2. Infection Tactics: The campaign employs spear-phishing emails to deliver archive files using DLL side-loading techniques. Notably, it exploits a vulnerability in Audinate’s Dante Discovery software (CVE-2022-23748) by hijacking dal_keepalives.dll.

3. Loader Diversity: Threat actors behind the campaign leverage multiple unique loaders and downloaders, all linked to the same infrastructure.

4. Basic Yet Variable Functionality: Backdoors and loaders used in the campaign exhibit basic functionality that varies widely. This suggests they are considered disposable and are primarily used to gain initial access.

Throughout our investigation, a consistent pattern of targeting has emerged, focusing on Asian countries such as Vietnam, Pakistan, Uzbekistan, and Kazakhstan. Evidence points to spear-phishing emails, VirusTotal submissions, and file naming conventions as indications of this campaign’s primary targets within the telecom sector.

The Telecommunications sector is a lucrative target for nation state-backed espionage campaigns. According to Check Point Research, since the beginning of 2023, we have seen a global weekly average of 1,504 attacks per organization in the communication industry. In Asia, we observed an average of 1,978 attacks in the same industry, which is 32% higher.

The telecommunications sector consistently face such large numbers of attacks due to the connectivity and control these telcos have of different key infrastructures, as well as storage of sensitive information about individuals that use these telco services, which could be sold on the dark web for a huge profit.

Moreover, domains associated with various loaders and downloaders suggest that at least some of the targets, or their final targets, belong to government-affiliated organizations, predominantly in Kazakhstan. These domains include mimics of the Kazakhstan National Certificate Authority (pki.gov.kz) and certexvpn, a VPN software used by the Kazakh government.