
Alert: Stealthy Chinese ‘sleeper cells’ embedding into APAC telco networks, experts warn

China-nexus threat actor Red Menshen is establishing stealthy access to telecommunications backbones around the world, Rapid7 Labs warns.

Fri, 27 Mar 2026

Months of research have uncovered an ongoing espionage campaign linked to a China-nexus threat actor dubbed Red Menshen.

In a report called Sleeper Cells in the telecom backbone, researchers from Rapid7 Labs have outlined the scale of the threat.

These “cells” are maintaining persistence in telecommunications networks around the world, including here in the Asia-Pacific (APAC) region, “enabling ongoing intelligence collection across environments that support government, commercial and critical infrastructure operations”, according to the company.


“If you have access to telecommunications infrastructure, you are not just inside one company, you are operating close to the communication layer of entire populations, which makes this type of access highly valuable and elevates detection to a national-level concern,” Raj Samani, chief scientist at Rapid7, said in a 27 March statement.

“The activity we are seeing continues to evolve in ways that improve stealth and persistence, and organisations should treat detection as the start of investigation, not the end of it.”

While Rapid7 Labs has a solid handle on the malicious activity – including the deployment of a stealthy Linux kernel-level backdoor alongside a variant that can hide command triggers inside otherwise legitimate, encrypted HTTPS traffic – attribution remains a challenge.

“At this stage, attribution at the national level remains complex and is still under investigation. Given how the attacker conceals themselves within ‘normal’ network traffic, detection is no easy task. We are not merely searching for a needle in a haystack; rather, we are searching for a needle that has disguised itself as a piece of hay,” Christiaan Beek, Rapid7’s lead researcher, said.

“What we can state with certainty, however, is that telecommunications infrastructure is utilised globally and is highly interconnected. Consequently, the associated risk is not confined to any single region. We are observing activity in multiple parts of the world, including Europe and APAC, but concrete confirmations on a country-by-country basis take time due to the stealthy nature of these attacks.”

Beek added that this activity is not so much traditional espionage, but rather pre-positioning ahead of other activities.

“We are seeing a persistent access model where attackers embed within core communications systems and maintain that access over extended periods,” Beek said.

You can read Rapid7 Labs’ full research here.

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
