A China-linked advanced persistent threat group, dubbed ‘Weaver Ant,’ infiltrated the network of a major Asian telecommunications provider and maintained unauthorized access for over four years. This prolonged intrusion was characterized by sophisticated techniques designed to evade detection and persist within the compromised environment.
Weaver Ant employed an operational relay box (ORB) network, primarily consisting of compromised Zyxel customer-premises equipment (CPE) routers. This strategy allowed them to proxy their malicious traffic, effectively concealing their infrastructure and activities from standard monitoring tools.
Initial access was achieved using an AES-encrypted variant of the China Chopper web shell, a tool that facilitates remote control of servers while bypassing firewall restrictions. This allowed the attackers to establish a foothold within the telecommunications provider’s network.
As their operation progressed, Weaver Ant deployed a more advanced, custom-built web shell known as ‘INMemory.’ This tool leverages a dynamic-link library (DLL) named ‘eval.dll’ to execute code directly in the host’s memory, enhancing stealth and reducing the likelihood of detection.
Despite multiple attempts by the affected telecommunications provider to eradicate the intrusion, Weaver Ant demonstrated resilience, maintaining their covert presence over an extended period. This underscores the group’s sophistication and the challenges organizations face in defending against such advanced threats.
This incident highlights the critical importance for organizations, especially those in the telecommunications sector, to implement robust cybersecurity measures. Regular network monitoring, timely patching of vulnerabilities, and comprehensive incident response strategies are essential to detect and mitigate such sophisticated cyber espionage activities.
For further details, access the article here
Tiger Trap: America’s Secret Spy War with China
InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot | Comprehensive vCISO Services | ISMS Services | Security Risk Assessment Services
