Chinese Hackers Target Telecoms in 12+ Countries with GHOSTSPIDER

Earth Estries Cyberattacks Target Southeast Asian Telecoms with New GHOSTSPIDER Backdoor

A new wave of cyberattacks has emerged, with the China-linked threat actor known as Earth Estries utilizing a previously undocumented backdoor called GHOSTSPIDER to infiltrate telecommunications companies in Southeast Asia. This sophisticated group, identified by cybersecurity experts as an aggressive advanced persistent threat (APT), has also deployed another cross-platform backdoor known as MASOL RAT (or Backdr-NQ) on Linux systems within government networks in the region.

Overview of Earth Estries Operations

Trend Micro reports that Earth Estries has successfully compromised more than 20 organizations across various sectors, including telecommunications, technology, consulting, chemicals, transportation, government agencies, and non-profit organizations. Victims span over a dozen countries, including:

  • Afghanistan
  • Brazil
  • Eswatini
  • India
  • Indonesia
  • Malaysia
  • Pakistan
  • Philippines
  • South Africa
  • Taiwan
  • Thailand
  • United States
  • Vietnam

This extensive reach highlights the group’s capacity to conduct operations on a global scale.

Connections to Other Cyber Threat Groups

Earth Estries shares operational characteristics with other cybersecurity clusters tracked under names like FamousSparrow, GhostEmperor, Salt Typhoon, and UNC2286. Active since at least 2020, the group has employed a variety of malware to infiltrate telecommunications and government entities across the U.S., Asia-Pacific, Middle East, and South Africa. Recent reports indicate that Earth Estries has targeted over a dozen telecom companies in the U.S., with as many as 150 victims identified by the U.S. government.

Notable Malware and Infection Vectors

Among the tools used by Earth Estries, the Demodex rootkit and Deed RAT (also known as SNAPPYBEE) stand out. Deed RAT is suspected to be a successor to ShadowPad, a malware widely used by various Chinese APT groups. Other backdoors and information stealers in their arsenal include:

  • Crowdoor
  • SparrowDoor
  • HemiGate
  • TrillClient
  • Zingdoor

Initial network access is achieved by exploiting N-day security vulnerabilities in well-known software, including:

  • Ivanti Connect Secure (CVE-2023-46805, CVE-2024-21887)
  • Fortinet FortiClient EMS (CVE-2023-48788)
  • Sophos Firewall (CVE-2022-3236)
  • Microsoft Exchange Server (multiple CVEs related to ProxyLogon)

Once inside the networks, Earth Estries deploys custom malware such as Demodex and GHOSTSPIDER to execute prolonged cyber espionage.

The Sophistication of GHOSTSPIDER Attacks

GHOSTSPIDER represents a sophisticated, multi-modular implant that communicates with attacker-controlled infrastructure via a custom protocol secured by Transport Layer Security (TLS). This allows it to fetch additional modules to enhance its capabilities as needed. Security researchers have noted the highly organized nature of Earth Estries, with distinct teams managing different aspects of their operations.

"Earth Estries conducts stealthy attacks that begin at edge devices and extend into cloud environments, making detection particularly challenging," Trend Micro explains. The researchers add that the group uses a range of techniques to sustain its operational infrastructure, which helps conceal its espionage activity.

Conclusion and Future Implications

Telecommunications companies continue to be prime targets for China-linked threat actors, including Earth Estries, Granite Typhoon, and Liminal Panda. As cyber threats evolve, organizations must remain vigilant in their cybersecurity measures to defend against these sophisticated attacks.
