Since early 2024, major telecommunications organizations across Southeast Asia have faced attacks from an advanced state-sponsored cyber threat actor identified as CL-STA-0969. Security intelligence suggests a likely association with Chinese cyber-espionage operations, given the group’s methods and tools, which demonstrate a deep familiarity with telecommunications systems, high operational security, and technical adaptability.
Attack Overview
CL-STA-0969 has primarily focused its activities on entities servicing mobile roaming infrastructure within the telecommunications sector, with the earliest campaigns observed in February 2024 and continuing through at least November of that year. Unlike groups pursuing data theft for rapid monetization, this actor appears to be strategically positioning itself within telecom environments—facilitating persistent, covert access and remote control rather than immediate, large-scale data exfiltration.
Tactics and Techniques
Initial Access and Exploitation
Attackers leveraged brute-force attacks targeting SSH authentication, often exploiting default, built-in accounts on telecom infrastructure. Once inside, they swiftly deployed a range of custom malware packages designed for both persistence and stealth.
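As an added defensive example (not part of the original report), the following Python script applies the brute-force pattern described above to sshd log lines: it counts failed logins per source address within a sliding window, records which usernames were tried, and raises a second, higher-priority alert when a successful login follows the failures, which is the sequence a guessed default account leaves behind. The log lines, host name, addresses, thresholds and the assumed log year are all constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in the format sshd writes to /var/log/auth.log
# (syslog timestamp, host, process, message). Not taken from any real incident.
SAMPLE_AUTH_LOG = """\
Mar  3 02:14:01 gw01 sshd[2201]: Failed password for root from 203.0.113.45 port 51022 ssh2
Mar  3 02:14:03 gw01 sshd[2203]: Failed password for invalid user admin from 203.0.113.45 port 51030 ssh2
Mar  3 02:14:05 gw01 sshd[2205]: Failed password for root from 203.0.113.45 port 51041 ssh2
Mar  3 02:14:06 gw01 sshd[2207]: Failed password for operator from 203.0.113.45 port 51050 ssh2
Mar  3 02:14:08 gw01 sshd[2209]: Failed password for root from 203.0.113.45 port 51061 ssh2
Mar  3 02:14:10 gw01 sshd[2211]: Accepted password for operator from 203.0.113.45 port 51070 ssh2
Mar  3 02:30:00 gw01 sshd[2300]: Failed password for alice from 198.51.100.7 port 40010 ssh2
Mar  3 02:31:00 gw01 sshd[2302]: Accepted publickey for alice from 198.51.100.7 port 40012 ssh2
"""

# Matches the "Failed/Accepted <method> for [invalid user] <user> from <ip> port <n>" messages.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_line(line, year=2024):
    """Parse one sshd auth line; syslog timestamps carry no year, so one is assumed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}


def detect_ssh_brute_force(lines, threshold=5, window_seconds=60):
    """Return alerts for sources exceeding `threshold` failures inside a sliding
    window, and for any successful login from a source already flagged."""
    failures = defaultdict(deque)      # src -> timestamps of recent failures
    users_tried = defaultdict(set)     # src -> usernames attempted
    flagged = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        src, ts = ev["src"], ev["ts"]
        if ev["result"] == "Failed":
            q = failures[src]
            q.append(ts)
            users_tried[src].add(ev["user"])
            # Drop failures that fell out of the window.
            while q and (ts - q[0]).total_seconds() > window_seconds:
                q.popleft()
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append({"type": "brute_force", "src": src,
                               "failures": len(q), "users": sorted(users_tried[src])})
        elif src in flagged:
            # A success after a burst of failures is the high-priority case.
            alerts.append({"type": "success_after_brute_force", "src": src,
                           "user": ev["user"], "ts": ts.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect_ssh_brute_force(SAMPLE_AUTH_LOG.splitlines()):
        print(alert)
```

On a live host the same function can be fed `open("/var/log/auth.log")` or the output of `journalctl -u ssh -o short`; the window and threshold should be tuned to the environment, and the `success_after_brute_force` alert deserves a separate, higher-severity route than the raw failure count.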
Key Tools and Malware
- AuthDoor: A malicious Pluggable Authentication Module (PAM) backdoor, enabling access via hardcoded credentials.
- Cordscan: Utility developed to harvest mobile device location data within telecom systems.
- GTPDOOR: Specialized for reconnaissance and persistence in GPRS roaming environments.
- EchoBackdoor: Uses ICMP “ping” traffic to evade detection and maintain covert command and control (C2).
- SGSN Emulator: Emulates core telecom nodes to bypass network firewalls and facilitate lateral movement.
- ChronosRAT: A flexible remote access trojan supporting numerous adversary activities, from shell execution to traffic proxying.
- NoDepDNS/MyDns: Golang-based DNS backdoor that listens for attacker commands on UDP port 53.
- Commodity tooling: open-source utilities such as Microsocks, FScan, and ProxyChains were used alongside these custom implants.
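Two of the implants listed above (EchoBackdoor over ICMP echo traffic and NoDepDNS/MyDns listening on UDP port 53) rely on protocols that most networks allow freely, so detection has to come from traffic shape rather than port blocking. The Python below is an added example, not code from the report or from any vendor: it runs three simple rules over constructed flow summaries of the kind a NetFlow or Zeek `conn.log` export provides, flagging DNS traffic to hosts that are not approved resolvers, ICMP echo flows whose payload size is not one a standard ping client produces, and echo volumes between a single pair of hosts that exceed a threshold. The flow records, addresses, the "typical payload" set and the thresholds are assumptions for illustration.

```python
from collections import Counter

# Payload sizes a stock ping client sends (Windows 32, Linux 56, some tools 64).
# Assumed baseline for this example; adjust to the clients in use on the network.
TYPICAL_ECHO_PAYLOADS = {32, 56, 64}

# Constructed flow summaries (no real telemetry). Keys: src, dst, proto,
# dport (UDP/TCP), itype (ICMP type: 8 = echo request, 0 = echo reply),
# payload (bytes) and pkts (packet count for the flow).
SAMPLE_FLOWS = [
    {"src": "10.10.1.5", "dst": "10.10.0.53", "proto": "udp", "dport": 53, "payload": 41, "pkts": 1},
    {"src": "10.10.1.5", "dst": "10.10.0.53", "proto": "udp", "dport": 53, "payload": 38, "pkts": 1},
    # A query sent to an internal host that is not a resolver.
    {"src": "10.10.1.5", "dst": "10.10.7.21", "proto": "udp", "dport": 53, "payload": 120, "pkts": 1},
    # An ordinary ping.
    {"src": "10.10.1.5", "dst": "10.10.0.1", "proto": "icmp", "itype": 8, "payload": 56, "pkts": 1},
    # An echo request carrying a payload no ping client would produce.
    {"src": "10.10.1.9", "dst": "10.10.7.21", "proto": "icmp", "itype": 8, "payload": 900, "pkts": 1},
]
# A sustained stream of ordinary-looking pings between the same pair of hosts.
SAMPLE_FLOWS += [
    {"src": "10.10.1.9", "dst": "10.10.7.21", "proto": "icmp", "itype": 8, "payload": 56, "pkts": 1}
    for _ in range(250)
]


def analyze_flows(flows, approved_resolvers, icmp_pkt_threshold=200):
    """Return findings for DNS to unapproved servers, ICMP echo with unusual
    payload sizes, and high-volume echo traffic between one pair of hosts."""
    findings = []
    dns_seen = set()          # (src, dst) pairs already reported
    icmp_unusual_seen = set()
    icmp_volume = Counter()   # (src, dst) -> echo packets
    for f in flows:
        pair = (f["src"], f["dst"])
        if f["proto"] == "udp" and f.get("dport") == 53:
            if f["dst"] not in approved_resolvers and pair not in dns_seen:
                dns_seen.add(pair)
                findings.append({"rule": "dns_to_unapproved_server",
                                 "src": f["src"], "dst": f["dst"]})
        elif f["proto"] == "icmp" and f.get("itype") in (0, 8):
            icmp_volume[pair] += f["pkts"]
            if f["payload"] not in TYPICAL_ECHO_PAYLOADS and pair not in icmp_unusual_seen:
                icmp_unusual_seen.add(pair)
                findings.append({"rule": "icmp_unusual_payload", "src": f["src"],
                                 "dst": f["dst"], "payload": f["payload"]})
    for (src, dst), n in icmp_volume.items():
        if n >= icmp_pkt_threshold:
            findings.append({"rule": "icmp_high_volume", "src": src, "dst": dst, "pkts": n})
    return findings


if __name__ == "__main__":
    for finding in analyze_flows(SAMPLE_FLOWS, approved_resolvers={"10.10.0.53"}):
        print(finding)
```

The DNS rule is deliberately about the destination, not the query content: a host that is not a resolver yet receives UDP/53 traffic is the observable side effect of a backdoor listening on that port, whatever its command format.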
Privilege Escalation
Privilege escalation was frequently achieved by exploiting known Linux/UNIX vulnerabilities, specifically CVE-2016-5195 (“Dirty COW”), CVE-2021-4034 (“PwnKit”), and CVE-2021-3156 (“Baron Samedit”).
Defense Evasion
Operational security played a crucial role in these campaigns. The adversary routinely deleted authentication and operational logs, removed unnecessary binaries, and camouflaged malicious processes using plausible system or telecom-related names. Additionally, legitimate administrative tools (e.g., sed, utmpdump) were used to cloak activities, and security features such as SELinux were temporarily disabled to allow for uninterrupted malware operation.
Attribution and Context
Investigators identified significant overlap between the techniques of CL-STA-0969 and those of other established state-linked espionage groups, including Liminal Panda, LightBasin (UNC1945), UNC3886, and UNC2891. The maturity and scope of tools deployed further reinforce the group’s status as a highly capable, state-directed adversary.
Impact and Recommendations
While conclusive evidence of wide-scale data theft has not surfaced, the establishment of resilient command infrastructure and advanced backdoors highlights CL-STA-0969’s intent to maintain control and enable future surveillance or operations.
Recommendations for Telecom Operators
- Strengthen SSH authentication mechanisms and broaden detection for brute-force attacks.
- Audit and monitor pluggable authentication modules (PAM) on all Linux systems.
- Monitor for anomalous DNS and ICMP activity indicative of covert backdoors.
- Patch known Linux/UNIX privilege escalation vulnerabilities urgently.
- Deploy behavioral detection tools to catch stealthy, process-masquerading malware.
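The PAM audit recommended above, and the AuthDoor module described earlier, both come down to one question: does every module referenced under /etc/pam.d exist in the distribution's own module set and load from its standard directory? The Python below is an added example, not the report's or any project's code. It parses PAM configuration lines (including bracketed controls and `@include` directives), compares each module against a baseline of stock Linux-PAM modules, and flags modules loaded by absolute path from outside the standard directories; an unknown module in an `auth sufficient` line is rated highest because that control lets a single module grant access on its own. The sample configuration, the module baseline, the directory list and the hypothetical module name `pam_backdoor_example.so` are all constructed for illustration.

```python
import re
from pathlib import Path

# Stock Linux-PAM modules plus common distribution additions. Assumed baseline for
# this example; generate the real list from the installed package (see usage note).
KNOWN_MODULES = {
    "pam_unix.so", "pam_deny.so", "pam_permit.so", "pam_env.so", "pam_limits.so",
    "pam_nologin.so", "pam_succeed_if.so", "pam_faildelay.so", "pam_motd.so",
    "pam_mail.so", "pam_keyinit.so", "pam_loginuid.so", "pam_selinux.so",
    "pam_systemd.so", "pam_sepermit.so", "pam_faillock.so", "pam_pwquality.so",
    "pam_localuser.so", "pam_lastlog.so", "pam_umask.so", "pam_wheel.so",
    "pam_rootok.so", "pam_securetty.so", "pam_sss.so", "pam_ldap.so",
    "pam_access.so", "pam_exec.so", "pam_listfile.so", "pam_shells.so",
}

# Directories from which distributions normally load PAM modules (assumed list).
EXPECTED_DIRS = (
    "/lib/security", "/lib64/security", "/usr/lib/security", "/usr/lib64/security",
    "/lib/x86_64-linux-gnu/security", "/usr/lib/x86_64-linux-gnu/security",
)

# type  control  module-path  [arguments]; control may be a bracketed expression.
PAM_LINE_RE = re.compile(
    r"^-?(?P<type>auth|account|password|session)\s+"
    r"(?P<control>\[[^\]]*\]|\S+)\s+(?P<module>\S+)(?P<args>.*)$"
)

# Constructed /etc/pam.d/sshd-style file; the unknown module and /tmp path are
# deliberate test inputs, not observed indicators.
SAMPLE_SSHD_PAM = """\
# PAM configuration for sshd (constructed sample, not from a real host)
auth       required     pam_env.so
auth       sufficient   pam_backdoor_example.so     # hypothetical unexpected module
auth       [success=1 default=ignore] pam_unix.so nullok
auth       requisite    pam_deny.so
auth       required     pam_permit.so
account    required     pam_nologin.so
@include common-account
session    required     /tmp/.cache/pam_unix.so
session    optional     pam_motd.so
"""


def parse_pam_config(text):
    """Yield one dict per module line, skipping comments, blanks and @include."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("@include"):
            continue
        m = PAM_LINE_RE.match(line)
        if m:
            entries.append({"line": lineno, "type": m["type"], "control": m["control"],
                            "module": m["module"], "args": m["args"].strip()})
    return entries


def audit_pam_config(name, text, known=KNOWN_MODULES):
    """Return findings for unknown modules and modules loaded from odd paths."""
    findings = []
    for e in parse_pam_config(text):
        mod = e["module"]
        base = mod.rsplit("/", 1)[-1]
        if "/" in mod and not any(mod.startswith(d + "/") for d in EXPECTED_DIRS):
            findings.append({"file": name, "line": e["line"], "module": mod,
                             "severity": "high",
                             "reason": "module loaded from non-standard path"})
        if base not in known:
            # auth + sufficient lets this one module grant access by itself.
            sev = "high" if (e["type"], e["control"]) == ("auth", "sufficient") else "medium"
            findings.append({"file": name, "line": e["line"], "module": mod,
                             "severity": sev,
                             "reason": "module not in known-module baseline"})
    return findings


def audit_pam_dir(pam_dir="/etc/pam.d"):
    """Audit every file in a pam.d directory on a live host."""
    findings = []
    for path in sorted(Path(pam_dir).glob("*")):
        if path.is_file():
            findings.extend(audit_pam_config(path.name, path.read_text(errors="replace")))
    return findings


if __name__ == "__main__":
    for finding in audit_pam_config("sshd", SAMPLE_SSHD_PAM):
        print(finding)
```

A module that passes this check can still have been replaced in place, so pair the configuration audit with package integrity verification of the module files themselves (`dpkg -V libpam-modules` on Debian-based systems, `rpm -V pam` on Red Hat-based ones) and with file-integrity monitoring on the security directories listed above.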