Cybercrime , Fraud Management & Cybercrime , Social Engineering

Hacking Group Conducted Espionage Campaign Targeting Telcos

McAfee: RedDelta Group Used Fake Job Website to Target Employees
Hacking Group Conducted Espionage Campaign Targeting Telcos

A hacking group used a fake Huawei careers website to lure telecommunications workers and infect the job seekers' devices with malware that could steal information, says McAfee's Advanced Threat Research Strategic Intelligence team.

See Also: Webinar | Everything You Can Do to Fight Social Engineering and Phishing

McAfee, which dubbed the campaign Operation Diànxùn, which translates from Chinese to "telecommunications," says researchers first noticed the activity in August 2020 and have spotted it as recently as last week. But the malicious website has been recently taken down.

The researchers attribute the operation to the advanced persistent threat group RedDelta, also known as Mustang Panda and TA416, which has connections to China. That's because the tactics, techniques and procedures in this campaign are similar to earlier attacks by the gang (see: Chinese Hacking Group Rebounds With Fresh Malware).

In September 2020, Recorded Future's Insikt Group noted that RedDelta's attacks at that time were in line with Chinese government interests. The attacks included several network intrusions and phishing attempts targeting the Roman Catholic Church.

"While the initial vector for the infection is not entirely clear, we believe with a medium level of confidence that victims were lured to a domain under control of the threat actor, from which they were infected with malware," wrote Thomas Roccia, a security researcher on the McAfee Advanced Threat Research team.

Using McAfee telemetry, the team identified telecommunications targets in the U.S., Southeast Asia, Europe, Germany, Vietnam and India.

"We believe with a moderate level of confidence that the motivation behind this specific campaign has to do with the ban of Chinese technology in the global 5G rollout," Roccia says. The attackers apparently are aiming to steal sensitive or secret information concerning 5G technology, he adds.

"We have no evidence of stolen information, but it is possible that the attackers could use the fake flash application installed on victims' machines to move laterally across their employers' organizations to impact other systems and resources," Roccia says.

Phishing Website

The fake domain found by McAfee drew in victims by mimicking the appearance of the employment page on Chinese telecom hardware vendor Huawei's website and using a URL - hxxp:// - that is very close to the web address for the legitimate Huawei careers page.

Once a victim was on the page, the attacker enticed them to activate a malicious Flash application that downloaded the malware onto devices. In some cases, the malicious code includes a Cobalt Strike backdoor, the report says.

If the malware was successfully downloaded, the last phase of the attack involved creating a backdoor for remote control of the victim's device through a command-and-control server and installing a Cobalt Strike Beacon, the report says.

About the Author

Doug Olenick

Doug Olenick

Former News Editor, ISMG

Olenick has covered the cybersecurity and computer technology sectors for more than 25 years. Prior to his stint as ISMG as news editor, Olenick was online editor for SC Media, where he covered every aspect of the cybersecurity industry and managed the brand's online presence. Earlier, he worked at TWICE - This Week in Consumer Electronics - for 15 years. He also has contributed to, TheStreet and Mainstreet.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.