Threat group UAT-7290, which has been tracked by Cybersecurity Researcher Cisco Talos, is comprised of suspected Chinese state-sponsored actors and targets ASIA & EASTERN EUROPE telecommunications infrastructure for espionage. In 2022 UAT-7290 began operations and has continued to develop its reconnaissance capabilities, as well as use specific families of malware such as Rush Drop, Drive Switch and Silent Raid to infiltrate its targets.
Cisco researchers claim that UAT-7290 collect information on potential targets and act as both a direct attack (i.e., espionage) actor and a provider of initial access to other threat actors.
Although most UAT-7290’s espionage has been against telecommunications providers in ASIA, it has also begun to target telecommunications providers in EASTERN EUROPE & expanded its operational scope since CA 2022.
UAT-7290 has been found to use a type of infrastructure called Operational Relay Boxes (ORB) to establish a presence on target’s networks. These ORBs are intended to provide other China-linked threat actors the opportunity to incorporate these locations into their continuing operations without being detected.
Malware Arsenal or Malware Command Centre
According to the information presented in the document associated with UAT7290, the malware arsenal is a hybrid of open-source and customised tools designed to take advantage of one-off vulnerabilities found in Edge Networking Devices. In addition to the malware previously mentioned, there are Windows-based malware developed by the same individual that resemble either RedLeaves, (BugJuice) or ShadowPad, historically attributed to state-sponsored actors from China.
The majority of UAT7290's Tools however, utilize a malware arsenal built on Linux-based platforms and includes:
1. RushDrop (ChronosRAT) - A dropper and the first step of the infection chain.
2. DriveSwitch - A secondary loader that loads the SilentRaid from the UAT7290 malware arsenal initiation chain.
3. SilentRaid (MystRodX) - A C++ implant providing Persistent, Remote Shell Execution, Port Forwarding, File Operations, and Modular Plugin Support for further expansion of the use-case for the Ransomware campaigns where operations are ongoing.
Evidence of UAT7290's attribution to other Chinese state-sponsored actors is documented in previous research, performed by QiAnXin XLab, who have classified the ChronosRAT malware as part of the same Variant CL-STA-0969 track, by Palo Alto Networks, Unit 42.
Cisco's Talos and others, have identified the presence of a backdoor known as Bulbature, to be used to convert compromised edge devices into Operational Relay Boxes. The backdoor named Bulbature was the first documented publically by Sekoia in October of 2024.
The operational evolution and overlapping infrastructure and tactics in use, help attribute UAT7290 to state-sponsored actors from China, to companies such as Stone Panda, and Red Foxtrot (Nomad Panda). This allows for possible dependencies on or collaboration of actors grouped under one umbrella, otherwise known as a broader ecosystem.
How They Get In
Threat actors will leverage Internet-connected devices to gain entry into your network using one or more of the following techniques:
1. One-day exploits
2. SSH Password Brute-force Attacks
3. Publicly available proof of concept exploit code
Rather than building their own zero-day exploits, it appears that UAT-7290 is rapidly using publicly available PoCs to cause maximum operational impact with little effort on the part of the threat actor.
Why This Is Important
The recent campaigns are indicative of a trend in which state-sponsored espionage actors are not only using intelligence-gathering techniques to obtain information from their targets, but are also leveraging elements of these campaigns to build backdoor access for themselves and other threat actors with whom they share an alliance.
Telecommunications providers and operators of critical infrastructure systems are particularly at risk from these intrusions and are therefore strongly encouraged to closely monitor edge devices, quickly apply updates and patches, and utilize anomaly-based detection techniques to detect intruders early in the attack chain.
Source: The Hacker News