China-linked advanced persistent threat (APT) groups have been intensifying their cyber campaigns against telecommunications networks in South America since 2024. These cyber adversaries have been deploying sophisticated malware across Windows, Linux, and network edge devices, according to cybersecurity insights from Cisco Talos.
Identifying the Cyber Threat Actors
The threat is primarily attributed to a group tracked as UAT-9244 by Cisco Talos, which shares tactical similarities with the FamousSparrow group. FamousSparrow itself is known to be linked with Salt Typhoon, another espionage entity with ties to China. Despite these connections, definitive evidence linking UAT-9244 directly to Salt Typhoon remains elusive.
The analysis by Cisco Talos highlights the deployment of three novel malware strains: TernDoor, PeerTime, and BruteEntry. These are used to infiltrate and control systems running varying operating systems and devices, further underlining the sophistication of these attacks.
Technical Breakdown of the Malicious Implants
TernDoor, one of the identified malware strains, specifically targets Windows systems. It uses a technique called DLL side-loading, exploiting legitimate executables to execute malicious payloads stealthily. This backdoor, in operation since November 2024, maintains persistence through scheduled tasks or registry keys and includes unique features like a Windows driver to control process states.
On the Linux front, the PeerTime backdoor introduces a peer-to-peer approach, compiled for multiple architectures such as ARM and MIPS. Its deployment involves a shell script that checks for Docker installations, subsequently executing the malware if Docker is detected. PeerTime variants, written in both C/C++ and Rust, use the BitTorrent protocol to communicate with command-and-control (C2) servers.
Network Edge Devices Under Siege
The cyber threat extends to network edge devices through the use of BruteEntry, a tool designed to transform these devices into proxy nodes. By leveraging a shell script, the attackers deploy Golang-based components to initiate brute-force attacks on various servers like Postgres and SSH. Successful intrusions report back to the C2 infrastructure, highlighting the threat’s operational focus on widespread network compromise.
Conclusion: Ongoing Vigilance Required
The persistent threat posed by these China-linked cyber operations underscores the need for ongoing vigilance and enhanced cybersecurity measures within the telecommunications sector. As cyber threats evolve, organizations must remain proactive in their defenses to safeguard critical infrastructure from sophisticated adversaries.
