An ongoing cyber espionage campaign linked to a Chinese threat actor has infiltrated telecommunications networks to conduct surveillance on government entities. This operation, attributed to the group known as Red Menshen, involves embedding persistent and stealthy access mechanisms within crucial communication infrastructures, primarily across the Middle East and Asia. Active since at least 2021, Red Menshen is also referred to as Earth Bluecrow, DecisiveArchitect, and Red Dev 18.
According to Rapid7, a cybersecurity firm, the group’s covert methods include some of the most discreet digital sleeper cells seen within telecom networks. The campaign employs a variety of sophisticated tools, such as kernel-level implants, hidden backdoors, credential-stealing utilities, and cross-platform command systems. A key component of their toolkit is a Linux backdoor known as BPFDoor.
BPFDoor: A Hidden Threat in Telecom Networks
BPFDoor distinguishes itself from traditional malware by opening no listening port and exposing no visible command-and-control channel. Instead, it leverages the Berkeley Packet Filter (BPF) to inspect network traffic directly within the kernel, activating only when it sees a specific trigger packet. This method creates an elusive backdoor inside the operating system that typical security measures do not notice.
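Because a kernel-level sniffer of this kind must hold a raw AF_PACKET socket rather than a listening TCP or UDP port, one defender-side hunt is to enumerate those sockets and the processes that own them. The script below is an added illustration, not code from the article or from Rapid7; it parses the column layout the Linux kernel prints in /proc/net/packet, maps socket inodes back to PIDs through /proc/<pid>/fd, and flags raw, ETH_P_ALL sockets whose owning process name is not on a small allowlist. The sample /proc/net/packet text, the allowlist contents, and the process names used in the test are constructed assumptions.

```python
"""Hunt for processes holding raw AF_PACKET sockets, the socket type a
kernel-sniffing backdoor such as BPFDoor needs in order to watch traffic
without a listening port.  Added example, not vendor tooling.  The column
layout matches what the Linux kernel prints in /proc/net/packet; the sample
text below is constructed so the module also runs offline."""
from __future__ import annotations

import os
import re
from dataclasses import dataclass
from typing import Callable, Iterable

ETH_P_ALL = 0x0003   # "Proto" value that asks for every frame on the interface
SOCK_RAW = 3         # "Type" value for a raw packet socket

# Constructed sample: first row is a running raw sniffer, second is a
# bound SOCK_DGRAM packet socket for a single EtherType (not a sniffer).
SAMPLE_PROC_NET_PACKET = """\
sk       RefCnt Type Proto  Iface R Rmem   User   Inode
0000000000000000 3      3    0003   2     1 0      0      28311
0000000000000000 2      2    0800   0     0 0      0      28412
"""

# Assumed allowlist of legitimate sniffers; tune for the environment.
DEFAULT_ALLOWLIST = frozenset({"tcpdump", "tshark", "dhclient", "lldpd"})


@dataclass
class PacketSocket:
    sock_type: int
    proto: int
    ifindex: int
    running: bool
    uid: int
    inode: int

    @property
    def is_raw_sniffer(self) -> bool:
        return self.sock_type == SOCK_RAW and self.proto == ETH_P_ALL and self.running


def parse_proc_net_packet(text: str) -> list[PacketSocket]:
    """Parse the /proc/net/packet table (header row skipped)."""
    sockets = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 9:
            continue
        sockets.append(PacketSocket(
            sock_type=int(fields[2]),
            proto=int(fields[3], 16),   # Proto is printed as 4 hex digits
            ifindex=int(fields[4]),
            running=fields[5] == "1",
            uid=int(fields[7]),
            inode=int(fields[8]),
        ))
    return sockets


def socket_inode_owners(proc_root: str = "/proc") -> dict[int, list[int]]:
    """Map socket inode -> PIDs whose fd table links to socket:[inode]."""
    owners: dict[int, list[int]] = {}
    pat = re.compile(r"socket:\[(\d+)\]")
    for pid in os.listdir(proc_root):
        if not pid.isdigit():
            continue
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:   # process exited, or fd table not readable by us
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            m = pat.fullmatch(target)
            if m:
                owners.setdefault(int(m.group(1)), []).append(int(pid))
    return owners


def comm_of_pid(pid: int, proc_root: str = "/proc") -> str:
    try:
        with open(os.path.join(proc_root, str(pid), "comm")) as f:
            return f.read().strip()
    except OSError:
        return "?"


def find_sniffers(text: str, owners: dict[int, list[int]],
                  comm_of: Callable[[int], str],
                  allowlist: Iterable[str] = DEFAULT_ALLOWLIST) -> list[dict]:
    """Return one finding per running raw ETH_P_ALL socket.  'known' is True
    only when every owning process name is on the allowlist."""
    allowed = set(allowlist)
    findings = []
    for s in parse_proc_net_packet(text):
        if not s.is_raw_sniffer:
            continue
        pids = owners.get(s.inode, [])
        names = [comm_of(p) for p in pids]
        findings.append({
            "inode": s.inode, "ifindex": s.ifindex, "uid": s.uid,
            "pids": pids, "comm": names,
            "known": bool(names) and all(n in allowed for n in names),
        })
    return findings


if __name__ == "__main__":
    if os.path.exists("/proc/net/packet"):
        with open("/proc/net/packet") as f:
            table = f.read()
        results = find_sniffers(table, socket_inode_owners(), comm_of_pid)
    else:   # not on Linux: demonstrate on the constructed sample
        results = find_sniffers(SAMPLE_PROC_NET_PACKET, {28311: [4242]},
                                lambda p: "sample-proc")
    for r in results:
        tag = "ok " if r["known"] else "REVIEW"
        print(f"{tag} inode={r['inode']} uid={r['uid']} pids={r['pids']} comm={r['comm']}")
```

Run as root so every /proc/<pid>/fd is readable; an unowned sniffer socket (no PIDs found) still deserves review, since the owning process may simply be hidden from the scanning user. A socket held by a process that is not a packet-capture tool the host is expected to run is the signal this hunt is built for.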
The cyber attackers begin by targeting internet-facing components such as VPNs, firewalls, and web platforms from major providers like Cisco, Juniper Networks, and Fortinet. Once access is established, the attackers deploy Linux-compatible beacon frameworks such as CrossC2 to conduct further exploitation. Additional tools like Sliver, TinyShell, and various credential-harvesting mechanisms are also utilized to facilitate movement within the network.
The Role of BPFDoor in Red Menshen’s Strategy
Central to the operations of Red Menshen is BPFDoor, which functions through two primary components. The first is a passive backdoor installed on compromised systems that inspects incoming traffic for a predefined packet and activates a remote shell upon receiving it. The second is a controller operated by the attackers, capable of sending specially formatted packets to activate implants or of opening local listeners for shell connections.
Additionally, BPFDoor artifacts support the Stream Control Transmission Protocol (SCTP), allowing the adversaries to monitor telecom-specific protocols and potentially track individuals. This capability highlights BPFDoor’s function as more than just a backdoor; it acts as an access layer deeply embedded within telecom networks, providing long-term, low-noise monitoring capabilities.
Advanced Evasion Techniques and Implications
The discovery of a new BPFDoor variant reveals advanced evasion techniques, such as concealing trigger packets within legitimate HTTPS traffic and employing novel parsing mechanisms. These features allow BPFDoor to remain undetected in modern enterprise and telecom environments for extended periods.
Moreover, this variant introduces a lightweight communication method using the Internet Control Message Protocol (ICMP) for interactions between infected hosts. These developments indicate a significant evolution in cyber adversary tactics, with attackers embedding implants deeper into computing infrastructures, targeting operating system kernels over user-space malware.
The implications of such sophisticated cyber operations are profound, underscoring the vulnerabilities within telecom environments that combine diverse technological components. As threat actors blend into legitimate services and bypass traditional endpoint monitoring, the need for enhanced cybersecurity measures becomes increasingly critical.
