Full Report
A China-nexus threat actor known as UAT-7290 has been attributed to espionage-focused intrusions against entities in South Asia and Southeastern Europe. The activity cluster, which has been active since at least 2022, primarily focuses on extensive technical reconnaissance of target organizations before initiating attacks, ultimately leading to the deployment of malware families such as RushDrop
Analysis Summary
# Threat Actor: UAT-7290
## Attribution & Identity
* **Attribution:** China-nexus threat actor.
* **Known Aliases/Associated Groups:**
* CL-STA-0969 (tracked by Palo Alto Networks Unit 42).
* Shares tactical and infrastructure overlaps with Stone Panda and RedFoxtrot (Nomad Panda).
## Activity Summary
* **Active Since:** At least 2022.
* **Primary Focus:** Espionage-focused intrusions.
* **Operational Profile:** Identified as having a dual role: performing espionage and establishing Operational Relay Box (ORB) nodes, which may be used by other China-nexus actors.
* **Recent Activity:** Initially targeted telecommunications providers but has recently branched out to strike organizations in Southeastern Europe.
* **Pre-Attack Phase:** Performs extensive technical reconnaissance of target organizations before initiating attacks.
## Tactics, Techniques & Procedures
* **Initial Access:** Exploits 1-day (n-day) vulnerabilities in popular edge networking products, apparently using publicly available proof-of-concept exploit code rather than in-house exploits, and runs target-specific SSH brute force against public-facing edge devices.
* **Reconnaissance:** Extensive technical reconnaissance prior to intrusion.
* **Privilege Escalation:** Performed post-compromise to gain higher privileges on the initial foothold.
* **Malware Deployment & Use:** Relies on a broad combination of custom and open-source malware.
* **Specific TTPs Mentioned:**
* Establishment of Operational Relay Box (ORB) nodes using the Bulbature backdoor.
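The SSH brute-force technique above leaves a distinctive trace in sshd authentication logs: a single source hammering a small set of real account names on one host, sometimes followed by an accepted login from the same source. The following detector is an added example (not tooling from the report or from Talos) that runs over constructed syslog-style lines; the threshold, window size and the assumed log year are arbitrary choices for the demonstration.

```python
"""Flag target-specific SSH brute force in OpenSSH auth logs.

Added example, not part of the original report. The log lines are
constructed, not captured, and use the classic syslog format that
lacks a year, so a year is assumed when parsing timestamps.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source tries a few plausible admin accounts on an
# edge firewall and eventually gets in; a second source fails twice an hour apart.
SAMPLE_LOG = """\
Mar  3 02:14:01 edge-fw1 sshd[2210]: Failed password for admin from 203.0.113.7 port 51000 ssh2
Mar  3 02:14:03 edge-fw1 sshd[2211]: Failed password for admin from 203.0.113.7 port 51001 ssh2
Mar  3 02:14:06 edge-fw1 sshd[2212]: Failed password for invalid user netops from 203.0.113.7 port 51002 ssh2
Mar  3 02:14:09 edge-fw1 sshd[2213]: Failed password for admin from 203.0.113.7 port 51003 ssh2
Mar  3 02:14:12 edge-fw1 sshd[2214]: Failed password for root from 203.0.113.7 port 51004 ssh2
Mar  3 02:14:15 edge-fw1 sshd[2215]: Failed password for admin from 203.0.113.7 port 51005 ssh2
Mar  3 02:15:40 edge-fw1 sshd[2230]: Accepted password for admin from 203.0.113.7 port 51010 ssh2
Mar  3 02:16:00 edge-fw1 sshd[2240]: Failed password for backup from 198.51.100.9 port 40000 ssh2
Mar  3 03:30:00 edge-fw1 sshd[2300]: Failed password for backup from 198.51.100.9 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)


def parse_line(line, year=2026):
    """Parse one sshd password-auth line; returns None for anything else.
    `year` is an assumption because syslog timestamps omit it."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "result": m["result"],
            "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return {(host, source_ip): summary} for sources whose failed logins
    reach `threshold` inside any sliding `window`. The summary lists the
    usernames tried (a short list of real accounts is the target-specific
    signature) and whether the same source later logged in successfully."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    failures = defaultdict(list)
    successes = defaultdict(set)
    for e in events:
        key = (e["host"], e["ip"])
        if e["result"] == "Failed":
            failures[key].append(e)
        else:
            successes[key].add(e["user"])

    alerts = {}
    for key, evs in failures.items():
        evs.sort(key=lambda e: e["ts"])
        best, start = 0, 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits within `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            users = sorted({e["user"] for e in evs})
            alerts[key] = {
                "failures": best,
                "users": users,
                "followed_by_success": bool(successes[key] & set(users)),
            }
    return alerts


if __name__ == "__main__":
    for (host, ip), a in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{host} <- {ip}: {a['failures']} failures, users={a['users']}, "
              f"success afterwards={a['followed_by_success']}")
```

The `followed_by_success` flag is the one to page on: a burst of failures from an Internet source is noise on most edge devices, but a burst followed by an accepted password from the same source against an account that was being guessed is a credential compromise, not an attempt.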
## Targeting
* **Sectors:** Primarily Telecommunications providers.
* **Geography:** South Asia and Southeastern Europe.
* **Victims:** Entities within the telecommunications sector in the targeted regions.
## Tools & Infrastructure
* **Linux Malware Suite:**
* RushDrop (aka ChronosRAT): Dropper that initiates the infection chain.
* DriveSwitch: Peripheral component used to execute SilentRaid.
* SilentRaid (aka MystRodX; a ChronosRAT variant): C++-based implant that establishes persistence and uses a plugin-like approach to open a remote shell, set up port forwarding, and perform file operations.
* **Windows Implants:**
* RedLeaves (aka BUGJUICE).
* ShadowPad: A backdoor exclusively associated with China-nexus groups.
* **Infrastructure Tooling:**
* Bulbature: A backdoor engineered to transform compromised edge devices into ORBs.
* **Infrastructure (C2/Relaying):** Operational Relay Box (ORB) nodes.
## Implications
UAT-7290 serves as a critical enabler for other China-nexus actors by setting up ORB infrastructure, suggesting deep integration into the Chinese cyber espionage ecosystem. Their focus on telecommunications and edge devices indicates a high-value target strategy aimed at broad network access and communication interception.
## Mitigations
* **Patch Management:** Prioritize patching n-day vulnerabilities in Internet-facing edge networking products, and treat any such vulnerability with public proof-of-concept code as already being exploited.
* **Access Control:** Harden public-facing edge devices against SSH brute force: disable password authentication in favour of key-based authentication, deny direct root login, restrict management access to known source ranges, and rate-limit or lock out repeated failures.
* **Network Defense:** Monitor for indicators of compromise associated with the Linux malware suite (RushDrop, DriveSwitch, SilentRaid). Build host-based detections for the behaviours SilentRaid exhibits: persistence, plugin loading, remote shell spawning, and port forwarding.
* **Infrastructure Monitoring:** Baseline the configuration of edge devices and alert on unexpected changes, such as new listening services or traffic-forwarding rules, that indicate the device is being repurposed as an ORB node (e.g. by the Bulbature backdoor).
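The access-control mitigation above is only effective if the sshd settings that actually reach the Internet-facing interface are the hardened ones. The audit below is an added example, not tooling from the report or from any vendor: it evaluates the global section of an OpenSSH `sshd_config` against a small policy, applying two sshd parsing rules that commonly defeat well-meant hardening (the first occurrence of a keyword wins, and directives after a `Match` line are conditional). The three configs and the policy thresholds are constructed; the defaults table reflects stock OpenSSH defaults rather than any appliance's build.

```python
"""Audit the global section of an OpenSSH sshd_config for settings that
make SSH brute force against an edge device cheap.

Added example, not from the report. Configs and thresholds are constructed;
DEFAULTS are stock OpenSSH defaults, not an appliance vendor's values.
"""
import re

DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "maxauthtries": "6",
}


def parse_global(config_text):
    """Return the effective global directives (keyword lower-cased).

    sshd applies the FIRST occurrence of a keyword, so a later
    'PasswordAuthentication no' does not override an earlier 'yes'; and
    everything after the first 'Match' line is conditional, so it is not
    part of the global policy and this audit stops there.
    """
    effective = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # sshd accepts "Keyword value" or "Keyword = value".
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        if len(parts) == 2 and key not in effective:
            effective[key] = parts[1].strip()
    return effective


def audit(config_text, max_auth_tries=3):
    """Return a list of (directive, effective value, why it matters)."""
    eff = {**DEFAULTS, **parse_global(config_text)}
    findings = []
    if eff["passwordauthentication"].lower() != "no":
        findings.append(("PasswordAuthentication", eff["passwordauthentication"],
                         "password logins are guessable; use key-based auth only"))
    if eff["kbdinteractiveauthentication"].lower() != "no":
        findings.append(("KbdInteractiveAuthentication", eff["kbdinteractiveauthentication"],
                         "keyboard-interactive still reaches PAM password prompts"))
    if eff["permitrootlogin"].lower() not in ("no", "prohibit-password", "without-password"):
        findings.append(("PermitRootLogin", eff["permitrootlogin"],
                         "root is a known username, so brute force only needs the password"))
    try:
        tries = int(eff["maxauthtries"])
    except ValueError:
        tries = None
    if tries is None or tries > max_auth_tries:
        findings.append(("MaxAuthTries", eff["maxauthtries"],
                         f"allows more than {max_auth_tries} guesses per connection"))
    return findings


# Constructed: permissive defaults. The Match block disables passwords only
# for one internal range, so the Internet-facing side still accepts them.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 10
Match Address 10.0.0.0/8
    PasswordAuthentication no
"""

# Constructed: the hardening line was appended without removing the
# original, so the first (permissive) setting is the one sshd uses.
MISORDERED_CONFIG = """\
PasswordAuthentication yes
PermitRootLogin no
KbdInteractiveAuthentication no
MaxAuthTries 3
PasswordAuthentication no
"""

HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
MaxAuthTries 3
LoginGraceTime 20
"""

if __name__ == "__main__":
    for name, cfg in [("weak", WEAK_CONFIG), ("misordered", MISORDERED_CONFIG),
                      ("hardened", HARDENED_CONFIG)]:
        print(name, "->", "clean" if not audit(cfg) else "")
        for directive, value, why in audit(cfg):
            print(f"  {directive}={value}: {why}")
```

Run it against the file an appliance actually loads (on many devices that is not `/etc/ssh/sshd_config` but a generated file), and pair the config check with `sshd -T`, which prints the effective values sshd itself computes and catches cases this parser does not model, such as `Include` directives.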