Full Report
A major telecommunications company located in Asia was allegedly breached by Chinese state-sponsored hackers who spent over four years inside its systems, according to a new report from incident response firm Sygnia. The cybersecurity company is tracking the activity under the name Weaver Ant, describing the threat actor as stealthy and highly persistent. The name of the telecom provider was not
Analysis Summary
# Incident Report: Weaver Ant Persistent Cyber Espionage Campaign Against Asian Telecom
## Executive Summary
A major, undisclosed telecommunications company in Asia was compromised by the sophisticated, state-sponsored threat actor tracked as Weaver Ant. The attackers maintained a persistent foothold for over four years, using web shells and tunneling to conduct cyber espionage and collect sensitive information. The incident highlights the threat actor's advanced evasion techniques, including in-memory execution and patching of built-in Windows security features such as Event Tracing for Windows (ETW) and the Antimalware Scan Interface (AMSI).
## Incident Details
- **Discovery Date:** Not explicitly detailed, but inferred to be recent based on the Sygnia report release.
- **Incident Date:** Began over four years prior to the report.
- **Affected Organization:** Major telecommunications company (Name undisclosed).
- **Sector:** Telecommunications.
- **Geography:** Asia.
## Timeline of Events
### Initial Access
- **Date/Time:** Over four years prior to detection.
- **Vector:** Exploitation of a public-facing application.
- **Details:** Attackers dropped two web shells: an encrypted variant of China Chopper and a previously undocumented, in-memory tool dubbed INMemory.
### Lateral Movement
- **Details:** Attackers used a recursive HTTP tunnel tool, delivered over encrypted command-and-control traffic, to reach internal hosts; lateral movement was conducted primarily over Server Message Block (SMB).
### Data Exfiltration/Impact
- **Details:** The primary goal was cyber espionage, involving the collection of sensitive information from the compromised network over the four-year period.
### Detection & Response
- **How it was discovered:** Discovered and reported by incident response firm Sygnia.
- **Response actions taken:** Not explicitly detailed, but the report notes the threat actor adapted TTPs to evade evolving network changes.
## Attack Methodology
- **Initial Access:** Exploitation of a public-facing application to deploy web shells (China Chopper variant and INMemory).
- **Persistence:** Use of web shells and tunneling to maintain continuous unauthorized access.
- **Privilege Escalation:** Not explicitly detailed, but reconnaissance identified high-privilege accounts.
- **Defense Evasion:** Patching Event Tracing for Windows (ETW) and Antimalware Scan Interface (AMSI).
- **Credential Access:** Reconnaissance against Active Directory to identify high-privilege accounts.
- **Discovery:** Executed reconnaissance commands against the Active Directory environment.
- **Lateral Movement:** Recursive HTTP tunneling to reach internal hosts, with lateral movement primarily over SMB.
- **Collection:** Gathering sensitive information for cyber espionage purposes.
- **Exfiltration:** Facilitated via encrypted traffic through the web shell tunnel.
- **Impact:** Espionage and long-term unauthorized intelligence gathering.
## Impact Assessment
- **Financial:** Not specified.
- **Data Breach:** Sensitive information related to telecommunications operations and infrastructure.
- **Operational:** Long-term unauthorized presence (4+ years) indicates significant compromise of security posture.
- **Reputational:** Potential reputational damage due to state-sponsored espionage.
## Indicators of Compromise
- **Network indicators:** Use of unauthorized recursive HTTP tunnels; traffic proxied via an Operational Relay Box (ORB) network potentially involving compromised Zyxel routers.
- **File indicators:** Encrypted China Chopper web shell; INMemory web shell (decoding and executing C# code in memory via `eval.dll`).
- **Behavioral indicators:** Loading of `System.Management.Automation.dll` to execute PowerShell without invoking `powershell.exe`; patching/disabling of the ETW and AMSI mechanisms.
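The following Python script is an added example, not code from Sygnia or from this summary. It turns two of the indicators above into detection logic over constructed telemetry: an image-load check that flags `System.Management.Automation.dll` being loaded by a process other than a known PowerShell host, and a network check that flags a source reaching many distinct hosts on TCP 445 within a short window, the fan-out pattern SMB-based lateral movement tends to produce. The event field names, the process name `webapp_worker.exe`, the IP addresses and the thresholds are all assumptions chosen for the example; tune the allowlist and thresholds to your environment.

```python
"""Detection logic for two Weaver Ant behavioral indicators over constructed telemetry.

Assumptions (not from the report): simplified Sysmon-like event records,
a PowerShell-host allowlist, and a 5-host / 300-second SMB fan-out threshold.
"""
from collections import defaultdict
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Processes legitimately expected to host the PowerShell engine (assumed allowlist).
POWERSHELL_HOSTS = {"powershell.exe", "powershell_ise.exe", "pwsh.exe"}
AUTOMATION_DLL = "system.management.automation.dll"
SMB_PORT = 445
SMB_FANOUT_THRESHOLD = 5   # distinct destination hosts on 445 within one window
WINDOW_SECONDS = 300


@dataclass
class ImageLoad:
    ts: int          # epoch seconds
    host: str        # endpoint that produced the event
    process: str     # full path of the loading process
    image: str       # full path of the loaded module


@dataclass
class NetConn:
    ts: int
    host: str
    src: str
    dst: str
    dport: int


def detect_hosted_powershell(events):
    """Return (host, process) pairs where the PowerShell engine DLL was loaded
    by a process that is not an allowlisted PowerShell host."""
    hits = []
    for e in events:
        if PureWindowsPath(e.image).name.lower() != AUTOMATION_DLL:
            continue
        proc = PureWindowsPath(e.process).name.lower()
        if proc not in POWERSHELL_HOSTS:
            hits.append((e.host, proc))
    return hits


def detect_smb_fanout(conns, threshold=SMB_FANOUT_THRESHOLD, window=WINDOW_SECONDS):
    """Return {src: max_distinct_targets} for sources that reached at least
    `threshold` distinct hosts on TCP 445 inside any `window`-second span."""
    by_src = defaultdict(list)
    for c in conns:
        if c.dport == SMB_PORT:
            by_src[c.src].append((c.ts, c.dst))
    alerts = {}
    for src, items in by_src.items():
        items.sort()                      # sliding window over time-ordered connections
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1
            distinct = {dst for _, dst in items[start:end + 1]}
            if len(distinct) >= threshold:
                alerts[src] = max(alerts.get(src, 0), len(distinct))
    return alerts


# Constructed sample telemetry (not real IoCs).
SAMPLE_LOADS = [
    ImageLoad(1000, "WS-ADMIN-02", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\assembly\GAC_MSIL\System.Management.Automation\System.Management.Automation.dll"),
    ImageLoad(1005, "SRV-WEB-01", r"C:\inetpub\bin\webapp_worker.exe",      # assumed web-server worker
              r"C:\Windows\assembly\GAC_MSIL\System.Management.Automation\System.Management.Automation.dll"),
    ImageLoad(1010, "SRV-WEB-01", r"C:\inetpub\bin\webapp_worker.exe", r"C:\Windows\System32\kernel32.dll"),
    ImageLoad(1020, "WS-ADMIN-02", r"C:\Program Files\PowerShell\7\pwsh.exe",
              r"C:\Program Files\PowerShell\7\System.Management.Automation.dll"),
]

SAMPLE_CONNS = (
    # one source touching seven distinct hosts on 445 within 60 seconds
    [NetConn(1000 + 10 * i, "SRV-WEB-01", "10.0.1.5", f"10.0.2.{10 + i}", 445) for i in range(7)]
    + [NetConn(1005, "SRV-WEB-01", "10.0.1.5", "10.0.2.10", 443),   # non-SMB, ignored
       NetConn(9000, "SRV-WEB-01", "10.0.1.5", "10.0.2.50", 445),   # outside the window
       NetConn(1000, "WS-ADMIN-02", "10.0.1.9", "10.0.2.10", 445),  # normal low fan-out
       NetConn(1020, "WS-ADMIN-02", "10.0.1.9", "10.0.2.11", 445)]
)

if __name__ == "__main__":
    print("Hosted PowerShell:", detect_hosted_powershell(SAMPLE_LOADS))
    print("SMB fan-out:", detect_smb_fanout(SAMPLE_CONNS))
```

The allowlist deliberately matches on the image basename only; in production, pair it with a path or signature check so a renamed binary cannot trivially pass. The fan-out check is a rate heuristic, so backup, inventory and patching servers will need explicit exclusions.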
## Response Actions
- **Containment measures:** Not detailed in the available reporting; containment would typically involve isolating affected systems and blocking the identified C2 and tunnel communication.
- **Eradication steps:** Not detailed; eradication would involve removal of all web shells (China Chopper, INMemory) and associated persistence mechanisms.
- **Recovery actions:** Not detailed; recovery would involve comprehensive credential resets and forensic analysis spanning the four-year intrusion timeline.
## Lessons Learned
- **Key takeaways:** Threat actors associated with China-nexus groups share tools, infrastructure, and manpower, enabling highly persistent, tailored intrusions. In-memory execution tools (such as INMemory) leave little on disk and severely complicate forensic analysis.
- **What could have been done better:** Improved monitoring for low-and-slow, in-memory threats; enhanced detection of post-exploitation techniques such as ETW/AMSI patching and PowerShell execution outside `powershell.exe`.
## Recommendations
- Implement network segmentation to limit the effectiveness of SMB-based lateral movement.
- Adopt EDR solutions capable of detecting process injection and API hooking techniques used to bypass AMSI/ETW.
- Regularly audit externally facing applications for vulnerabilities leading to remote code execution.
- Review and secure all internet-facing management interfaces (e.g., Zyxel routers) that could be used for proxying/ORB infrastructure.