Full Report
A China-linked advanced threat group named Weaver Ant spent more than four years in the network of a telecommunications services provider, hiding traffic and infrastructure with the help of compromised Zyxel CPE routers. [...]
Analysis Summary
# Threat Actor: WEAVER ANT
## Attribution & Identity
Chinese state-sponsored threat actor. Attribution is based on the use of Zyxel router models popular in specific geographic regions, the deployment of backdoors previously linked to Chinese threat groups, and activity concentrated in GMT +8 business hours.
## Activity Summary
The threat actor maintained long-term access to a victim's telecommunications network for approximately four years, conducting extensive cyber espionage operations. Their primary goal was network intelligence gathering, credential harvesting, and maintaining continuous access to telecom infrastructure.
## Tactics, Techniques & Procedures
- **Operation within Network Segments:** Used techniques enabling operations on servers across different network segments, including isolated internal servers without direct internet access.
- **Lateral Movement:** Moved laterally using Server Message Block (SMB) shares and high-privileged accounts.
- **Credential Persistence:** Exploited highly privileged accounts whose NTLM hashes/passwords remained unchanged for years, often authenticating with the NTLM hashes themselves.
- **Evasion/Stealth:** Disabled crucial security logging by patching Event Tracing for Windows (ETW), and bypassed AMSI by overwriting the `AmsiScanBuffer` function in `amsi.dll`.
- **Web-shell Tunneling:** Deployed web shells and tunneled traffic through them for command and control and data exfiltration.
- **Data Collection:** Collected configuration files, access logs, and credential data to map the network environment.
- **Initial Access Mechanism (Implied):** Used techniques facilitating payload execution from initial access points.
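As an added detection example (not code from the report or from the researchers who published it): the lateral-movement and credential-persistence items above describe NTLM network logons by privileged accounts with long-unchanged hashes, reaching several servers from one foothold. The script below runs two checks over constructed Windows Security event 4624 records and a constructed directory snapshot. The account names, hosts, the 365-day staleness threshold and the three-host fan-out threshold are assumptions for the example.

```python
"""Two checks a defender can run over Windows Security 4624 logon events:
1. NTLM network logons by privileged accounts whose password/NTLM hash is stale.
2. One account+source pair reaching many destination hosts (lateral movement).
Added example; all events and directory entries below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Reference time for password age calculations (assumed for the example).
NOW = datetime(2025, 1, 10)
STALE_DAYS = 365  # assumed rotation policy threshold

# Constructed directory snapshot: account -> (is_privileged, password_last_set).
DIRECTORY = {
    "svc_backup": (True, datetime(2019, 3, 1)),   # hash unchanged for years
    "admin_ops": (True, datetime(2024, 11, 20)),  # recently rotated
    "jdoe": (False, datetime(2024, 12, 1)),       # not privileged
}

# Constructed 4624 records collected centrally. Field names follow the real
# event schema: LogonType 3 = network logon, IpAddress = source of the logon,
# Computer = the destination host that recorded the event.
EVENTS = [
    {"EventID": 4624, "Computer": "FS-01", "TargetUserName": "svc_backup",
     "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "IpAddress": "10.20.5.17", "TimeCreated": "2025-01-10T02:14:09"},
    {"EventID": 4624, "Computer": "DB-02", "TargetUserName": "svc_backup",
     "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "IpAddress": "10.20.5.17", "TimeCreated": "2025-01-10T02:16:40"},
    {"EventID": 4624, "Computer": "APP-03", "TargetUserName": "svc_backup",
     "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "IpAddress": "10.20.5.17", "TimeCreated": "2025-01-10T02:19:02"},
    {"EventID": 4624, "Computer": "BKP-01", "TargetUserName": "svc_backup",
     "LogonType": 2, "AuthenticationPackageName": "Negotiate",
     "IpAddress": "-", "TimeCreated": "2025-01-10T08:00:00"},
    {"EventID": 4624, "Computer": "DC-01", "TargetUserName": "admin_ops",
     "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "IpAddress": "10.20.1.4", "TimeCreated": "2025-01-10T09:30:00"},
    {"EventID": 4624, "Computer": "FS-01", "TargetUserName": "jdoe",
     "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "IpAddress": "10.20.3.9", "TimeCreated": "2025-01-10T09:31:00"},
]


def suspicious_ntlm_logons(events, directory, now=NOW, stale_days=STALE_DAYS):
    """Return network logons (type 3) that used NTLM for a privileged account
    whose password has not been set within `stale_days`."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4624 or ev.get("LogonType") != 3:
            continue  # only logons that arrived over the network (SMB, RPC, ...)
        if ev.get("AuthenticationPackageName") != "NTLM":
            continue  # Kerberos is the norm in a domain; NTLM stands out
        is_priv, last_set = directory.get(ev["TargetUserName"], (False, None))
        if not is_priv or last_set is None:
            continue
        if now - last_set >= timedelta(days=stale_days):
            hits.append(ev)
    return hits


def lateral_spread(events):
    """Map (account, source IP) -> sorted list of destination hosts reached
    by network logons. One pair touching many hosts is the shape of SMB-based
    lateral movement from a single foothold."""
    spread = defaultdict(set)
    for ev in events:
        if ev.get("EventID") == 4624 and ev.get("LogonType") == 3:
            spread[(ev["TargetUserName"], ev["IpAddress"])].add(ev["Computer"])
    return {k: sorted(v) for k, v in spread.items()}


def fan_out_sources(events, min_hosts=3):
    """Only the (account, source) pairs that reached at least `min_hosts`."""
    return {k: v for k, v in lateral_spread(events).items() if len(v) >= min_hosts}


if __name__ == "__main__":
    for ev in suspicious_ntlm_logons(EVENTS, DIRECTORY):
        print("stale privileged NTLM logon:", ev["TargetUserName"],
              ev["IpAddress"], "->", ev["Computer"], ev["TimeCreated"])
    for (user, src), hosts in fan_out_sources(EVENTS).items():
        print("fan-out:", user, "from", src, "reached", hosts)
```

In practice the directory snapshot comes from the domain (the `pwdLastSet` attribute) and the events from a SIEM; both thresholds need tuning against the environment's baseline, since service accounts that legitimately use NTLM will also surface and should be reviewed rather than ignored.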
## Targeting
- Sectors: Telecommunications (Telco Network)
- Geography: Not explicitly detailed, but operating hours suggest an Asia-Pacific focus (GMT +8).
- Victims: Internal servers within a telecommunications provider network.
## Tools & Infrastructure
- **Malware Families Used:** Previously linked backdoors associated with Chinese threat groups.
- **Infrastructure (C2, domains, IPs):** Used web-shell tunneling over operational gateways that were accessible via the web to reach C2 or internal targets. Specific C2 infrastructure was not detailed in the provided text.
## Implications
Weaver Ant is a highly skilled, persistent state-sponsored actor focused on strategic espionage (network intelligence and credential gathering) rather than immediate financial gain or data theft. The four-year compromise window demonstrates sophisticated operational security and a deep commitment to long-term intelligence collection from critical infrastructure like telcos.
## Mitigations
- Apply **Internal network traffic controls** to limit lateral movement between segments.
- Implement **Least Privilege Principles** across all user accounts.
- **Frequently rotate user credentials**, specifically targeting those that use long-standing NTLM hashes.
- **Enable full logging** for IIS and PowerShell to aid detection.
- Utilize **static detection tools and known signatures** to catch the reuse of outdated or known web shell variants.
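The logging and detection mitigations above pay off only if someone reads the logs. As an added example (not from the report or its authors), the script below parses IIS W3C-format access logs and surfaces the request shape that a tunneling web shell produces: repeated POSTs to a script file that no real user visits, from one or two client addresses, with no Referer. The log lines, host names, paths, allowlist and thresholds are constructed for this example.

```python
"""Review IIS W3C access logs for web-shell-like request patterns.
Added example; the log excerpt, allowlist and thresholds are constructed."""
from collections import defaultdict

# Script extensions that a web shell would typically be dropped as.
SCRIPT_EXTS = (".aspx", ".ashx", ".asmx", ".asp", ".php", ".jsp")
# Assumed allowlist of paths that legitimately receive POSTs on this server.
KNOWN_POST_PATHS = {"/owa/auth/logon.aspx", "/api/upload.ashx"}

# Constructed IIS log excerpt. IIS writes spaces inside a User-Agent as '+',
# so every record splits cleanly on whitespace into the #Fields columns.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2025-01-10 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-01-10 02:14:09 10.20.5.5 POST /owa/auth/logon.aspx - 443 - 10.20.5.17 Mozilla/5.0+(Windows+NT+10.0) https://mail.example.internal/owa 200 0 0 15
2025-01-10 02:14:22 10.20.5.5 GET /owa/ - 443 - 10.20.5.18 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 5
2025-01-10 02:15:01 10.20.5.5 POST /aspnet_client/diag.aspx - 443 - 10.20.5.17 python-requests/2.31 - 200 0 0 230
2025-01-10 02:15:04 10.20.5.5 POST /aspnet_client/diag.aspx - 443 - 10.20.5.17 python-requests/2.31 - 200 0 0 198
2025-01-10 02:15:09 10.20.5.5 POST /aspnet_client/diag.aspx - 443 - 10.20.5.17 python-requests/2.31 - 200 0 0 1750
2025-01-10 02:15:40 10.20.5.5 POST /aspnet_client/diag.aspx - 443 - 10.20.5.17 python-requests/2.31 - 200 0 0 60
2025-01-10 03:00:00 10.20.5.5 POST /api/upload.ashx - 443 - 10.20.9.2 Mozilla/5.0+(Windows+NT+10.0) https://portal.example.internal/ 200 0 0 40
"""


def parse_iis_w3c(text):
    """Parse W3C extended log text into a list of dicts keyed by #Fields names.
    Lines whose column count does not match the header are skipped rather than
    silently misaligned."""
    fields = None
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Version, #Date)
        if fields is None:
            raise ValueError("data line encountered before a #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue
        rows.append(dict(zip(fields, values)))
    return rows


def posts_to_unexpected_scripts(rows, known=KNOWN_POST_PATHS):
    """POST requests to script files that are not on the allowlist."""
    return [
        r for r in rows
        if r["cs-method"] == "POST"
        and r["cs-uri-stem"].lower().endswith(SCRIPT_EXTS)
        and r["cs-uri-stem"].lower() not in known
    ]


def web_shell_candidates(rows, min_posts=3, max_clients=2):
    """Paths with repeated unexpected POSTs from very few clients. Returns
    path -> {"posts", "clients", "no_referer"} for the paths that cross both
    thresholds; an operator driving a shell looks like this, users do not."""
    stats = defaultdict(lambda: {"posts": 0, "clients": set(), "no_referer": 0})
    for r in posts_to_unexpected_scripts(rows):
        s = stats[r["cs-uri-stem"]]
        s["posts"] += 1
        s["clients"].add(r["c-ip"])
        if r.get("cs(Referer)", "-") == "-":
            s["no_referer"] += 1
    return {
        path: {"posts": s["posts"], "clients": sorted(s["clients"]),
               "no_referer": s["no_referer"]}
        for path, s in stats.items()
        if s["posts"] >= min_posts and len(s["clients"]) <= max_clients
    }


if __name__ == "__main__":
    rows = parse_iis_w3c(SAMPLE_LOG)
    for path, info in web_shell_candidates(rows).items():
        print(f"candidate web shell path {path}: {info}")
```

A flagged path is a lead, not a verdict: the next step is to pull that file from the web root and run it through the static signature tooling the last mitigation mentions, and to correlate the client address with the logon events from the same window. Note that an empty `cs(Referer)` column is written as `-` by IIS, which the script treats as "no Referer".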