Full Report
Researchers from Sygnia have responded to a stealthy and persistent China-linked threat actor targeting a major telecommunications company... The post Sygnia details Weaver Ant tactics in battle against China-linked cyber threats on telecoms appeared first on Industrial Cyber.
Analysis Summary
# Threat Actor: Weaver Ant
## Attribution & Identity
* **Identification:** A stealthy and persistent China-linked threat actor.
* **Aliases/Associations:** Tracked by Sygnia as **Weaver Ant**. Exhibits characteristics typical of a China-nexus targeted threat group.
## Activity Summary
Weaver Ant targeted a major telecommunications company in Asia, aiming to gain and maintain continuous access for cyber espionage and the collection of sensitive information. The group infiltrated the telecom provider using web shells, maintaining access for several years on one internal server. Remediation of the initial intrusion inadvertently exposed the operations of a second, distinct China-linked group, also tracked as Weaver Ant. The group's activity was observed primarily within the GMT+8 time zone, on regular working days, avoiding weekends and holidays.
## Tactics, Techniques & Procedures
- **Initial Access/Persistence:** Reliance on web shells, specifically variants of the **China Chopper** web shell (including versions supporting AES encryption), deployed on externally facing servers (ASPX and PHP).
- **Evasion:** Utilized **keyword-based evasion** (e.g., using "password" and "key" as parameter names) to obscure payloads from WAFs, and deployed encrypted payloads that sometimes resulted in **payload truncation**.
- **Lateral Movement/C2:** Employed **tunneling processes** to facilitate remote code execution and lateral movement.
- **Infrastructure Concealment:** Used a **non-provisioned ORB network** primarily consisting of compromised **Zyxel CPE routers** (mostly VMG3625-T20A firmware) operated by Southeast Asian telecommunication providers to proxy traffic and pivot between telecom targets.
- **Infection:** Leveraged various techniques to load **trojanized DLLs** to infect systems.
- **Re-establishment:** Attempted to regain network access after initial remediation efforts, including re-enabling a disabled service account through another service account.
- **MITRE ATT&CK IDs:** Not explicitly listed in the text, but TTPs align with initial access (T1583.001 - Web Shells) and Command and Control (T1090 - Proxy).
## Targeting
* **Sectors:** Telecommunications.
* **Geography:** Asia (specifically targeting a major telecom provider), utilizing compromised infrastructure primarily from Southeast Asian providers.
* **Victims:** A major telecommunications company in Asia.
## Tools & Infrastructure
* **Malware Families:** China Chopper web shell variants (including AES encrypted versions), Trojanized DLLs.
* **Infrastructure:**
  * Compromised **Zyxel CPE routers** (VMG3625-T20A firmware) forming an ORB network for proxying traffic.
  * Externally facing web servers hosting PHP and ASPX shells.
## Implications
Weaver Ant represents a sophisticated, state-sponsored-like threat focused on long-term cyber espionage against critical infrastructure (the telecom sector). Its years-long persistence, reliance on widely used but highly customizable malware such as the China Chopper web shell, and infrastructure built from compromised customer-premises equipment (CPE) together highlight the deep risk posed by persistent, targeted, nation-state-aligned groups.
## Mitigations
* Establish resilient defense strategies combining continuous monitoring and proactive response mechanisms.
* Implement periodic and systematic threat hunts.
* Enforce stringent traffic controls and system hardening, especially for legacy and public-facing devices.
* Minimize privileges for web-service accounts, restricting them to only essential permissions.
* Control management traffic using ACLs and firewall rules to restrict flow (especially SMB and HTTP/S) between web servers and internal systems.
* Enforce credential hygiene (implement LAPS, gMSA, or PIM for credential rotation).
* Enhance detection capabilities using EDR/XDR solutions to monitor memory for obfuscated in-memory web shells.
* Strengthen web security by fine-tuning WAFs and logging systems to detect obfuscated code signatures and behavioral patterns of threats like China Chopper.
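The evasion technique listed under Tactics (payload parameters named "password" or "key" to slip past WAF keyword rules) and the last two mitigations (tuning WAF and logging to catch obfuscated web shell traffic) can be turned into a concrete hunt over HTTP access logs. The script below is an added example, not code from Sygnia's report or from Industrial Cyber. It assumes a constructed reverse-proxy log format that records the URL-encoded POST body; the watch list beyond "password" and "key", the entropy threshold, the static-directory list and the score weights are illustrative choices of this example, not values from the report.

```python
"""Hunt for China Chopper-style web shell traffic in reverse-proxy logs.

Added example (not Sygnia's code). The log format, thresholds and weights
below are constructed for illustration.
"""
import math
import re
from collections import Counter
from dataclasses import dataclass
from urllib.parse import parse_qs

# The report notes WAF evasion by naming the payload parameter "password" or
# "key"; the remaining names are this example's own additions.
WATCHED_PARAMS = {"password", "key", "pass", "token"}
SCRIPT_EXT = (".aspx", ".php")
# Assumption: application scripts should not execute from static-content paths.
STATIC_DIRS = ("/images/", "/uploads/", "/css/", "/js/")
# Base64-looking values; '-' and '_' cover URL-safe base64 as well.
BASE64_RE = re.compile(r"^[A-Za-z0-9+/=_-]{32,}$")

# Constructed log format: "<ts> <src_ip> <method> <path> <status> [body=<urlencoded>]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})"
    r"(?: body=(?P<body>\S*))?$"
)


@dataclass
class Finding:
    line_no: int
    src: str
    path: str
    reasons: tuple
    score: int


def shannon_entropy(s: str) -> float:
    """Bits per character; a typed credential scores low, an encrypted blob high."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_like_encoded_payload(value: str) -> bool:
    """Long, base64-shaped and high-entropy: a command blob, not a password."""
    return bool(BASE64_RE.match(value)) and shannon_entropy(value) > 4.0


def parse_line(line: str):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["params"] = parse_qs(rec["body"] or "", keep_blank_values=True)
    return rec


def score_record(rec, post_counts):
    """Return (score, reasons) for one parsed request."""
    reasons, score = [], 0
    path = rec["path"].lower()
    if rec["method"] != "POST" or not path.endswith(SCRIPT_EXT):
        return 0, ()
    for name, values in rec["params"].items():
        if name.lower() in WATCHED_PARAMS and any(looks_like_encoded_payload(v) for v in values):
            reasons.append(f"encoded payload in watched parameter '{name}'")
            score += 60
    if post_counts[(rec["src"], path)] >= 3:
        reasons.append("repeated POSTs from one source to the same script")
        score += 20
    if path.startswith(STATIC_DIRS):
        reasons.append("script executed from a static-content directory")
        score += 20
    return score, tuple(reasons)


def hunt(lines, threshold: int = 60):
    """Parse all lines, then score each POST with whole-log context."""
    records = [(i, r) for i, r in ((i, parse_line(l)) for i, l in enumerate(lines, 1)) if r]
    post_counts = Counter(
        (r["src"], r["path"].lower()) for _, r in records if r["method"] == "POST"
    )
    findings = []
    for line_no, rec in records:
        score, reasons = score_record(rec, post_counts)
        if score >= threshold:
            findings.append(Finding(line_no, rec["src"], rec["path"], reasons, score))
    return findings


# Constructed sample: one benign login, three suspicious POSTs to a script in
# /images/, one benign upload. The blob is a made-up base64-shaped string.
ENCODED_BLOB = "U2FsdGVkX19kZmdoamtsbW5vcHFyc3R1dnd4eXoxMjM0NTY3ODkwYWJjZGVm"
SAMPLE_LOG = f"""\
2025-03-01T09:12:01Z 203.0.113.7 GET /index.aspx 200
2025-03-01T09:12:05Z 203.0.113.7 POST /app/login.aspx 302 body=user=jdoe&password=Summer2024%21
2025-03-01T09:13:10Z 198.51.100.23 POST /images/about.aspx 200 body=password={ENCODED_BLOB}
2025-03-01T09:13:12Z 198.51.100.23 POST /images/about.aspx 200 body=password={ENCODED_BLOB}
2025-03-01T09:13:15Z 198.51.100.23 POST /images/about.aspx 200 body=key={ENCODED_BLOB}
2025-03-01T09:14:00Z 192.0.2.9 POST /app/upload.php 200 body=key=export&file=report.pdf
"""

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG.splitlines()):
        print(f"line {f.line_no}: {f.src} -> {f.path} score={f.score} {'; '.join(f.reasons)}")
```

The design point is that none of the three signals keys on a WAF blocklist word: a legitimate login form also sends a parameter called "password", so the detector looks at the shape of the value (length, base64 alphabet, entropy), at repetition from one source against one script, and at a script living where no application code should be. Each signal alone is noisy; their combination is what pushes the constructed `/images/about.aspx` traffic over the threshold while the login and upload requests score zero. On a real deployment the same scoring can run against WAF or reverse-proxy logs that capture request bodies, with the static-directory list replaced by the site's actual layout.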