The latest report from the cybersecurity company Sygnia has revealed that an Asian telecommunications company was infiltrated by a group of hackers associated with the Chinese Communist Party (CCP) as early as four years ago. These hackers breached the company’s internal network by hacking into home routers, using multi-layered encrypted backdoors and tunneling tools to collect a large amount of sensitive information. Their attack methods were likened to Russian nesting dolls, making them difficult to detect.
According to the report released by Sygnia on Monday, the hacker group known as “Weaver Ant” infiltrated home routers manufactured by Zyxel, using them as a gateway to penetrate the internal network of a certain “major telecommunications company.” They utilized advanced encryption technologies to remain hidden within the system for four years, gathering sensitive information.
Researchers did not disclose the name of the telecommunications company that was breached, nor did they specify the country it is based in. However, the home routers used as entry points by the hackers are mostly provided by telecommunications companies in Southeast Asian countries to household users.
Sygnia determined that this operation was likely orchestrated by hackers supported by the Chinese government, based on factors such as the nature of the targets, the objectives of the attack, the hackers’ working hours, and their use of tools like “China Chopper,” a web shell commonly used by CCP hackers.
China Chopper is a tool frequently used by CCP hacker groups to remotely access victim servers and steal information. In another investigation, Sygnia discovered that a previously inactive account, which had been used by “Weaver Ant” before, was reactivated, prompting a large-scale investigation by researchers.
The investigation revealed the presence of a “variant of China Chopper” that had lain dormant on the company’s internal servers for several years. This encrypted backdoor tool supported AES encryption and could bypass Web Application Firewall (WAF) detection.
Additionally, the hackers employed a new web shell tool called “INMemory” that executes directly in memory, evading traditional antivirus and detection systems.
The report stated that the hackers targeted “major telecommunications providers in Asia,” a pattern consistent with CCP’s strategy of infiltrating regional infrastructure and collecting intelligence.
“The targeted industry and geographical location align with China’s (CCP) cyber warfare strategy,” the report stated.
Furthermore, the hacker group’s activities were primarily conducted during China’s “working hours,” with minimal to no activity observed during weekends and Chinese holidays, matching the typical work schedule of institutions within China. The hackers also exploited some system vulnerabilities commonly used by CCP hackers.
Oren Biderman, Sygnia’s Head of Incident Response, commented on the threat posed by nation-state hackers like Weaver Ant, stating that they are highly dangerous and persistent in infiltrating critical infrastructure to gather as much information as possible before being detected.
“Weaver Ant has been active in the compromised network for over four years; even after multiple cleanup operations, they continue to persist. They adapt their tactics based on changes in the network environment, maintaining access and collecting sensitive information,” he said.
Sygnia highlighted that the web shell tool designed by Weaver Ant featured high levels of concealment with multiple layers of encoding and encryption mechanisms, making it challenging for defense systems to recognize its true functionality.
The malicious module contained within INMemory is compressed, encoded, and only unpacked and loaded into memory at runtime. This means that the entire attack process leaves virtually no file traces, making it difficult for antivirus software and log records to detect.
Sygnia pointed out that the attack actions of Weaver Ant resemble Russian nesting dolls, with malicious programs being layered and encrypted, requiring specific backdoors to decrypt each layer before releasing the next wave of attack modules.
This design is extremely covert, requiring significant resources for researchers to painstakingly trace its behavior layer by layer. Despite Sygnia conducting a comprehensive cleanup operation, monitoring shows that Weaver Ant is still attempting to re-enter the telecommunications company’s network.
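As an added illustration (not code from Sygnia's report, and not the real INMemory or China Chopper format), the following Python wraps a constructed marker string in several base64/zlib layers and shows why a content signature that matches the inner body never fires on the outer layer, and how an analyst peels the layers back to see what would actually be loaded; the layer types, depth and marker string are assumptions.

```python
import base64
import binascii
import zlib

# Constructed sample: a harmless marker standing in for a module body. The real
# tooling's layering is not public on this page; this structure is illustrative only.
INNER_MARKER = b"MARKER: module body would be loaded here"
MAX_UNPACKED_BYTES = 10_000_000  # guard against decompression bombs while peeling


def wrap_layers(data: bytes, layers: int) -> bytes:
    """Build the constructed sample: `layers` rounds of zlib-compress then base64-encode."""
    for _ in range(layers):
        data = base64.b64encode(zlib.compress(data))
    return data


def peel_layers(blob: bytes, max_depth: int = 16):
    """Iteratively strip base64 / zlib layers.

    Returns (innermost bytes, list of layer names in the order they were removed).
    Stops when no recognised layer remains, depth is exhausted, or output grows too large.
    """
    chain = []
    current = blob
    for _ in range(max_depth):
        # Strict base64 first, so arbitrary text is not mistaken for an encoding layer.
        try:
            decoded = base64.b64decode(current, validate=True)
            if decoded:
                chain.append("base64")
                current = decoded
                continue
        except (binascii.Error, ValueError):
            pass
        # Then a zlib compression layer.
        try:
            current = zlib.decompress(current)
            chain.append("zlib")
            if len(current) > MAX_UNPACKED_BYTES:
                break
            continue
        except zlib.error:
            pass
        break  # nothing left to peel
    return current, chain


def signature_hits(blob: bytes, pattern: bytes = b"MARKER: module") -> bool:
    """Naive content signature, as a WAF or AV string rule would apply it to the raw blob."""
    return pattern in blob
```

Running `signature_hits(wrap_layers(INNER_MARKER, 3))` returns False while the same check on the peeled result returns True, which is the gap the layering exploits and the reason analysts unpack to the innermost layer before deciding what a sample does.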
Sygnia stated that they are actively monitoring the group’s latest actions and are expected to release subsequent reports exposing their upgraded tools and techniques.
