
New espionage-driven threat group targets Middle East telcos

SentinelOne researchers revealed that WIP26 is using public cloud infrastructure for distributing malware, storing stolen data, and as a command-and-control centre

Middle East telecommunications companies are being targeted by a new cyber-espionage campaign by an unknown threat actor. This follows a pattern of similar attacks on telecom organisations in multiple countries over the past few years.

The campaign has been identified by SentinelOne as WIP26, a name given to activity that cannot be attributed to a specific cyber-attack group.

In their report, SentinelOne researchers revealed that WIP26 is using public cloud infrastructure for distributing malware, storing stolen data, and as a command-and-control centre. This is a common tactic among threat actors: because traffic to well-known cloud services looks legitimate, it helps them avoid detection and makes their activity on compromised networks harder to spot.

“The WIP26 activity is a relevant example of threat actors continuously innovating their TTPs in an attempt to stay stealthy and circumvent defences,” the company said in its report.

“The use of public Cloud infrastructure for malware hosting, data exfiltration, and C2 purposes aims at making malicious traffic look legitimate. This gives attackers the opportunity to conduct their activities unnoticed.”

Middle East telcos – a prime target

SentinelOne observed a series of attacks that targeted specific individuals within telecom companies in the Middle East. These attacks typically began with WhatsApp messages containing a Dropbox link to an archive file. The archive purported to contain information on poverty-related topics, but it also included a malware loader.

When users clicked on the link, two backdoors were installed on their devices. The first backdoor, known as CMD365, used a Microsoft 365 Mail client as its C2, while the second backdoor, called CMDEmber, used a Google Firebase instance for the same purpose.

According to SentinelOne, the backdoors were used by the attacker, dubbed WIP26, for a range of purposes, including conducting reconnaissance, elevating privileges, deploying additional malware, and stealing private browser data, high-value system information, and other data. The security vendor noted that much of the data collected by both backdoors suggests that the attacker is preparing for a future attack.
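Because the C2 traffic here goes to Microsoft 365 and Google Firebase endpoints, blocking or reputation-scoring the destination domain is not an option; the practical detection lever is context, i.e. which process is talking to the service and whether it does so on a machine-like schedule. The following is an added illustration of that hunting logic, not code from SentinelOne's report or from the backdoors themselves. The log format, host and process names, the per-service process allowlist and the jitter threshold are all constructed placeholders that would need to be replaced with a baseline from the real environment.

```python
"""Hunt for legitimate cloud services (Microsoft Graph, Firebase) being used as
C2 by looking at process context and beacon periodicity rather than domain
reputation. Added example; all data and thresholds are constructed."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample of "timestamp host process destination" records, in a
# hypothetical format such as a proxy or EDR network-connection export.
SAMPLE_LOG = """\
2023-02-10T09:00:00 ws-17 outlook.exe graph.microsoft.com
2023-02-10T09:00:05 ws-17 chrome.exe demo-project.firebaseio.com
2023-02-10T09:07:41 ws-17 outlook.exe graph.microsoft.com
2023-02-10T09:31:12 ws-17 chrome.exe demo-project.firebaseio.com
2023-02-10T09:00:00 ws-42 update_helper.exe graph.microsoft.com
2023-02-10T09:01:00 ws-42 update_helper.exe graph.microsoft.com
2023-02-10T09:02:00 ws-42 update_helper.exe graph.microsoft.com
2023-02-10T09:03:01 ws-42 update_helper.exe graph.microsoft.com
2023-02-10T09:04:00 ws-42 update_helper.exe graph.microsoft.com
2023-02-10T09:05:00 ws-42 update_helper.exe graph.microsoft.com
2023-02-10T10:00:00 ws-09 svcmon.exe demo-project.firebaseio.com
2023-02-10T10:05:00 ws-09 svcmon.exe demo-project.firebaseio.com
2023-02-10T10:10:00 ws-09 svcmon.exe demo-project.firebaseio.com
2023-02-10T10:15:00 ws-09 svcmon.exe demo-project.firebaseio.com
2023-02-10T10:20:00 ws-09 svcmon.exe demo-project.firebaseio.com
"""

# Cloud services worth watching and the processes expected to reach them.
# Placeholder allowlist: in practice this comes from baselining the estate.
WATCHED_SERVICES = {
    r"(^|\.)graph\.microsoft\.com$": {"outlook.exe", "teams.exe", "onedrive.exe",
                                      "msedge.exe", "chrome.exe"},
    r"\.firebaseio\.com$": {"chrome.exe", "msedge.exe", "firefox.exe"},
}

MIN_CONNECTIONS = 5      # enough samples before judging periodicity
MAX_JITTER_RATIO = 0.05  # stdev/mean of gaps below this looks machine-driven


def parse_log(text):
    """Turn the raw text into (timestamp, host, process, destination) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, proc, dest = line.split()
        records.append((datetime.fromisoformat(ts), host, proc.lower(), dest.lower()))
    return records


def matched_service(dest):
    """Return the allowlist for a watched service, or None if not watched."""
    for pattern, allowed in WATCHED_SERVICES.items():
        if re.search(pattern, dest):
            return allowed
    return None


def hunt(records):
    """Return sorted (reason, host, process, destination) findings."""
    findings = set()
    by_key = defaultdict(list)
    for ts, host, proc, dest in records:
        allowed = matched_service(dest)
        if allowed is None:
            continue
        by_key[(host, proc, dest)].append(ts)
        # Heuristic 1: a process that has no business talking to this service.
        if proc not in allowed:
            findings.add(("unexpected_process", host, proc, dest))
    # Heuristic 2: near-constant intervals between connections (beaconing).
    for (host, proc, dest), times in by_key.items():
        if len(times) < MIN_CONNECTIONS:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean < MAX_JITTER_RATIO:
            findings.add(("periodic_beacon", host, proc, dest))
    return sorted(findings)


if __name__ == "__main__":
    for finding in hunt(parse_log(SAMPLE_LOG)):
        print(*finding)
```

In the constructed sample, the user's browser and mail client on ws-17 reach both services at irregular, human-paced intervals and are not flagged, while the unfamiliar processes on ws-42 and ws-09 trip both heuristics. Either heuristic alone produces noise (updaters beacon legitimately, and allowlists are never complete), so in practice a hit on both, or one hit plus other context such as a recent archive download from a file-sharing site, is what merits an analyst's attention.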

“The initial intrusion vector we observed involved precision targeting,” said SentinelOne.

“Further, the targeting of telecommunication providers in the Middle East suggests the motive behind this activity is espionage-related.”

Over the last few years, telecom companies have been targeted by numerous threat actors, including WIP26. This has led security experts to highlight the heightened interest among cybercriminals in stealing customer data and hijacking mobile devices. However, cyberespionage and surveillance have been the primary motivations for most attacks on telecommunications providers.