A previously unknown threat actor is targeting telecommunications companies in the Middle East in what appears to be a cyber-espionage campaign similar to many that have hit telecom organizations in multiple countries in recent years.
Researchers from SentinelOne who spotted the new campaign said they're tracking it as WIP26, a designation the company uses for activity it has not been able to attribute to any specific cyberattack group.
In a report this week, they noted that they had observed WIP26 using public cloud infrastructure to deliver malware and store exfiltrated data, as well as for command-and-control (C2) purposes. The security vendor assessed that the threat actor is using the tactic — like many others do these days — to evade detection and make its activity harder to spot on compromised networks.
"The WIP26 activity is a relevant example of threat actors continuously innovating their TTPs [tactics, techniques and procedures] in an attempt to stay stealthy and circumvent defenses," the company said.
Targeted Mideast Telecom Attacks
The attacks that SentinelOne observed usually began with WhatsApp messages directed at specific individuals within target telecom companies in the Middle East. The messages contained a link to an archive file in Dropbox that purported to contain documents on poverty-related topics pertinent to the region. But in reality, it also included a malware loader.
Users tricked into clicking on the link ended up having two backdoors installed on their devices. SentinelOne found one of them, tracked as CMD365, using a Microsoft 365 Mail client as its C2, and the second backdoor, dubbed CMDEmber, using a Google Firebase instance for the same purpose.
The security vendor described WIP26 as using the backdoors to conduct reconnaissance, elevate privileges, deploy addition malware — and to steal the user's private browser data, information on high-value systems on the victim's network, and other data. SentinelOne assessed that a lot of the data that both backdoors have been collecting from victim systems and network suggest the attacker is prepping for a future attack.
"The initial intrusion vector we observed involved precision targeting," SentinelOne said. "Further, the targeting of telecommunication providers in the Middle East suggests the motive behind this activity is espionage-related."
Telecom Companies Continue to Be Favorite Espionage Targets
WIP26 is one of many threat actors that have targeted telecom companies over the past few years. Some of the more recent examples — like a series of attacks on Australian telecom companies such as Optus, Telestra, and Dialog — were financially motivated. Security experts have pointed to those attacks as a sign of increased interest in telecom companies among cybercriminals looking to steal customer data, or to hijack mobile devices via so-called SIM swapping schemes.
More often though, cyberespionage and surveillance have been primary motivations for attacks on telecommunications providers. Security vendors have reported several campaigns where advanced persistent threat groups from countries like China, Turkey, and Iran have broken into a communication provider's network so they could spy on individuals and groups of interest to their respective governments.
One example is Operation Soft Cell, where a China-based group broke into the networks of major telecommunications companies around the world to steal call data records so they could track specific individuals. In another campaign, a threat actor tracked as Light Basin stole Mobile Subscriber Identity (IMSI) and metadata from the networks of 13 major carriers. As part of the campaign, the threat actor installed malware on the carrier networks that that allowed it to intercept calls, text messages, and call records of targeted individuals.