Microsoft: Mystery Group Targeting Telcos Linked to Chinese APTs

Analysis shows evidence the previously unknown Sandman group shares backdoor malware with various Chinese APT groups.

Chinese map on motherboard to illustrate China cybercrime
Source: imageBROKER.com GmbH & Co. KG via Alamy Stock Photo

Common malware has led a group of researchers to link the once mysterious Sandman threat group, known for cyberattacks against telecom service providers across the world, to a growing web of Chinese government-backed advanced persistent threat (APT) groups.

The threat intelligence assessment is the result of a collaboration between Microsoft, SentinelLabs, and PwC, and offers just a small glimpse into the general complexity and breadth of the Chinese APT threat landscape, according to the researchers.

Sandman was first identified in August, following a series of cyberattacks on telcos across the Middle East, Western Europe, and South Asia, which notably used a backdoor called "LuaDream" based on the Lua programming language, as well as a backdoor called "Keyplug," implemented in C++.

However, SentinelOne said its analysts weren't able to identity the threat group's origins — until now.

"The samples that we analyzed do not share straightforward indicators that would confidently classify them as closely related or originating from the same source, such as use of identical encryption keys or direct overlaps in implementation," the new research found. "However, we observed indicators of shared development practices and some overlaps in functionalities and design, suggesting shared functional requirements by the operators. This is not uncommon in the Chinese malware landscape."

The new report says Lua development practices, as well as adoption of the Keyplug backdoor, appear to have been shared with China-based threat actor STORM-08/Red Dev 40, similarly known for targeting telcos in the Middle East and South Asia.

The report added that a Mandiant team first reported the Keyplug backdoor being used by the known Chinese group APT41 back in March 2022. In addition, Microsoft and PwC teams found the Keyplug backdoor was being passed around multiple additional Chinese-based threat groups, the report added.

The latest Keyplug malware gives the group a new advantage, according to the researchers, with new obfuscation tools.

"They distinguish STORM-0866/Red Dev 40 from the other clusters based on specific malware characteristics, such as unique encryption keys for KEYPLUG command-and-control (C2) communication, and a higher sense of operational security, such as relying on cloud-based reverse proxy infrastructure for hiding the true hosting locations of their C2 servers," according to the report.

Analysis of the C2 setup and both LuaDream and Keyplug malware strains showed overlaps, "suggesting shared functional requirements by their operators," the researchers added.

Growing, effective collaboration between an expanding maze of Chinese APT groups requires similar knowledge-sharing among the cybersecurity community, the report added.

"Its constituent threat actors will almost certainly continue to cooperate and coordinate, exploring new approaches to upgrade the functionality, flexibility, and stealthiness of their malware," the report said. "The adoption of the Lua development paradigm is a compelling illustration of this. Navigating the threat landscape calls for continuous collaboration and information sharing within the threat intelligence research community."

About the Author

Becky Bracken, Senior Editor, Dark Reading

Dark Reading

Becky Bracken is a veteran multimedia journalist covering cybersecurity for Dark Reading.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights