State-sponsored Threat Actors Conduct Espionage Campaign in Southeast Asian Telecommunications Networks


VTA-004529 – State-sponsored Threat Actors Conduct Espionage Campaign in Southeast Asian Telecommunications Networks

An espionage campaign targeting telecommunications organizations in Southeast Asia, tracked as CL-STA-0969, was discovered. The threat actors used SSH brute forcing for initial access and maintained remote control over their victims’ networks through several backdoor and tunnelling scripts.

Over 10 months, the attackers remained concealed in these networks through careful operational security, removing traces of their activity, including logs and tools. Despite having remote access and deploying tools capable of collecting location data from mobile devices, no evidence of data exfiltration or of communication between the attackers and devices within the network was found, possibly because of this meticulous OPSEC.

After the initial compromise of an internal server through brute forcing, the attackers moved laterally through the network using credentials harvested with the AuthDoor PAM module. From there they set up their backdoor with tunnelling software to bypass firewall restrictions, and escalated privileges to wipe evidence of their activity.

Attackers in this campaign used a wide variety of public and custom tools associated with different groups of known threat actors. Security researchers noted that the threat actor had a “deep understanding of telecommunications protocols and infrastructure,” and their techniques “revealed a calculated effort to remain stealthy.”

Severity:
Medium

Attack Surface:
Endpoint, Infrastructure, Remote Access Service

Tactics:
Command and Control, Credential Access, Defense Evasion, Discovery, Initial Access, Lateral Movement, Persistence, Reconnaissance

Techniques:
T1110.001 – Password Guessing
T1059.004 – Unix Shell
T1070.001 – Clear Windows Event Logs
T1556.003 – Pluggable Authentication Modules
T1016 – System Network Configuration Discovery
T1021.004 – SSH
T1572 – Protocol Tunneling

Indicators of Compromise:
1. https://otx.alienvault.com/pulse/688f374eb4b65760f66ebfc6

References:
1. https://unit42.paloaltonetworks.com/infiltration-of-global-telecom-networks/
2. https://thehackernews.com/2025/08/cl-sta-0969-installs-covert-malware-in.html?m=1

SuperPRO’s Threat Countermeasures Procedures:
1. Enforce Strong Password Policies: Enforce password policies that prevent SSH brute force attacks from succeeding as a means of initial access.
2. Monitor Logons: Monitor for suspicious logons via SSH.
3. Monitor Installations: Monitor user downloads for suspicious software and scripts related to reconnaissance and tunnelling.
4. Monitor Network Traffic: Monitor traffic for signs of tunnelling.
5. Deploy EDR: Deploy advanced EDR solutions capable of detecting unknown or custom malware.
6. Update and Patch Systems: Update and patch UNIX systems to prevent the privilege escalation techniques used in the campaign.
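As an added illustration of countermeasures 1 and 2 (not part of the advisory or the cited reports), the following script parses sshd authentication log lines and flags a source that logged a burst of failed logins followed by a successful password login, the pattern behind the T1110.001 initial access described above. The log lines, host names, and IP addresses are constructed sample data; the failure threshold is an assumed tuning value.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines (not from the advisory): a burst of
# failures from one source followed by a password success, then benign noise.
SAMPLE_LOG = """\
Aug 01 02:10:01 gw1 sshd[4011]: Failed password for root from 203.0.113.7 port 50122 ssh2
Aug 01 02:10:02 gw1 sshd[4012]: Failed password for invalid user admin from 203.0.113.7 port 50130 ssh2
Aug 01 02:10:03 gw1 sshd[4013]: Failed password for root from 203.0.113.7 port 50141 ssh2
Aug 01 02:10:04 gw1 sshd[4014]: Failed password for root from 203.0.113.7 port 50150 ssh2
Aug 01 02:10:05 gw1 sshd[4015]: Failed password for oracle from 203.0.113.7 port 50162 ssh2
Aug 01 02:10:07 gw1 sshd[4016]: Accepted password for root from 203.0.113.7 port 50170 ssh2
Aug 01 02:11:00 gw1 sshd[4020]: Accepted publickey for ops from 198.51.100.9 port 40001 ssh2
Aug 01 02:12:00 gw1 sshd[4021]: Failed password for ops from 198.51.100.9 port 40002 ssh2
"""

# Matches the standard OpenSSH "Accepted/Failed <method> for [invalid user] <user> from <src>" lines.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

def parse_sshd(text):
    """Yield (result, method, user, src) for each recognised sshd auth line."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("result"), m.group("method"), m.group("user"), m.group("src")

def find_bruteforce_successes(text, threshold=5):
    """Return {src: (failures_before_success, user)} for each source that
    accumulated at least `threshold` failed logins and then succeeded with a
    password (a brute-force success, MITRE T1110.001). Key-based logins are
    not counted as guessed credentials. `threshold` is an assumed tuning value."""
    failures = defaultdict(int)
    hits = {}
    for result, method, user, src in parse_sshd(text):
        if result == "Failed":
            failures[src] += 1
        elif method == "password" and failures[src] >= threshold:
            hits[src] = (failures[src], user)
            failures[src] = 0  # reset so a later burst is reported separately
    return hits

if __name__ == "__main__":
    for src, (n, user) in find_bruteforce_successes(SAMPLE_LOG).items():
        print(f"ALERT {src}: {n} failed logins then password success as {user}")
```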

Contributed by: Esther