Chinese Hackers Remained Inside an Asian Telecom Firm for 4+ Years

A shocking discovery has been made by cybersecurity vendor Sygnia, revealing that a suspected Chinese hacking group, known as Weaver Ant, remained undetected inside a major Asian telecommunications firm for over four years. The revelation comes at a time when cybersecurity experts are sounding the alarm about the growing threat of state-sponsored hackers and their increasing sophistication.

According to Sygnia, Weaver Ant infiltrated the telecom company by exploiting vulnerabilities in Zyxel CPE series home routers. Once inside, the group installed web shells, malicious scripts that gave it a backdoor for maintaining remote access to compromised web servers at the telecom provider. The web shells evaded detection for so long in part because they delivered their payloads in request parameters named with keywords such as "password," "key," and "pass."

Many web application firewalls are programmed to automatically redact or mask these values in network logs, making it difficult to monitor or analyze the transferred data. To further obscure its activities, Weaver Ant would also transmit payloads to the web shells that exceeded the character limit supported by the firewall, leading to the truncation of logged data. This limitation prevented a complete forensic reconstruction of the payload, further complicating the investigation.
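A defender-side hunting script, added here as an illustration and not part of Sygnia's report or tooling, that flags the two logging gaps just described on constructed sample log lines: credential-like parameters redacted on a path that is not a login endpoint, and request bodies larger than what the WAF keeps in its log. The JSON field names, the "[REDACTED]" marker, the 4096-byte capture limit and the log lines themselves are all assumptions.

```python
"""Hunt for web-shell traffic hidden behind WAF log redaction and truncation."""
import json

# Assumed WAF behaviour: values of credential-like parameters are replaced
# with "[REDACTED]" in the log, and request bodies are captured only up to
# BODY_CAPTURE_LIMIT bytes (both are assumptions, not from the report).
REDACTED_KEYS = {"password", "key", "pass"}
BODY_CAPTURE_LIMIT = 4096

# Constructed sample log lines (one JSON record per line); not real telemetry.
SAMPLE_LOGS = """
{"ts":"2024-05-01T09:12:03Z","src":"10.0.5.21","method":"POST","path":"/login","content_length":88,"params":{"user":"alice","password":"[REDACTED]"},"status":302}
{"ts":"2024-05-01T09:15:44Z","src":"10.0.9.7","method":"POST","path":"/static/img/help.aspx","content_length":6120,"params":{"key":"[REDACTED]"},"status":200}
{"ts":"2024-05-01T09:16:10Z","src":"10.0.9.7","method":"POST","path":"/static/img/help.aspx","content_length":5900,"params":{"pass":"[REDACTED]"},"status":200}
{"ts":"2024-05-01T09:20:00Z","src":"10.0.5.30","method":"GET","path":"/index.html","content_length":0,"params":{},"status":200}
""".strip().splitlines()


def suspicious_reasons(rec, login_paths):
    """Return the reasons a single parsed request looks like hidden web-shell traffic."""
    reasons = []
    masked = [k for k, v in rec["params"].items()
              if k.lower() in REDACTED_KEYS and v == "[REDACTED]"]
    # A credential-like field is expected on a login endpoint, not on an
    # arbitrary server-side script sitting under a static content path.
    if masked and rec["path"] not in login_paths:
        reasons.append("redacted parameter outside login endpoint")
    # A body larger than the WAF's capture limit is truncated in the log, so
    # the real payload cannot be reconstructed from the log alone.
    if rec["content_length"] > BODY_CAPTURE_LIMIT:
        reasons.append("body exceeds log capture limit")
    return reasons


def hunt(lines, login_paths=frozenset({"/login"})):
    """Parse JSON log lines and return (path, src, reasons) for flagged requests."""
    hits = []
    for line in lines:
        rec = json.loads(line)
        reasons = suspicious_reasons(rec, login_paths)
        if reasons:
            hits.append((rec["path"], rec["src"], reasons))
    return hits


if __name__ == "__main__":
    for path, src, reasons in hunt(SAMPLE_LOGS):
        print(f"{src} -> {path}: {'; '.join(reasons)}")
```

Requests to the legitimate login endpoint with a redacted password and a small body are not flagged, while repeated large, redacted posts to a script under a static path are.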

The incident is the latest case of suspected Chinese hackers breaching a company's network and remaining undetected for long stretches of time, free to poke around sensitive data. Earlier this month, security vendor Dragos detailed a separate breach involving Chinese hackers sitting inside a Massachusetts public utility company for around 300 days.

Ironically, Sygnia uncovered Weaver Ant's activities while working to stop a separate Chinese hacking group that had been inside the telecommunications firm's network. The remediation efforts unintentionally disabled an account that Weaver Ant was using. Weaver Ant then re-enabled the account, which raised a red flag. "Upon investigation, Sygnia determined that the account had been previously used by Weaver Ant," the company said.

"Notably, the activity originated from a server that had not been previously identified as compromised. This prompted a large-scale forensic investigation." To stop Weaver Ant, Sygnia used a monitoring process to automate the decryption of the traffic coming through the Chinese hacking group's web shells. This led the company to identify "a large-scale operation with persistency mechanisms deployed on tens of servers," it said.

Sygnia attributes the intrusion to Chinese hackers because the tools and web shells they used were previously connected to other Chinese hacking groups. Weaver Ant also operates during business hours in the China time zone, which is a deliberate attempt to avoid detection.

This incident comes after at least nine US telecom firms were hit by "Salt Typhoon" hackers last year. Those hackers targeted specific, unnamed individuals who were "primarily involved in government or political activity," officials said. The growing threat of state-sponsored hackers highlights the need for increased vigilance and cooperation between governments, industries, and cybersecurity experts to combat this evolving threat.