State-Sponsored Attack Targets Southeast Asian Telecommunications

Telecommunications organizations in Southeast Asia are facing a significant threat from a state-sponsored hacking group known as CL-STA-0969, according to a report by Palo Alto Networks Unit 42. The group has been linked to multiple cyber incidents aimed at critical telecommunications infrastructure across the region from February to November 2024.

The intrusions relied on a set of custom tools for establishing and keeping remote access to compromised networks, alongside Cordscan, a tool capable of collecting location data from mobile devices. Despite the sophistication of the tradecraft, Unit 42 found no evidence of data exfiltration from the compromised systems. Unit 42 researchers Renzon Cruz, Nicolas Bareil, and Navin Thomas emphasized that the threat actor maintained high operational security, employing defense evasion techniques to avoid detection.

CL-STA-0969 is believed to share significant overlaps with another hacking group known as Liminal Panda, which itself has been involved in espionage campaigns against telecommunications entities in South Asia and Africa since at least 2020. This connection highlights the potential for broader regional security implications, as Liminal Panda is known for its intelligence-gathering objectives from organizations in the telecommunications sector.

The report notes that some of Liminal Panda's tradecraft has also been linked to LightBasin, a group active since 2016 and reportedly focused on the telecom sector, which further complicates attribution of this activity. In light of these overlapping campaigns, the researchers underscored the need for defensive measures that account for the tooling and access techniques shared across these clusters rather than for any single actor.

In their investigations, the researchers identified a range of malicious software, including the backdoors AuthDoor and GTPDOOR, built for the Linux-based systems and protocols found in telecom networks. These tools allow the threat actors to maintain persistent access while clearing logs and executing commands on the compromised hosts. Such operational discipline enables CL-STA-0969 to remain under the radar while continuing its cyber operations.
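The log-clearing behaviour described above leaves host-side traces that a defender can look for. The following is an added example written for this article, not code from Unit 42 or from the CL-STA-0969 toolset: it scans reconstructed command lines (assumed to come from auditd EXECVE records or a similar process-execution log) for common log-wiping patterns, and compares two file-size snapshots of /var/log to spot files that shrank. The command lines and sizes are constructed sample data, not from a real incident.

```python
"""Flag signs of log clearing on a Linux host (illustrative example)."""
import re
from typing import Dict, List

# Shell idioms that commonly appear when an intruder wipes their traces.
LOG_WIPE_PATTERNS = [
    re.compile(r"\bhistory\s+-c\b"),             # clear shell history
    re.compile(r"\bunset\s+HISTFILE\b"),         # stop history from being written
    re.compile(r"\bshred\b.*\s/var/log/"),       # overwrite a log file
    re.compile(r"\b(rm|truncate)\b.*\s/var/log/"),
    re.compile(r">\s*/var/log/\S+"),             # redirection that empties a log
    re.compile(r"\b(utmpdump|wtmpclean)\b"),     # login-record editing tools
]

# Constructed sample: reconstructed argv strings from a process-execution log.
SAMPLE_EXECVE = [
    "ls -la /var/log",
    "history -c",
    "sh -c 'cat /dev/null > /var/log/wtmp'",
    "tar czf /tmp/x.tgz /etc",
    "shred -u /var/log/auth.log",
]

# Constructed sample: sizes (bytes) of log files at two points in time.
BEFORE = {"/var/log/wtmp": 48000, "/var/log/auth.log": 120000, "/var/log/syslog": 900000}
AFTER = {"/var/log/wtmp": 0, "/var/log/auth.log": 120400, "/var/log/syslog": 910000}


def suspicious_commands(records: List[str]) -> List[str]:
    """Return the command lines that match at least one log-wiping pattern."""
    hits = []
    for rec in records:
        if any(pat.search(rec) for pat in LOG_WIPE_PATTERNS):
            hits.append(rec)
    return hits


def shrunk_logs(before: Dict[str, int], after: Dict[str, int]) -> List[str]:
    """Return log paths whose size decreased between the two snapshots.

    Logs normally only grow between rotations, so a drop that does not line up
    with logrotate is worth a look; rotation itself is not modelled here.
    """
    return sorted(p for p, size in after.items() if p in before and size < before[p])


if __name__ == "__main__":
    for cmd in suspicious_commands(SAMPLE_EXECVE):
        print("suspicious command:", cmd)
    for path in shrunk_logs(BEFORE, AFTER):
        print("log shrank:", path)
```

The size check produces false positives at every log rotation, so in practice it should be correlated with logrotate's schedule or restricted to files that are not rotated (wtmp and btmp on many distributions). The pattern list is deliberately short; the point is the two signals, tampering commands and unexpected shrinkage, rather than completeness.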

With the threat landscape continuously evolving, the researchers stress the importance of vigilance and proactive defense. CL-STA-0969's operations underscore how closely telecom security is tied to national security, and they urge telecom operators to prioritize robust security practices.