China’s RedMike hackers taking aim at telcos via flaws in Cisco gear – Go Health Pro

A notorious state-sponsored Chinese hacking crew has set its sights on U.S. telecommunications companies. Known as RedMike, the group has continued operating despite law enforcement efforts to cripple its back-end infrastructure and halt its cyberattacks. The latest round of attacks targets known flaws in Cisco devices, and administrators are advised to examine and update all internet-facing network appliances.

Researchers with the Recorded Future Insikt Group said the crew was recently found launching attacks on telecommunications providers around the world, including in the U.S. RedMike has also set its sights on universities around the world. Observed targets include Argentina, Bangladesh, Indonesia, Malaysia, Mexico, the Netherlands, Thailand, the United States, and Vietnam.

“RedMike has attempted to exploit more than 1,000 Cisco devices globally,” the researchers said. “The group likely compiled a list of target devices based on their association with telecommunications providers’ networks.”

According to the researchers, the attackers have been taking aim at Cisco IOS XE appliances. The exploits target a pair of known vulnerabilities in the IOS XE web UI, CVE-2023-20198 and CVE-2023-20273. The first lets an unauthenticated attacker create a local account with privilege level 15 on an exposed web UI; the second is then used to escalate from that account to root, giving the attackers full administrative control over the device.

Network appliances might not seem like a particularly valuable target, but they provide a foothold for advanced persistent threat (APT) actors seeking to move further into an organization’s internal network.

“Overall, throughout their campaigns, the adversary has shown not only an in-depth understanding of the targeted environments, including the continuous identification of exposed layers for potential reentry, but also a multi-layered attack strategy, using a combination of known tools and custom backdoors that is difficult to detect and mitigate,” noted researchers with security provider NCC Group.

In this case the RedMike crew is believed to be taking a two-pronged approach: breaking into databases and servers holding intellectual property and research data at the targeted universities, and establishing espionage positions inside telcos.

“Often involved in cutting-edge research, universities are prime targets for Chinese state-sponsored threat activity groups to acquire valuable research data and intellectual property,” Insikt Group explained.

The attacks are also noteworthy because they come in defiance of U.S. law enforcement efforts to cripple the RedMike network by shutting down the hosting company believed to have provided the crew with its command and control infrastructure. The latest round of attacks shows that there is no shortage of service providers in China willing to accommodate espionage-focused hacking groups.

“Despite significant media coverage and U.S. sanctions, Insikt Group expects RedMike to continue targeting telecommunications providers in the U.S. and globally due to the amount and high value of communications data that traverses these networks,” the researchers note. “This is highlighted by RedMike’s previous targeting of U.S. lawful intercept operations and the communications of significant U.S. political figures via these intrusions.”
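The article's advice to examine internet-facing appliances can be turned into a concrete check. The script below is an added example written for this page, not code from Recorded Future, Cisco or the article's author. It audits a constructed IOS XE running-config excerpt for the two things that matter for CVE-2023-20198 and CVE-2023-20273: whether the web UI (`ip http server` / `ip http secure-server`) is enabled without an `ip http access-class` restriction, and whether any privilege-15 local account exists outside an assumed approved baseline (the `APPROVED_ADMINS` set is an assumption for the example). It also scans a constructed syslog excerpt for programmatic configuration changes made through the web UI by an unexpected user and for web UI install operations; the message formats are modeled on the indicators Cisco's guidance for these CVEs described, but they are reconstructed here and should be checked against your own devices' output.

```python
"""Audit an IOS XE config and syslog excerpt for web UI exposure and
post-exploitation signs tied to CVE-2023-20198 / CVE-2023-20273.

Added example for this article; sample data below is constructed."""
import re

# Constructed running-config excerpt (not from any real device).
SAMPLE_CONFIG = """\
version 17.3
hostname edge-rtr-01
username netops privilege 15 secret 9 $9$placeholder
username cisco_support privilege 15 secret 9 $9$placeholder
ip http server
ip http secure-server
ip http authentication local
line vty 0 4
 transport input ssh
"""

# Constructed syslog excerpt, modeled on the messages Cisco's guidance for
# these CVEs called out; verify the exact format on your own release.
SAMPLE_SYSLOG = [
    "Oct 16 10:01:02.113: %SYS-5-CONFIG_P: Configured programmatically by "
    "process SEP_webui_wsma_http from console as cisco_support on line 0",
    "Oct 16 10:01:05.771: %WEBUI-6-INSTALL_OPERATION_INFO: User: cisco_support, "
    "Install Operation: ADD /usr/binos/conf/nginx-conf/cisco_service.conf",
    "Oct 16 10:03:00.000: %SYS-5-CONFIG_I: Configured from console by netops "
    "on vty0 (10.0.0.5)",
]

# Assumed baseline: accounts allowed to hold privilege 15 on this device.
APPROVED_ADMINS = {"netops"}

PRIV15_RE = re.compile(r"^username\s+(\S+)\s+privilege\s+15\b", re.M)
ACCESS_CLASS_RE = re.compile(r"^ip http access-class\b", re.M)
CONFIG_P_RE = re.compile(r"%SYS-5-CONFIG_P:.*\bas (\S+) on line")
INSTALL_RE = re.compile(r"%WEBUI-6-INSTALL_OPERATION_INFO: User: ([^,]+),")


def parse_config(cfg: str) -> dict:
    """Extract the facts the audit needs from a running-config text."""
    lines = {line.strip() for line in cfg.splitlines()}
    return {
        "http": "ip http server" in lines,
        "https": "ip http secure-server" in lines,
        "access_class": bool(ACCESS_CLASS_RE.search(cfg)),
        "priv15_users": PRIV15_RE.findall(cfg),
    }


def audit_config(cfg: str, approved: set) -> list:
    """Return findings: exposed web UI and unexpected privilege-15 accounts."""
    facts = parse_config(cfg)
    findings = []
    if (facts["http"] or facts["https"]) and not facts["access_class"]:
        findings.append("web UI enabled with no ip http access-class restriction")
    for user in facts["priv15_users"]:
        if user not in approved:
            findings.append(f"unexpected privilege-15 account: {user}")
    return findings


def remediation(cfg: str) -> list:
    """Config lines that disable the web UI, Cisco's recommended mitigation.
    If the web UI is genuinely needed, restrict it with an ACL via
    'ip http access-class ipv4 <ACL> in' instead of leaving it open."""
    facts = parse_config(cfg)
    cmds = []
    if facts["http"]:
        cmds.append("no ip http server")
    if facts["https"]:
        cmds.append("no ip http secure-server")
    return cmds


def scan_syslog(lines: list, approved: set) -> list:
    """Flag web UI driven config changes by unknown users and install ops."""
    hits = []
    for line in lines:
        m = CONFIG_P_RE.search(line)
        if m and m.group(1) not in approved:
            hits.append(f"programmatic config change via web UI by {m.group(1)}")
        m = INSTALL_RE.search(line)
        if m:
            hits.append(f"web UI install operation by {m.group(1).strip()}")
    return hits


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG, APPROVED_ADMINS):
        print("CONFIG:", f)
    for h in scan_syslog(SAMPLE_SYSLOG, APPROVED_ADMINS):
        print("SYSLOG:", h)
    print("Remediation:", "; ".join(remediation(SAMPLE_CONFIG)))
```

On a real fleet, feed `show running-config` and `show logging` output captured over SSH into these functions; any finding from `audit_config` on an internet-facing device is reason to disable the web UI now and patch, and any `scan_syslog` hit is reason to treat the device as compromised rather than merely exposed, since a new privilege-15 account is exactly what successful exploitation of CVE-2023-20198 produces.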
