China-Linked Red Menshen Uses Stealthy BPFDoor Implants to Spy via Telecom Networks

A sophisticated and ongoing cyber espionage campaign linked to a Chinese threat actor has been discovered infiltrating telecom networks to spy on government systems.

Attributed to the threat group known as Red Menshen, also identified as Earth Bluecrow, DecisiveArchitect, and Red Dev 18, this strategic operation has been targeting telecom providers in the Middle East and Asia since at least 2021.

Rapid7, a cybersecurity firm, described the covert access mechanisms deployed by Red Menshen as among the stealthiest it has encountered in telecommunications networks.

The campaign utilizes kernel-level implants, passive backdoors, credential-harvesting tools, and cross-platform command frameworks, providing the threat actor with persistent access to targeted networks. One notable tool in their arsenal is a Linux backdoor called BPFDoor.

BPFDoor operates differently from traditional malware: instead of listening on a network port, it uses Berkeley Packet Filter (BPF) functionality to have the kernel inspect incoming traffic on its behalf, and the implant activates only when a packet matching its specific trigger arrives.

Initial access is gained by targeting internet-facing infrastructure and services such as VPN appliances, firewalls, and web platforms associated with various vendors. Once inside, the threat actor deploys Linux-compatible tools like CrossC2 for post-exploitation activities.

Central to Red Menshen’s operations is BPFDoor, which consists of a passive backdoor on compromised Linux systems and a controller managed by the attacker to send activation packets.
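To make the mechanism described above concrete, the following is an added example written for this page; it is not BPFDoor's own filter or code, and the page does not give the implant's real trigger format or constant. It evaluates a classic BPF program (opcode encoding as in Linux's `<linux/filter.h>`, the same values `tcpdump -dd` prints) over constructed Ethernet/IPv4 frames, exactly as the kernel would before deciding whether the receiving process sees the packet. The filter accepts only TCP segments whose first two payload bytes equal a placeholder magic value `MAGIC`, which is an assumption for illustration. `controller_packet()` stands in for what an attacker-side controller would send, and `implant_sees()` for the passive implant's side of the exchange; all frames are constructed inline.

```python
import struct

# Classic BPF opcodes (values from <linux/filter.h>; same encoding tcpdump -dd prints)
LDH_ABS = 0x28   # A = half-word at [k]
LDB_ABS = 0x30   # A = byte at [k]
LDH_IND = 0x48   # A = half-word at [X + k]
LDB_IND = 0x50   # A = byte at [X + k]
LDX_MSH = 0xb1   # X = 4 * (byte at [k] & 0x0f)   (IPv4 header-length idiom)
RSH_K   = 0x74   # A >>= k
LSH_K   = 0x64   # A <<= k
ADD_X   = 0x0c   # A += X
TAX     = 0x07   # X = A
JEQ_K   = 0x15   # pc += jt if A == k else jf
RET_K   = 0x06   # return k (bytes to accept; 0 = drop)

MAGIC = 0x4242   # placeholder trigger value (assumption; not the real implant's constant)

# Accept only IPv4/TCP frames whose first two payload bytes equal MAGIC.
TRIGGER_FILTER = [
    (LDH_ABS, 0, 0, 12),        # 0: EtherType
    (JEQ_K,   0, 11, 0x0800),   # 1: IPv4? else -> 13 (drop)
    (LDB_ABS, 0, 0, 23),        # 2: IP protocol
    (JEQ_K,   0, 9, 6),         # 3: TCP? else -> 13 (drop)
    (LDX_MSH, 0, 0, 14),        # 4: X = IPv4 header length (handles IP options)
    (LDB_IND, 0, 0, 26),        # 5: A = TCP data-offset byte at 14 + X + 12
    (RSH_K,   0, 0, 4),         # 6: A = data offset in 32-bit words
    (LSH_K,   0, 0, 2),         # 7: A = TCP header length in bytes
    (ADD_X,   0, 0, 0),         # 8: A = IP hdr len + TCP hdr len
    (TAX,     0, 0, 0),         # 9: X = payload offset relative to IP start
    (LDH_IND, 0, 0, 14),        # 10: A = first two payload bytes
    (JEQ_K,   0, 1, MAGIC),     # 11: magic? -> 12 (accept) else 13 (drop)
    (RET_K,   0, 0, 0xFFFF),    # 12: accept: kernel delivers the packet to the process
    (RET_K,   0, 0, 0),         # 13: drop: the process is never woken
]


def run_cbpf(prog, pkt):
    """Evaluate a classic BPF program over a raw frame the way the kernel does.
    Returns the number of bytes accepted; 0 means the packet is discarded.
    A load past the end of the packet terminates with 0, matching kernel behaviour."""
    A = X = 0
    pc = 0

    def load(off, size):
        if off < 0 or off + size > len(pkt):
            raise IndexError("load beyond packet")
        return int.from_bytes(pkt[off:off + size], "big")

    while pc < len(prog):
        code, jt, jf, k = prog[pc]
        pc += 1
        try:
            if code == LDH_ABS:   A = load(k, 2)
            elif code == LDB_ABS: A = load(k, 1)
            elif code == LDH_IND: A = load(X + k, 2)
            elif code == LDB_IND: A = load(X + k, 1)
            elif code == LDX_MSH: X = 4 * (load(k, 1) & 0x0f)
            elif code == RSH_K:   A = (A >> k) & 0xFFFFFFFF
            elif code == LSH_K:   A = (A << k) & 0xFFFFFFFF
            elif code == ADD_X:   A = (A + X) & 0xFFFFFFFF
            elif code == TAX:     X = A
            elif code == JEQ_K:   pc += jt if A == k else jf
            elif code == RET_K:   return k
            else: raise ValueError(f"unsupported opcode {code:#x}")
        except IndexError:
            return 0
    return 0


def build_frame(proto, payload, ip_options=b""):
    """Constructed Ethernet/IPv4 frame with a minimal TCP (proto 6) or UDP (17) header.
    ip_options must be a multiple of 4 bytes; checksums are left zero on purpose."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ihl = 5 + len(ip_options) // 4
    if proto == 6:   # sport, dport, seq, ack, data offset 5 words, flags, win, csum, urg
        l4 = struct.pack("!HHIIBBHHH", 4444, 8080, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    else:            # UDP: sport, dport, length, csum
        l4 = struct.pack("!HHHH", 4444, 8080, 8 + len(payload), 0)
    total = 20 + len(ip_options) + len(l4) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total, 0, 0, 64, proto, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + ip_options
    return eth + ip + l4 + payload


def controller_packet():
    """Constructed stand-in for the controller's activation packet: ordinary TCP
    carrying the magic prefix; on the wire it is just another segment."""
    return build_frame(6, struct.pack("!H", MAGIC) + b"wake-up")


def implant_sees(frame):
    """True if the in-kernel filter would hand this frame to the passive implant."""
    return run_cbpf(TRIGGER_FILTER, frame) != 0


if __name__ == "__main__":
    print("controller packet:", implant_sees(controller_packet()))            # True
    print("ordinary HTTP:   ", implant_sees(build_frame(6, b"GET / HTTP/1.1\r\n")))  # False
```

The point the filter makes is that every packet except the trigger is dropped inside the kernel, so the implant's process holds no listening port and receives no traffic until the controller's packet arrives. On a live Linux host, packet sockets and the classic BPF filter attached to them are listed by `ss -0pb` (a general iproute2 capability, not something the page states), which is one place to look for a process that has attached an unexpected filter.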

BPFDoor also supports the Stream Control Transmission Protocol (SCTP), the transport that carries telecom signalling traffic, allowing the threat actor to monitor telecom protocols and track subscriber behavior.

Moreover, a new variant of BPFDoor has been discovered with enhanced evasion techniques, including hiding activation commands within HTTPS traffic and using ICMP for communication between infected hosts.

This evolution in adversary tactics emphasizes a shift towards embedding implants at deeper levels within computing systems, targeting operating system kernels and infrastructure platforms.

Telecom environments, with their mix of hardware systems, virtualization layers, and 4G/5G components, provide an ideal landscape for stealthy persistence and evasion of traditional detection methods.