CL-STA-0969 malware targeting telecom networks in Southeast Asia

A state-sponsored threat actor known as CL-STA-0969 has targeted telecommunications organizations in Southeast Asia, facilitating remote control over compromised networks. Palo Alto Networks' Unit 42 reported multiple incidents from February to November 2024, focusing on critical telecom infrastructure.

The attacks utilized various tools for remote access, including Cordscan, which collects location data from mobile devices. However, researchers found no evidence of data exfiltration or attempts to track target devices within mobile networks. The group maintained high operational security and employed numerous defense evasion techniques.

CL-STA-0969 shares significant overlaps with the China-linked espionage group Liminal Panda, which has targeted telecom entities since at least 2020. The group is believed to have used brute-force attacks against SSH authentication to gain initial access, deploying various malware, including:

  • AuthDoor: A malicious Pluggable Authentication Module for credential theft.
  • GTPDOOR: Malware designed for telecom networks adjacent to GPRS roaming exchanges.
  • EchoBackdoor: A passive backdoor that listens for command-and-control instructions via ICMP packets.
  • ChronosRAT: A modular tool for remote access and data manipulation.
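A malicious PAM module such as AuthDoor only works if a PAM service file references it, so one defender-side check is to audit those files for modules outside a known-good set. The example below is added here and is not from the Unit 42 report; the sample `sshd` config, the allowlist and the `pam_authdoor_example.so` path are constructed placeholders.

```python
import re
from typing import List, Set, Tuple

# Constructed sample of an /etc/pam.d/sshd file. The absolute-path line stands
# in for a rogue module dropped outside the PAM module directory; the file name
# is a placeholder, not an indicator from the report.
SAMPLE_PAM_SSHD = """\
# PAM configuration for the Secure Shell service
auth       required     pam_env.so
auth       sufficient   /lib/security/pam_authdoor_example.so
@include common-auth
account    required     pam_nologin.so
auth       optional     pam_unknown_example.so
session    optional     pam_motd.so motd=/run/motd.dynamic
password   include      common-password
"""

# Constructed allowlist. In practice derive it from the package manager, e.g.
# `dpkg -S /lib/*/security/*.so` or `rpm -qf /usr/lib64/security/*.so`.
EXPECTED_MODULES: Set[str] = {"pam_env.so", "pam_nologin.so", "pam_motd.so", "pam_unix.so"}

# type  control  module  [args]; control may be a bracketed action list
PAM_LINE = re.compile(r"^(?P<type>auth|account|password|session)\s+"
                      r"(?P<control>\[[^\]]*\]|\S+)\s+(?P<module>\S+)(?P<args>.*)$")

def audit_pam_config(text: str, expected: Set[str]) -> List[Tuple[int, str, str]]:
    """Return (line number, module, reason) for every suspicious module reference.

    Stock configs name modules by basename and let PAM search its default
    directory, so an explicit absolute path is flagged on its own; any other
    module not in the allowlist is flagged as well.
    """
    findings: List[Tuple[int, str, str]] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(("#", "@include")):
            continue
        m = PAM_LINE.match(line)
        if not m or m.group("control") in ("include", "substack"):
            continue  # 'include'/'substack' name another service file, not a module
        module = m.group("module")
        if module.startswith("/"):
            findings.append((lineno, module, "absolute path"))
        elif module not in expected:
            findings.append((lineno, module, "not in allowlist"))
    return findings

if __name__ == "__main__":
    for lineno, module, reason in audit_pam_config(SAMPLE_PAM_SSHD, EXPECTED_MODULES):
        print(f"line {lineno}: {module} ({reason})")
```

Run the same function over each file in `/etc/pam.d/` with an allowlist built from the package manager; a finding on `sshd` or `common-auth` deserves the same follow-up as an unexpected binary in a system directory.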