Operation Soft Cell targets exposed MS Exchange servers

March 31, 2023

The alleged China-related Operation Soft Cell campaign has an evolved toolset that could target numerous entities. These threat operators could have originated from China, but researchers have yet to confirm an exact attribution.

Earlier this year, China-based threat groups launched a wave of cyberattacks against numerous telecom providers in the Middle East. Some researchers assessed that these attacks were part of a broader campaign by Chinese espionage groups.

Researchers explained that these attacks begin with the compromise of internet-facing MS Exchange servers, on which the attackers deploy web shells for command execution.

Once they have access, the threat actors carry out various malicious activities, such as reconnaissance, credential theft, lateral movement, and data exfiltration. Operation Soft Cell relies heavily on a custom credential theft payload dubbed mim221. This malware is a modified version of Mimikatz with advanced anti-detection features.
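The initial access stage described above, a web shell on an Exchange server executing commands, leaves a characteristic trace in endpoint telemetry: the IIS worker process spawning a command interpreter. The check below is an added example, not code from the article or the researchers it cites; it runs over constructed, simplified process-creation events (field names modelled on Sysmon Event ID 1) and flags that parent-child chain.

```python
"""Flag command execution under an IIS worker process (web shell behaviour).

Added example, not from the article. Input events are a simplified,
constructed form of Windows process-creation telemetry (e.g. Sysmon Event
ID 1): one dict per event with image, parent image and command line.
"""
from dataclasses import dataclass

# Parent process under which Exchange web content (and thus a web shell) runs.
IIS_WORKER = "w3wp.exe"
# Interpreters a web shell typically uses to run operator commands.
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "cscript.exe", "wscript.exe"}


@dataclass(frozen=True)
class Alert:
    event_id: int
    parent: str
    child: str
    command_line: str
    reason: str


def _basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_webshell_exec(events: list[dict]) -> list[Alert]:
    """Return one Alert for every IIS worker -> command interpreter chain."""
    alerts = []
    for ev in events:
        parent = _basename(ev.get("ParentImage", ""))
        child = _basename(ev.get("Image", ""))
        if parent == IIS_WORKER and child in SHELL_CHILDREN:
            alerts.append(Alert(ev["EventRecordID"], parent, child, ev.get("CommandLine", ""),
                                "command interpreter spawned by IIS worker process"))
    return alerts


# Constructed sample telemetry: a normal worker start, one suspicious chain,
# and a benign grandchild that must not be flagged on its own.
SAMPLE_EVENTS = [
    {"EventRecordID": 101, "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe", "CommandLine": "w3wp.exe -ap MSExchangeOWAAppPool"},
    {"EventRecordID": 102, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe", "CommandLine": "cmd.exe /c whoami"},
    {"EventRecordID": 103, "Image": r"C:\Windows\System32\conhost.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": "conhost.exe 0x4"},
]

if __name__ == "__main__":
    for a in find_webshell_exec(SAMPLE_EVENTS):
        print(f"[{a.event_id}] {a.parent} -> {a.child}: {a.command_line} ({a.reason})")
```

On a real Exchange host the same rule should be fed from the endpoint sensor's process-creation stream and tuned for any legitimate automation that runs under the Exchange application pools.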

Malware developers actively maintain mim221 and have already produced an updated version of the credential theft malware. This suggests that the threat actors are continually adding new capabilities to their tooling.

Operation Soft Cell still has a mysterious origin story.

According to the investigation, the toolset used in Operation Soft Cell resembles those used by other well-known Chinese actors. However, researchers have not yet tied the espionage campaign to a specific threat group.

The advanced persistent threat group APT41 is the closest match to Operation Soft Cell, since the two share code similarities and a common code signing certificate.

Other researchers suspect that the Gallium group could be behind the campaign. The analysts base this assessment on previous targets and on TTP overlaps between the group and the Soft Cell campaign.

Researchers remain divided on attribution even as the campaign continues against numerous targets. Meanwhile, the cyberespionage operation has shown an unwavering focus on Middle Eastern entities.

Organisations from the Middle East, especially from sectors such as government, entertainment, finance, and telecoms, should be ready to counteract these espionage attacks.

Lastly, the Chinese groups’ active use of mim221 shows an ongoing effort to improve their malware payload and its defence evasion capabilities.
