Home »

Infiltration of Asian telecom networks: How cyberattackers remained undetected

Author Sangavi Senthil Cybersecurity Specialist, ManageEngine  

On this page

 
  • Asian telecom incident
  • Vulnerable points that allow data breach
  • Key lessons learnt by CISOs from the attack
  • Common data breach attack patterns
  • Data breach prevention techniques
  • Data breach prevention with SIEM
  • Key metrics to present to the board
  • Related solutions
 

Infiltrating into a network system of an enterprise has numerous benefits for attackers, such as:

  • Financial data theft
  • Corporate espionage
  • Network control
  • Profit from ransom
  • Power to disrupt operations

So, imagine how much data an attacker could get by infiltrating into an enterprise network for years. This article is about a Chinese hacker group who infiltrated Asian telecom networks for four years.

What happened in the Asian telecom cyberattack?

A highly advanced cyber-espionage operation, attributed to the Chinese hacking group "Weaver Ant," infiltrated a major telecommunications provider in Asia for four years. While specific dates are not provided in the available sources, reports indicate that the intrusion was discovered and reported in March 2025.This suggests that the attack may have commenced around early 2021 or earlier.The prolonged intrusion went undetected, highlighting critical cybersecurity weaknesses within essential infrastructure.

Initial compromise and exploitation

Weaver Ant gained unauthorized access by exploiting an unpatched vulnerability in a publicly accessible application. Leveraging this security gap, they deployed a customized variant of the "China Chopper" web shell alongside a newly identified memory-resident malware known as "INMemory." By executing malicious payloads directly within system memory, they effectively minimized forensic traces, making detection extremely difficult.

Maintaining persistence and evasion tactics

Once inside, the attackers ensured persistence by disabling key security defenses. They modified Event Tracing for Windows and the Antimalware Scan Interface, effectively bypassing real-time security monitoring. Additionally, they executed Windows PowerShell commands stealthily through System.Management.Automation.dll instead of launching PowerShell.exe, further reducing visibility to security tools.

Intelligence gathering and network expansion

The primary objective of the attack was intelligence collection. The threat actors systematically mapped the internal network, targeted privileged user accounts, and accessed highly sensitive data sources, including:

  • Communications metadata of influential individuals
  • Government and corporate client records
  • Network control systems that could enable broader surveillance
Discovery and incident response

The breach was eventually identified by the cybersecurity firm, Sygnia, during a forensic investigation. Analysts uncovered irregular system behavior that led to the detection of the attackers' web shells and memory-based malware. Successfully eliminating the threat without disrupting vital operations required close collaboration between the affected company's security team and external intelligence agencies.

What enterprise vulnerabilities do attackers typically exploit to execute a data breach?

While attackers exploited an unpatched application in this case, there are other vulnerabilities that threat actors can take advantage of, namely:

  • Weak or stolen credentials: Unauthorized access is made easy for attackers by weak password policies and a lack of multi-factor authentication.
  • Phishing and social engineering: Employees are tricked by cybercriminals into revealing sensitive information or clicking on malicious links, which can result in malware infections or credential theft.
  • Insider threat: Disgruntled employees or careless staff can intentionally or unintentionally expose sensitive data, making internal security controls critical.
  • Misconfigured cloud and network settings: Poorly secured databases, open ports, and weak access controls in cloud environments provide easy entry points for attackers.

What are the key lessons for CISOs from this attack?

The following are the key lessons:

  • Proactive threat hunting is crucial since traditional security measures may not detect memory-based malware like INMemory.
  • Regular patch management must be a priority since the initial breach exploited an unpatched vulnerability in a public facing application.
  • APT-specific security strategies must be implemented since state-sponsored groups like Weaver Ant operate stealthily over years.
  • Indirect script execution must be monitored since stealthy malware is evolving where attackers use PowerShell without PowerShell.exe, bypassing standard logging.
  • Behavioral analytics must be included to detect file-less attacks just as traditional antivirus and endpoint detection tools focus on file-based malware.
  • The attackers patched ETW and AMSI to evade detection. This indicates that disabling detection mechanisms must raise red flags, and monitoring for such modifications can reveal intrusions.
  • Zero trust architecture is essential because strict segmentation and least privilege access constraints can help prevent lateral network movement.
  • The breach was discovered by an external cybersecurity firm Syngia, demonstrating that third-party security assessments can uncover hidden threats.
  • A well-practiced incident response plan is necessary to eliminate threats from a deeply embedded attack without interfering with critical operations.

What are the common attack patterns used by attackers to carry out a data breach?

Here are the top 5 patterns used by attackers:

  • Phishing attacks: Attackers use deceptive emails, messages, or websites to trick users into revealing login credentials or downloading malware.
  • Malware infections: Unauthorized access and data theft are accomplished using malicious software, such as trojans, spyware, or ransomware.
  • SQL injection: Attackers exploit vulnerabilities in web applications to manipulate databases and extract sensitive information.
  • Credential stuffing: The attackers use stolen username-password combinations from a previous breach to try and access accounts on other sites.
  • Insider threats: When employees or contractors act carelessly or maliciously, they may purposefully or inadvertently jeopardize confidential information.

How to prevent data breach?

The following can be considered for data breach prevention:

  • Deploy email filtering, conduct security awareness training, and enable MFA to mitigate credential theft.
  • Utilize endpoint security solutions, keep software updated, and avoid downloading files from untrusted sources.
  • Validate and sanitize user inputs, use prepared statements, and implement web application firewalls to prevent injection attacks.
  • Require strong, unique passwords, enable MFA, and actively monitor for unauthorized login attempts.
  • Restrict access based on job roles, track user activities, and provide regular cybersecurity training.
  • Ensure secure communication using SSL/TLS encryption, avoid unprotected public networks, and utilize VPNs.
  • Regularly update all systems, leverage threat intelligence, and use advanced detection tools to identify anomalies.
  • Implement robust password policies, set up account lockout mechanisms, and integrate CAPTCHA to deter brute-force attacks.
  • Protect against denial-of-service attacks with DDoS mitigation tools, apply rate limiting, and continuously monitor network traffic.
  • Safeguard against cross-site scripting by filtering user inputs, enforcing Content Security Policies, and following secure coding guidelines.

Why should CISOs consider a SIEM solution to mitigate data breach?

The following are the various features of SIEM that help to enhance data breach prevention:

Feature How it helps to prevent data breach
Real-time threat detection and response
  • SIEM continuously collects and analyzes logs from a variety of sources, including servers, firewalls, endpoints, and applications.
  • Uses correlation rules and behavioral analytics to detect anomalies and potential breaches.
  • Sends real-time alerts, reducing response time and preventing security incidents from escalating.
Centralized log management and compliance
  • Aggregates logs from several sources into a single window for security teams.
  • Maintains appropriate audit trails and reports, which aids in meeting compliance requirements such as GDPR, HIPAA, PCI DSS, and SOC 2.
Advanced threat intelligence
  • Integrates with external threat intelligence feeds to recognize known attack patterns.
  • Uses AI and machine learning to detect zero-day threats and advanced persistent threats.
Anomaly detection
  • Detects anomalous activities within the network, such as privilege abuse and unauthorized access.
  • Detects suspicious behavior by using User and Entity Behavior Analytics (UEBA).
Automated incident response
  • Many modern SIEMs offer SOAR capabilities.
  • Automates containment measures such as enforcing access limits, isolating compromised endpoints, and blocking malicious IPs.
Forensic investigation and root cause analysis
  • Stores historical log data for post-breach analysis.
  • Helps determine who, what, when, and how a breach occurred, enabling better future defenses.
Reducing dwell time and mitigating damage
  • Early detection reduces the dwell time—the amount of time an attacker stays hidden in a network.
  • Limits the potential financial, reputational, and operational damage of a data breach.

Key metrics to present to the board for CISOs

The following are the key metrics that can be presented by CISOs:

Metric What is it? Example scenario
Mean time to detect The average time taken to identify a security threat. Before implementing SIEM, it took a company 90 days to find a network breach. Threats are identified within minutes to hours because of SIEM's real-time monitoring, which drastically cuts down on the amount of time an attacker can stay undetected in the network.
Mean time to respond The average time taken to mitigate or contain a security incident. A financial services firm experienced a data breach involving unauthorized access to customer records. SIEM’s real-time alerts and automated playbooks quickly identified the breach, contained the affected systems, and helped prevent further data exposure.
Reduction in security incidents Percentage decrease in security alerts leading to breaches. After SIEM identified and blocked malicious email domains in real-time, a healthcare provider experienced a 40% decrease in successful phishing assaults.
Reduction of false positives Percentage decrease in false alarms that waste the time of the security team. A financial firm had thousands of daily security alerts, with 80% being false positives. After SIEM’s ML-driven threat detection, false positives dropped to 20%, allowing analysts to focus on real threats.
Compliance and audit time reduction Time saved on audit report preparation and compliance adherence. It took weeks for a PCI DSS-regulated company to gather security records for audits. SIEM automated log collecting, reducing the time required to submit compliance reports by 70% and preventing fines from the government.
Reduction in downtime and business disruptions Financial savings from minimizing operational downtime due to cyber incidents. A cyberattack caused a 48-hour standstill in a manufacturing company's production line. By preventing a recurrence of the incident, SIEM's proactive threat detection saved an estimated $500,000 in downtime expenses.
Third-party risk monitoring and supply chain security Number of external vendors monitored for security risks. A bank integrated SIEM to monitor third-party vendors' access logs. It flagged unauthorized access attempts from a vendor’s compromised credentials, preventing a supply chain attack.
Percentage of security events automated via SOAR Number of incidents automatically handled by SOAR By employing SIEM-SOAR integration to automate phishing response, a cloud services firm was able to free up the SOC team by automatically mitigating 80% of phishing threats.
ROI of SIEM Demonstrates the financial benefit of investing in SIEM vs. potential losses. A retail company invested $500,000 in SIEM. Within a year, it avoided two major breaches, saving an estimated $2 million in potential losses, showing a 4x ROI.
Cost savings on cybersecurity incidents Percentage reduction in cybersecurity insurance premiums. Through better risk management, a legal company that used SIEM showed enhanced threat detection and response, which resulted in a 15% decrease in cyber insurance costs.

Related solutions

ManageEngine Log360 is a SIEM solution that combines DLP, CASB, machine learning, and MITRE ATT&CK mapping to deliver real-time threat detection, automated response, streamlined incident management, and compliance across hybrid IT environments.

To learn more,

Sign up for a personalized demo  

ManageEngine AD360 is a unified IAM solution that simplifies identity, access, and security management across on-premises and cloud platforms with features like user provisioning, SSO, self-service password management, and auditing.

To learn more,

Sign up for a personalized demo  

This content has been reviewed and approved by Ram Vaidyanathan, IT security and technology consultant at ManageEngine.

 

Related Posts

Anatomy of a ransomware attack - Critical lessons from the Unimicron incident The cost of poor cybersecurity: Star Health breach and CISO best practices How SIEM tools power data-driven security decisions for enterprises