Chinese hackers infiltrate Southeast Asian telecom networks
A cyber group linked to China breached telecoms across Southeast Asia, deploying advanced tracking tools instead of stealing data.
A Chinese state-backed hacking group gained covert access to telecom networks across Southeast Asia, most likely to track users’ locations, according to cybersecurity analysts.
Palo Alto Networks’ Unit 42 attributed the campaign, which ran from February to November 2024, with high confidence to a cluster it tracks as CL-STA-0969.
Rather than exfiltrating data or contacting subscribers’ handsets directly, the hackers deployed custom tools such as CordScan, a network scanner built to recognise mobile core network protocols, including those handled by the SGSN (Serving GPRS Support Node, the element that manages subscriber mobility in 2G/3G packet networks). That choice of tooling suggests the attackers focused on tracking rather than data theft.
The threat actor appears closely linked to Liminal Panda, a group tracked by CrowdStrike, which sees the operation as part of China’s strategic interest in bulk surveillance.
The attackers initially gained access by brute-forcing SSH credentials using login details specific to telecom equipment.
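The brute-force entry described above leaves a recognisable trace in sshd logs: a burst of failed logins from one source, often against several accounts, followed by an accepted login from the same address. The Python snippet below, added here as an illustration and not code from Unit 42 or from the article, runs that check over a few constructed auth.log lines (the hostname, addresses and usernames are invented); the year is assumed because syslog timestamps omit it.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd lines in syslog format; illustrative only,
# not telemetry from the campaign described in the article.
SAMPLE_AUTH_LOG = """\
Mar 03 02:14:01 sgsn-01 sshd[4121]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar 03 02:14:03 sgsn-01 sshd[4121]: Failed password for invalid user operator from 203.0.113.7 port 51023 ssh2
Mar 03 02:14:05 sgsn-01 sshd[4121]: Failed password for root from 203.0.113.7 port 51024 ssh2
Mar 03 02:14:06 sgsn-01 sshd[4121]: Failed password for root from 203.0.113.7 port 51025 ssh2
Mar 03 02:14:08 sgsn-01 sshd[4121]: Failed password for invalid user omc from 203.0.113.7 port 51026 ssh2
Mar 03 02:14:10 sgsn-01 sshd[4121]: Failed password for invalid user nms from 203.0.113.7 port 51027 ssh2
Mar 03 02:14:12 sgsn-01 sshd[4122]: Accepted password for root from 203.0.113.7 port 51028 ssh2
Mar 03 02:20:00 sgsn-01 sshd[4130]: Failed password for alice from 198.51.100.5 port 40001 ssh2
Mar 03 02:20:09 sgsn-01 sshd[4131]: Accepted publickey for alice from 198.51.100.5 port 40002 ssh2
"""

# Matches both "Failed password for invalid user X" and "Accepted publickey for X".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2$"
)


def parse(log_text):
    """Turn raw sshd lines into (timestamp, result, method, user, ip) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # syslog omits the year; 2024 is assumed for the sample
        ts = datetime.strptime("2024 " + m["ts"], "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["method"], m["user"], m["ip"]))
    return events


def detect_bruteforce(events, window_seconds=60, threshold=5):
    """Return {ip: {...}} for every source with at least `threshold` failed
    logins inside any `window_seconds` span. An accepted login from the same
    source after the burst is the signal that the guessing succeeded."""
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[4]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e[1] == "Failed"]
        for i in range(len(fails)):
            # grow the window from failure i until it exceeds window_seconds
            j = i
            while j < len(fails) and (fails[j][0] - fails[i][0]).total_seconds() <= window_seconds:
                j += 1
            if j - i >= threshold:
                burst_end = fails[j - 1][0]
                success = next((e for e in evs if e[1] == "Accepted" and e[0] >= burst_end), None)
                findings[ip] = {
                    "failures": j - i,
                    "users": sorted({e[3] for e in fails[i:j]}),
                    "success_user": success[3] if success else None,
                }
                break
    return findings


if __name__ == "__main__":
    for ip, f in detect_bruteforce(parse(SAMPLE_AUTH_LOG)).items():
        print(ip, f)
```

Since the same actors wiped authentication logs on the hosts they compromised, a check like this is only dependable when run against copies forwarded to a central collector as they are written, not against the local file.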
Once inside, they installed new malware, including a backdoor named NoDepDNS, which hides its command traffic in data sent over port 53, the port normally used for DNS, so that it blends in with ordinary name resolution and escapes notice.
To maintain stealth, the group disguised malware, altered file timestamps, disabled system security features and wiped authentication logs.
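Two of the techniques listed above, altered file timestamps and wiped logs, can be spotted from the host itself. Rewriting a file's modification time with utimes() or touch does not rewrite its inode change time (ctime), so a file whose ctime is much newer than its mtime has had its clock turned back. The Python below, an added example not taken from the article or the Unit 42 report, demonstrates the check on two files it creates in a temporary directory; the file names are constructed.

```python
import os
import tempfile
import time


def timestomp_candidates(paths, slack_seconds=1):
    """Return paths whose mtime is older than their ctime by more than
    `slack_seconds`. On Linux and macOS st_ctime is the inode change time,
    which the kernel sets itself and utimes() cannot set, so backdating
    mtime leaves a ctime that betrays the edit."""
    hits = []
    for p in paths:
        st = os.stat(p)
        if st.st_ctime - st.st_mtime > slack_seconds:
            hits.append(p)
    return hits


def demo():
    """Constructed demonstration: write two files, then backdate one of them
    by a year the way `touch -d` would. Returns (hits, backdated_path)."""
    d = tempfile.mkdtemp()
    honest = os.path.join(d, "honest.so")
    stomped = os.path.join(d, "stomped.so")
    for p in (honest, stomped):
        with open(p, "wb") as f:
            f.write(b"\x7fELF")  # placeholder content, not a real binary
    year_ago = time.time() - 365 * 86400
    os.utime(stomped, (year_ago, year_ago))  # sets atime and mtime, bumps ctime to now
    return timestomp_candidates([honest, stomped]), stomped


if __name__ == "__main__":
    hits, stomped = demo()
    print("timestomp candidates:", hits)
```

On Windows st_ctime is the creation time rather than the inode change time, so the check does not apply there. Package managers and tar also preserve archive mtimes on extraction, which produces the same ctime-newer-than-mtime pattern for perfectly legitimate files, so treat hits as triage candidates to confirm against the package database rather than as proof of tampering.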
CrowdStrike and Unit 42 both warn that China is increasing its focus on mass data collection, making telecom providers a prime target.
Security experts believe these operations are part of a long-term strategy to gather political, military and intellectual property information from vulnerable infrastructure.