In the first quarter of 2023, telecommunication providers in the Middle East were the subject of new cyber attacks. The intrusion set has been attributed to a Chinese cyber espionage actor associated with a long-running campaign dubbed Operation Soft Cell; the attribution rests on tooling overlaps, and the campaign has been active since at least 2012. The initial attack phase involves infiltrating Internet-facing Microsoft Exchange servers to deploy web shells used for command execution. Once a foothold is established, the attackers conduct a variety of reconnaissance, credential theft, lateral movement, and data exfiltration activities. The Soft Cell threat actor is also known to target unpatched Internet-facing services and to use tools such as Mimikatz to obtain credentials that allow lateral movement across the targeted networks. A "difficult-to-detect" backdoor codenamed PingPull is also used by the group in its espionage attacks against companies operating in Southeast Asia, Europe, Africa, and the Middle East. Central to the latest campaign is the deployment of a custom variant of Mimikatz, referred to as mim221, which packs in new anti-detection features.
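A defender-side check suggested by the Exchange web-shell stage described above, written for this edit and not taken from the article or any vendor report: it scans constructed process-creation records (the pipe-delimited format, the sample lines and the severity labels are all assumptions) and flags shell-like child processes of the IIS worker process w3wp.exe, which is what command execution through a web shell usually looks like in endpoint telemetry.

```python
import ntpath

# Child processes that an IIS worker process almost never spawns legitimately.
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "cscript.exe", "wscript.exe"}


def parse_event(line):
    """Parse one constructed 'ParentImage|ParentCommandLine|Image|CommandLine' record."""
    parent_image, parent_cmd, image, cmd = line.rstrip("\n").split("|", 3)
    return {"parent_image": parent_image, "parent_cmd": parent_cmd, "image": image, "cmd": cmd}


def classify(ev):
    """Return 'high', 'medium' or None for a single process-creation event."""
    parent = ntpath.basename(ev["parent_image"]).lower()
    child = ntpath.basename(ev["image"]).lower()
    if parent != "w3wp.exe" or child not in SHELL_CHILDREN:
        return None
    # w3wp.exe names its application pool via -ap "<name>"; Exchange pools are
    # named MSExchange*AppPool, so a shell launched from one is the strongest signal.
    if "msexchange" in ev["parent_cmd"].lower():
        return "high"
    return "medium"


def scan(lines):
    """Return (severity, child command line) for every flagged event, in log order."""
    hits = []
    for ev in map(parse_event, lines):
        level = classify(ev)
        if level:
            hits.append((level, ev["cmd"]))
    return hits


# Constructed sample telemetry; the paths and command lines are illustrative only.
SAMPLE_LOG = [
    r'C:\Windows\System32\inetsrv\w3wp.exe|w3wp.exe -ap "MSExchangeOWAAppPool" -v "v4.0"|C:\Windows\System32\cmd.exe|cmd.exe /c whoami',
    r'C:\Windows\System32\inetsrv\w3wp.exe|w3wp.exe -ap "DefaultAppPool"|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -c Get-Process',
    r'C:\Windows\System32\inetsrv\w3wp.exe|w3wp.exe -ap "MSExchangeOWAAppPool"|C:\Windows\System32\conhost.exe|conhost.exe 0x4',
    r'C:\Windows\explorer.exe|explorer.exe|C:\Windows\System32\cmd.exe|cmd.exe',
]

if __name__ == "__main__":
    for level, cmd in scan(SAMPLE_LOG):
        print(f"[{level}] w3wp.exe spawned: {cmd}")
```

Tune SHELL_CHILDREN and the app-pool hint to the environment; a medium hit from a non-Exchange pool still deserves a look at what was written to the site's wwwroot.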