

Ethical Hacking News

Nation-state group CL-STA-0969 exposes vulnerabilities in Southeast Asian telecoms



Nation-state group CL-STA-0969 targeted Southeast Asian telecoms in 2024, exposing vulnerabilities in critical infrastructure. This attack highlights the ever-evolving nature of cyber threats and underscores the need for proactive threat intelligence and vigilant security measures.

  • Palo Alto Networks has released a report on nation-state group CL-STA-0969's activities in Southeast Asia between February and November 2024.
  • The group, linked to China, may be part of a larger coordinated effort to compromise critical infrastructure.
  • CL-STA-0969 combined custom tools, including AuthDoor and GTPDoor, with known vulnerabilities to achieve its goals.
  • The attackers bypassed traditional detection methods by leveraging telecom-specific protocols and operational security measures.
  • They gained initial access via SSH brute force using a well-tuned account dictionary list.
  • No evidence of data exfiltration was found, but the group set up resilient remote access for future espionage operations.



Palo Alto Networks has recently released a report detailing the activities of nation-state group CL-STA-0969, which targeted critical infrastructure in Southeast Asia between February and November 2024. This revelation highlights the ever-evolving nature of cyber threats and underscores the need for vigilant security measures to prevent such attacks.

The threat actor in question, identified by Palo Alto Networks as CL-STA-0969, overlaps with other China-linked cyber espionage groups, including Liminal Panda and LightBasin. This suggests that CL-STA-0969 may be part of a larger, coordinated effort to compromise critical infrastructure.

According to the report, CL-STA-0969 utilized a combination of custom tools and known vulnerabilities to achieve its goals. These tools included AuthDoor, a PAM backdoor; GTPDoor, a Linux implant that uses GTP-C signaling to tunnel C2 traffic within telecom networks; EchoBackdoor, a passive ICMP-based backdoor; SGSN Emulator, an emulator of an SGSN node used to create tunnels to mobile operators via GRX; ChronosRAT, a modular Linux RAT; and NoDepDNS, a stealthy Go-based backdoor using DNS tunneling over port 53.

These tools allowed the group to bypass traditional detection methods, because its C2 traffic blended into protocols that are expected in telecom networks, such as SSH, ICMP, DNS, and GTP. To maintain stealth, the group also employed PAM backdoors, disguised its processes, tampered with logs, and disabled SELinux. This demonstrates a deep understanding of telecom environments and strong operational security.

Despite this high level of OPSEC, substantial evidence suggests that the attackers gained initial access via SSH brute force. To accomplish this, they used a well-tuned account dictionary list that included built-in accounts specific to telecommunications equipment.
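The initial-access pattern described above, a dictionary of vendor and built-in account names tried over SSH from one source, leaves a recognisable trace in sshd logs: many failed logins, across many distinct usernames, from a single IP in a short window, sometimes followed by a success. The following detector is an added example for this article, not code from the Palo Alto Networks report or from the group's tooling. The log lines and the watchlist of account names are constructed for illustration; the real account dictionary is not reproduced on the page.

```python
"""Flag SSH password guessing against built-in accounts from sshd log lines.

Added example for this article (not from the Palo Alto Networks report).
A source IP is flagged when, within a sliding time window, it fails
authentication at least `min_failures` times against at least `min_users`
distinct usernames. Hits against a watchlist of vendor/built-in account
names and any later successful login from the same IP are reported too.
"""
import re
from collections import defaultdict
from datetime import datetime

# Hypothetical watchlist of built-in account names a telecom node might ship
# with. These are assumptions for the example, not the group's dictionary.
WATCHLIST = {"root", "admin", "oper", "omc", "ftpuser", "sysadm"}

# Matches the classic OpenSSH "Failed/Accepted password|publickey for ..." line.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample log (syslog format has no year; 2024 is assumed below).
SAMPLE_LOG = [
    "Aug 3 10:00:01 sgsn01 sshd[2311]: Failed password for invalid user omc from 203.0.113.7 port 51022 ssh2",
    "Aug 3 10:00:03 sgsn01 sshd[2313]: Failed password for root from 203.0.113.7 port 51024 ssh2",
    "Aug 3 10:00:05 sgsn01 sshd[2315]: Failed password for invalid user oper from 203.0.113.7 port 51026 ssh2",
    "Aug 3 10:00:08 sgsn01 sshd[2317]: Failed password for admin from 203.0.113.7 port 51028 ssh2",
    "Aug 3 10:00:10 sgsn01 sshd[2319]: Failed password for invalid user sysadm from 203.0.113.7 port 51030 ssh2",
    "Aug 3 10:00:12 sgsn01 sshd[2321]: Accepted password for admin from 203.0.113.7 port 51032 ssh2",
    "Aug 3 10:05:00 sgsn01 sshd[2400]: Failed password for alice from 198.51.100.4 port 40010 ssh2",
    "Aug 3 10:05:20 sgsn01 sshd[2402]: Accepted publickey for alice from 198.51.100.4 port 40012 ssh2",
]


def parse_line(line, year=2024):
    """Return a dict with ts/result/user/ip for an sshd auth line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(lines, window_s=300, min_failures=5, min_users=3):
    """Return one alert per source IP whose failures match the brute-force pattern."""
    events = [e for e in map(parse_line, lines) if e]
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["result"] == "Failed"]
        # Slide a window over the failures; report the first window that qualifies.
        for i, start in enumerate(fails):
            window = [e for e in fails[i:]
                      if (e["ts"] - start["ts"]).total_seconds() <= window_s]
            users = {e["user"] for e in window}
            if len(window) >= min_failures and len(users) >= min_users:
                success_after = any(e["result"] == "Accepted" and e["ts"] >= start["ts"]
                                    for e in evs)
                alerts.append({
                    "ip": ip,
                    "failures": len(window),
                    "users": sorted(users),
                    "watchlist_hits": sorted(users & WATCHLIST),
                    "success_after": success_after,
                })
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

On the constructed sample, only 203.0.113.7 is flagged: five failures against five distinct names in eleven seconds, every one of them on the watchlist, followed by an accepted password for `admin`. The single failure from 198.51.100.4 (a user mistyping a password before a key-based login) stays below threshold. The `success_after` flag is the part worth paging on, since a guessing campaign that ends in a success is exactly the foothold the report describes.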

The researchers have not found any evidence of data exfiltration, but the group did employ tools such as Cordscan in an attempt to collect mobile device location data. The group also set up resilient remote access, likely for future espionage operations.

This report highlights the need for proactive threat intelligence and vigilant security measures to prevent such attacks. It also underscores the importance of staying informed about emerging threats and their tactics, techniques, and procedures (TTPs).



Related Information:
  • https://www.ethicalhackingnews.com/articles/Nation-state-group-CL-STA-0969-exposes-vulnerabilities-in-Southeast-Asian-telecoms-ehn.shtml

  • https://securityaffairs.com/180737/apt/nation-state-group-cl-sta-0969-targeted-southeast-asian-telecoms-in-2024.html


  • Published: Mon Aug 4 04:06:50 2025 by llama3.2 3B Q4_K_M