Sophisticated Chinese Hacking Group Evades Detection in Asian Telecom Networks for Years
- paolo bibat
- Mar 26
- 2 min read

A China-linked hacking group, tracked as Weaver Ant, infiltrated and maintained covert access to multiple Asian telecommunication providers' networks for several years, according to a report by cybersecurity firm Sygnia.
The group's tradecraft allowed it to run a long-term cyber espionage operation while evading detection.
Sygnia's investigation found that Weaver Ant had kept persistent access to at least one major Asian telecom provider for more than four years. The operators relied on layered web shells and encrypted tunneling to conceal their activity and retain stealthy access to the compromised networks.
One of the most notable tools in Weaver Ant's arsenal was a previously undocumented web shell that Sygnia's researchers dubbed "INMemory". A conventional web shell is a script file dropped into the server's web root, where file integrity monitoring, antivirus and a disk image can all catch it. INMemory instead executes its payload entirely inside the web server process's memory, so it leaves few artifacts on disk, defeats file-based scanning, and is lost to a forensic disk image unless process memory is captured as well.
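Because an in-memory shell leaves little on disk, the web server's request log becomes the main durable artifact, and that is where a hunt usually starts. The script below is an added example, not code from Sygnia's report or from the INMemory shell itself: it scores each URL path in constructed Combined Log Format lines on generic web-shell traffic traits (POST-heavy traffic from very few client IPs, no Referer, and response sizes that swing widely because the body is command output rather than a fixed page). The endpoint paths, IP addresses, host name and thresholds are all assumptions for illustration, not indicators from the report.

```python
"""Hunting an in-memory web shell through the web server's access log.

Added example, not code from Sygnia's report or from the INMemory shell.
The heuristics are assumed, generic web-shell traits, not published
INMemory indicators.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Combined Log Format: ip ident user [ts] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (hypothetical host, paths and addresses, not real telecom logs).
SAMPLE_LOG = """\
192.0.2.10 - - [10/Mar/2025:02:10:11 +0000] "POST /account/login HTTP/1.1" 302 0 "https://portal.example/account/login" "Mozilla/5.0"
192.0.2.11 - - [10/Mar/2025:02:10:15 +0000] "POST /account/login HTTP/1.1" 302 0 "https://portal.example/account/login" "Mozilla/5.0"
192.0.2.12 - - [10/Mar/2025:02:10:19 +0000] "POST /account/login HTTP/1.1" 302 0 "https://portal.example/account/login" "Mozilla/5.0"
192.0.2.13 - - [10/Mar/2025:02:10:26 +0000] "POST /account/login HTTP/1.1" 302 0 "https://portal.example/account/login" "Mozilla/5.0"
192.0.2.14 - - [10/Mar/2025:02:10:31 +0000] "POST /account/login HTTP/1.1" 302 0 "https://portal.example/account/login" "Mozilla/5.0"
192.0.2.15 - - [10/Mar/2025:02:10:40 +0000] "POST /account/login HTTP/1.1" 302 0 "https://portal.example/account/login" "Mozilla/5.0"
192.0.2.10 - - [10/Mar/2025:02:10:12 +0000] "GET /portal/img/logo.png HTTP/1.1" 200 8123 "https://portal.example/" "Mozilla/5.0"
192.0.2.20 - - [10/Mar/2025:02:11:02 +0000] "POST /api/search HTTP/1.1" 200 1204 "https://portal.example/search" "Mozilla/5.0"
192.0.2.20 - - [10/Mar/2025:02:11:09 +0000] "POST /api/search HTTP/1.1" 200 1310 "https://portal.example/search" "Mozilla/5.0"
192.0.2.21 - - [10/Mar/2025:02:11:15 +0000] "POST /api/search HTTP/1.1" 200 1188 "https://portal.example/search" "Mozilla/5.0"
192.0.2.21 - - [10/Mar/2025:02:11:22 +0000] "POST /api/search HTTP/1.1" 200 1450 "https://portal.example/search" "Mozilla/5.0"
192.0.2.20 - - [10/Mar/2025:02:11:30 +0000] "POST /api/search HTTP/1.1" 200 1275 "https://portal.example/search" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2025:02:14:01 +0000] "POST /portal/img/loader.aspx HTTP/1.1" 200 42 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2025:02:14:03 +0000] "POST /portal/img/loader.aspx HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2025:02:14:40 +0000] "POST /portal/img/loader.aspx HTTP/1.1" 200 38 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2025:02:14:44 +0000] "POST /portal/img/loader.aspx HTTP/1.1" 200 90112 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2025:02:15:02 +0000] "POST /portal/img/loader.aspx HTTP/1.1" 200 55 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2025:02:15:09 +0000] "POST /portal/img/loader.aspx HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""


@dataclass
class PathStats:
    posts: int = 0
    gets: int = 0
    ips: set = field(default_factory=set)       # client IPs seen on POST
    no_referer: int = 0                         # POSTs with empty or "-" Referer
    sizes: list = field(default_factory=list)   # POST response sizes


def parse_line(line):
    """Return the fields of one access-log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def collect(lines):
    """Aggregate per-path statistics; only POSTs feed the shell heuristics."""
    stats = defaultdict(PathStats)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["path"]]
        if rec["method"] != "POST":
            s.gets += 1
            continue
        s.posts += 1
        s.ips.add(rec["ip"])
        if rec["referer"] in ("", "-"):
            s.no_referer += 1
        s.sizes.append(rec["size"])
    return stats


def suspicious_paths(lines, min_posts=5, max_ips=3, min_no_ref_ratio=0.9, min_size_spread=10.0):
    """Paths whose POST traffic looks like an operator talking to a web shell.

    Thresholds are assumptions to tune per environment, not values from the report.
    """
    hits = []
    for path, s in collect(lines).items():
        if s.posts < min_posts or len(s.ips) > max_ips:
            continue  # legitimate forms and APIs are hit by many clients
        no_ref_ratio = s.no_referer / s.posts
        spread = max(s.sizes) / max(1, min(s.sizes))  # command output varies; a fixed page does not
        if no_ref_ratio >= min_no_ref_ratio and spread >= min_size_spread:
            hits.append({"path": path, "posts": s.posts, "ips": sorted(s.ips),
                         "size_spread": round(spread, 1)})
    return hits


if __name__ == "__main__":
    for hit in suspicious_paths(SAMPLE_LOG.splitlines()):
        print(hit)
```

On the constructed sample only the hypothetical `/portal/img/loader.aspx` path is flagged: the login form is excluded because many clients post to it, and the search API because every request carries a Referer. Treat a hit as a lead, not a verdict; confirm it by listing the modules or assemblies loaded in the web server process and comparing them against what is actually deployed on disk, since that mismatch is the direct trace an in-memory shell leaves.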
Oren Biderman, incident response and digital forensic team leader at Sygnia, explained the group's sophistication: "Multiple layers of web shells concealed malicious payloads, allowing the threat actor to move laterally within the network and remain evasive until the final payload. These payloads and their ability to leverage never-seen-before web shells to evade detection speak to Weaver Ant's sophistication and stealthiness."
The threat actors also used a network of compromised Zyxel home routers across Southeast Asia as relay infrastructure, masking the true origin of their traffic while they carried out long-term intelligence gathering, credential harvesting and monitoring of network activity inside the operators' internal systems. Because the requests reaching a victim arrive from ordinary residential addresses, blocking or attributing by source IP alone is of limited use against this kind of relay network.
Sygnia's discovery of Weaver Ant was serendipitous: it came during the investigation of an unrelated threat. The reactivation of a previously disabled account led investigators to the group's extensive infiltration, with activity traced back to a server that had been considered clean.
This revelation comes in the wake of a series of attacks on major global telecom providers attributed to China-linked hacking groups in late 2024, including incidents involving Verizon, AT&T, T-Mobile, and Lumen. In response, US lawmakers have proposed legislation to compel telecom operators to strengthen their cybersecurity defenses.
The Weaver Ant case underscores the persistent and increasingly sophisticated nature of nation-state cyber threats, highlighting the urgent need for enhanced cybersecurity measures in critical infrastructure sectors worldwide.
