Date: 2025-08-04
Threat Intelligence, Critical Infrastructure Security
State-sponsored cyberespionage targets Southeast Asian telcos
State-backed threat operation CL-STA-0969 has attacked telecommunications firms across Southeast Asia as part of a cyberespionage campaign that ran between February and November 2024, according to The Hacker News. CL-STA-0969 used advanced anti-detection techniques and operational security measures, and it overlaps significantly with China-linked Liminal Panda while also sharing tactics associated with the LightBasin and UNC2891 hacking groups, a report from Palo Alto Networks' Unit 42 researchers showed.

One of CL-STA-0969's attacks used brute-forcing to facilitate compromise, together with the AuthDoor Pluggable Authentication Module for credential theft and persistent access, the Cordscan network scanning tool, the GTPDOOR malware, and the EchoBackdoor backdoor. The group also leveraged initial access to deploy the Serving GPRS Support Node emulator, the ChronosRAT payload, and the NoDepDNS backdoor.

"CL-STA-0969 demonstrates a deep understanding of telecommunications protocols and infrastructure. Its malware, tools and techniques reveal a calculated effort to maintain persistent, stealthy access," said Unit 42 researchers.
