UAT-7290 Expands Operations Targeting Telecoms in Southeastern Europe

By Tina Reynolds

A China-linked threat actor tracked as UAT-7290 has significantly increased its activity. It currently focuses on espionage intrusions against telecommunications providers in South Asia and Southeastern Europe. Activity attributed to the actor has been tracked since May 2022, and it has recently extended its operations into Southeastern Europe. UAT-7290 gains access to exposed systems through a mix of one-day exploits (vulnerabilities that are already public and patched by the vendor but not yet remediated on the target) and target-specific SSH brute force attacks.

First reported by the cyber intelligence company Sekoia in October 2024, UAT-7290 has become known for its varied tradecraft: it combines open-source malware, custom tooling, and exploits for CVEs in widely used edge networking products. The group's tactics overlap with those of other China-associated adversaries, including Stone Panda and RedFoxtrot, which points to a broader network of espionage-focused operations.

Intrusion and Exploitation Techniques

UAT-7290 conducts extensive reconnaissance of its intended victims before launching an intrusion. This preparation lets the group identify exploitable weaknesses in the target's exposed infrastructure with precision. Once a target is selected, it rapidly weaponizes one-day vulnerabilities and uses target-specific SSH brute force against the victim's public-facing edge devices to gain initial access and escalate privileges on the compromised systems.

“The threat actor conducts extensive reconnaissance of target organizations before carrying out intrusions. UAT-7290 leverages one-day exploits and target-specific SSH brute force to compromise public-facing edge devices to gain initial access and escalate privileges on compromised systems,” – Asheer Malhotra, Vitor Ventura, and Brandon White.
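The initial access path described above (credential guessing against SSH on an internet-facing edge device, followed by a successful login) leaves a recognizable trace in authentication logs. The following detector is an added example written for this article, not code from the original report or from Talos; it parses OpenSSH-style syslog lines, flags a source address that accumulates a threshold of failed logins inside a sliding time window, and separately flags a later successful login from a source already in the brute force state, which is the event a responder most wants to see. The log lines are constructed for illustration; the threshold, window, and field names are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample auth.log lines in OpenSSH/syslog format (not real telemetry).
# 203.0.113.7 sprays common edge-device accounts and then gets in as root;
# 198.51.100.20 is a legitimate operator with one typo followed by a key login.
SAMPLE_AUTH_LOG = """\
Jan 12 03:14:01 edge-rtr1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51112 ssh2
Jan 12 03:14:03 edge-rtr1 sshd[2203]: Failed password for root from 203.0.113.7 port 51114 ssh2
Jan 12 03:14:05 edge-rtr1 sshd[2205]: Failed password for invalid user cisco from 203.0.113.7 port 51116 ssh2
Jan 12 03:14:07 edge-rtr1 sshd[2207]: Failed password for invalid user support from 203.0.113.7 port 51118 ssh2
Jan 12 03:14:09 edge-rtr1 sshd[2209]: Failed password for root from 203.0.113.7 port 51120 ssh2
Jan 12 03:14:12 edge-rtr1 sshd[2211]: Accepted password for root from 203.0.113.7 port 51122 ssh2
Jan 12 03:20:40 edge-rtr1 sshd[2300]: Failed password for ops from 198.51.100.20 port 40001 ssh2
Jan 12 03:40:41 edge-rtr1 sshd[2301]: Accepted publickey for ops from 198.51.100.20 port 40002 ssh2
"""

# Matches both "Failed password for invalid user X" and "Accepted publickey for Y".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_line(line, year=2024):
    """Return a dict for an sshd auth event, or None for lines we do not care about.
    Syslog timestamps carry no year, so one is supplied (assumed here)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "src": m["src"]}


def detect_bruteforce(lines, threshold=5, window_s=60):
    """Sliding-window brute force detector.

    Emits ("BRUTE_FORCE", src, ts, user) the first time a source reaches
    `threshold` failed logins within `window_s` seconds, and
    ("SUCCESS_AFTER_BRUTE_FORCE", src, ts, user) for any later accepted
    login from that source, which indicates the guessing likely succeeded.
    """
    failures = defaultdict(deque)   # src -> timestamps of recent failures
    flagged = set()                 # sources already in brute force state
    alerts = []
    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue
        q = failures[ev["src"]]
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            # Drop failures that fell out of the window.
            while q and (ev["ts"] - q[0]).total_seconds() > window_s:
                q.popleft()
            if len(q) >= threshold and ev["src"] not in flagged:
                flagged.add(ev["src"])
                alerts.append(("BRUTE_FORCE", ev["src"], ev["ts"], ev["user"]))
        elif ev["src"] in flagged:
            alerts.append(("SUCCESS_AFTER_BRUTE_FORCE", ev["src"], ev["ts"], ev["user"]))
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_AUTH_LOG.splitlines()):
        print(*alert)
```

Running it over the constructed sample produces one BRUTE_FORCE alert for 203.0.113.7 at the fifth failure and one SUCCESS_AFTER_BRUTE_FORCE alert when the same source logs in as root three seconds later; the operator at 198.51.100.20 is never flagged. On a real edge device the same pattern is cheaper to prevent than to detect: set `PasswordAuthentication no` and a low `MaxAuthTries` in sshd_config, and restrict the management interface to a jump host or management VLAN so that an internet-wide scan never reaches the login prompt.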

After gaining initial access, UAT-7290 starts its infection chain with a dropper called RushDrop. RushDrop in turn delivers DriveSwitch, a component used to deploy SilentRaid. SilentRaid is a C++-based implant that gives the actor persistent access to compromised endpoints.

Establishing Operational Relay Box Nodes

UAT-7290 conducts espionage-focused intrusions that reach deep into a victim's network infrastructure. It also installs Operational Relay Box (ORB) nodes on compromised devices, which extend its own capabilities and can serve as relay infrastructure for other China-nexus actors.

“In addition to conducting espionage-focused attacks where UAT-7290 burrows deep inside a victim enterprise’s network infrastructure, their tactics, techniques, and procedures (TTPs) and tooling suggest that this actor also establishes Operational Relay Box (ORBs) nodes,” – Asheer Malhotra, Vitor Ventura, and Brandon White.

UAT-7290 thus serves a double purpose, operating both as an espionage-motivated actor and as an initial access and infrastructure provider. By building ORB infrastructure, it could enable follow-on attacks by allied actors operating inside or outside the region.

Focus on Telecommunications Providers

UAT-7290 previously concentrated on telecom providers in South Asia; its recent wave of intrusions into Southeastern Europe shows that it is extending operations beyond that region. The group's ability to penetrate, disrupt, and exploit networks with purpose-built tooling makes it a serious threat to the telecommunications sector and to critical infrastructure more broadly.

This activity is another turn in the ongoing story of how quickly state-sponsored attackers evolve. Organizations in critical infrastructure sectors face increasingly sophisticated attacks, and to limit the potential damage they need to act proactively: patch internet-facing edge devices promptly, disable password authentication on management interfaces, and monitor for the reconnaissance and brute force activity that precedes these intrusions.