China-Linked Hackers Breach Telecom Networks via Edge Device Exploits, Researchers Warn

Cyber Threat News


A China-linked hacking group has expanded a long-running cyber-espionage campaign against telecom providers by exploiting known vulnerabilities in edge networking devices. The breaches highlight growing risks to telecommunications security and the need for stronger defenses across global network infrastructure, and the incidents described below underscore how concrete those risks have become.

Security teams at Cisco Talos are tracking this threat actor as UAT-7290, a sophisticated group with strong indicators tying it to China’s cyber operations. UAT-7290 has been active since at least 2022, initially targeting telecom companies in South Asia. Recent activity shows the group now also targets organizations in Southeastern Europe, raising concerns about broader regional impact. 

TL;DR

China-linked hackers tracked as UAT-7290 are breaching telecom networks by exploiting unpatched edge devices like routers and gateways. The campaign targets telecom providers in South Asia and Southeastern Europe, using Linux malware to gain persistent access, relay traffic, and support cyber-espionage operations. Delayed patching and exposed edge infrastructure remain the biggest risks.

What the Attack Involves

Rather than random breaches, this is a planned cyber-espionage effort. UAT-7290 conducts extensive reconnaissance before launching attacks. It uses a mix of:

  • One-day exploits (publicly known but often unpatched vulnerabilities)
  • SSH brute force attacks against edge devices
  • A combination of custom and open-source malware to gain access and establish persistence on compromised systems. 

The group targets public-facing edge devices such as routers and gateways, which sit between a telco’s internal network and the public internet. Successfully compromising these systems gives attackers an entry point to escalate privileges and move deeper into network infrastructure. 

Advanced Malware Toolkit

Once inside, UAT-7290 uses a range of Linux-based malware. Some key components include:

  • RushDrop (also known as ChronosRAT), a dropper that launches the attack chain
  • DriveSwitch, which helps execute core malware
  • SilentRaid (MystRodX), a persistent implant for command and control
  • Bulbature, used to convert infected devices into operational relay boxes (ORBs) that support further intrusions and relay traffic for other threat actors. 

This mix of tools and techniques helps the group maintain long-term access and supports additional activity from allied China-linked threat actors once a network is compromised. 

Why This Matters

Telcos and internet service providers are critical infrastructure. A breach of edge devices can:

  • Expose sensitive configuration data
  • Give attackers a foothold to monitor traffic
  • Enable lateral movement to customer networks
  • Lead to theft of customer data or surveillance of communications

These are not theoretical risks. Recent history shows state-linked groups have targeted telecom firms to spy on communications and gather strategic intelligence. 

What Organizations Should Do Now

To limit risk, security teams and telecom operators should:

  • Patch known vulnerabilities quickly
  • Monitor for unusual SSH login attempts
  • Segment edge devices from core infrastructure where possible
  • Deploy intrusion detection systems tailored to network equipment
  • Review access logs for signs of reconnaissance or brute force activity

Operators should also look closely at indicators of compromise shared by Cisco Talos and partner researchers to spot potential intrusions early and contain them before significant damage occurs. 
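To make the "monitor for unusual SSH login attempts" and "review access logs for brute force activity" advice concrete, here is a small detection routine over OpenSSH authentication log lines. It is an added example written for this page, not code from Cisco Talos or from the article; the log lines, hostname and IP addresses are constructed for illustration, and the year, threshold and window are assumptions a team would tune to its own environment. It flags a burst of failed logins from one source, a successful login that immediately follows such a burst, and any password-based root login.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in OpenSSH syslog format; hostnames and
# addresses are illustrative, not telemetry from the reported campaign.
SAMPLE_LOG = """\
Mar  3 02:14:01 edge-gw1 sshd[4120]: Failed password for invalid user admin from 198.51.100.23 port 50211 ssh2
Mar  3 02:14:03 edge-gw1 sshd[4121]: Failed password for root from 198.51.100.23 port 50212 ssh2
Mar  3 02:14:04 edge-gw1 sshd[4122]: Failed password for invalid user oracle from 198.51.100.23 port 50213 ssh2
Mar  3 02:14:06 edge-gw1 sshd[4123]: Failed password for root from 198.51.100.23 port 50214 ssh2
Mar  3 02:14:08 edge-gw1 sshd[4124]: Failed password for root from 198.51.100.23 port 50215 ssh2
Mar  3 02:14:09 edge-gw1 sshd[4125]: Accepted password for root from 198.51.100.23 port 50216 ssh2
Mar  3 02:20:00 edge-gw1 sshd[4130]: Accepted publickey for netops from 10.0.5.7 port 40001 ssh2
Mar  3 03:01:10 edge-gw1 sshd[4140]: Failed password for netops from 10.0.5.7 port 40002 ssh2
Mar  3 03:01:15 edge-gw1 sshd[4141]: Accepted publickey for netops from 10.0.5.7 port 40003 ssh2
"""

# Matches the standard sshd "Accepted/Failed <method> for [invalid user] <user> from <ip> port <n>" line.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)


def parse(line, year=2025):
    """Parse one sshd auth line; return None for lines we do not recognise."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year, so the caller supplies one (assumed 2025 here).
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "src": m["src"]}


def detect(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return alerts for: a burst of failures from one source, a success
    following such a burst, and any password-based root login."""
    events = [e for e in (parse(line) for line in log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    failures = defaultdict(list)   # src -> timestamps of failures inside the window
    alerts = []
    for e in events:
        bucket = failures[e["src"]]
        # Slide the window: forget failures older than `window`.
        while bucket and e["ts"] - bucket[0] > window:
            bucket.pop(0)
        if e["result"] == "Failed":
            bucket.append(e["ts"])
            if len(bucket) == threshold:   # fire once when the burst reaches the threshold
                alerts.append({"kind": "bruteforce", "src": e["src"], "ts": e["ts"]})
            continue
        # An accepted login right after a burst is the higher-priority signal.
        if len(bucket) >= threshold:
            alerts.append({"kind": "success_after_bruteforce", "src": e["src"],
                           "user": e["user"], "ts": e["ts"]})
        if e["method"] == "password" and e["user"] == "root":
            alerts.append({"kind": "root_password_login", "src": e["src"],
                           "user": e["user"], "ts": e["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the constructed sample the routine raises three alerts, all for the same external source: the burst itself, the password login that follows it, and the fact that the account involved was root. The single failed attempt from the internal management host produces nothing, which is the behaviour you want from a threshold rule on a box where operators occasionally mistype a passphrase.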

FAQs: China-Linked Hackers Targeting Telecom Networks

Who are the China-linked hackers targeting telecom companies?

Security researchers track the group as UAT-7290, a China-linked threat actor active since at least 2022. The group focuses on cyber-espionage rather than financial crime and primarily targets telecom providers and internet infrastructure.

How are telecom networks being breached?

The attackers exploit known vulnerabilities in edge devices, such as routers and gateways exposed to the internet. They also use SSH brute-force attacks and unpatched flaws to gain initial access before moving deeper into the network.

What are edge device exploits?

Edge device exploits target networking hardware that sits between internal systems and the public internet. Since these devices often run outdated firmware and are always online, they are attractive entry points for attackers.

What malware is used in these telecom attacks?

UAT-7290 uses a mix of custom and open-source Linux malware, including RushDrop, DriveSwitch, SilentRaid, and Bulbature. These tools help the attackers maintain persistence, control infected systems, and relay traffic for further operations.

Which regions are affected by these attacks?

The campaign initially targeted telecom providers in South Asia but has now expanded to Southeastern Europe, indicating a broader and ongoing surveillance effort.

Why are telecom providers high-value targets?

Telecom networks carry sensitive communication data and form the backbone of national infrastructure. Access to these systems can enable surveillance, data interception, and downstream attacks on customers and partner networks.

Are these attacks still ongoing?

Yes. Researchers report continued activity, suggesting the campaign is active and evolving. The use of publicly known vulnerabilities indicates attackers are relying on delayed patching across telecom environments.

How can telecom operators protect against these attacks?

Key steps include timely patching of edge devices, restricting SSH access, monitoring login attempts, segmenting network infrastructure, and tracking indicators of compromise shared by security researchers.
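"Restricting SSH access" on an edge device is mostly a matter of a handful of sshd_config keywords, and a quick audit of those keywords is easy to automate. The following is an added example written for this page, not code from Cisco Talos, the article, or any vendor; the two config fragments are constructed, the `netops` account and the `10.0.5.1` management address are assumptions, and the defaults the checks compare against are OpenSSH's documented ones (PermitRootLogin defaults to prohibit-password, PasswordAuthentication to yes, MaxAuthTries to 6, and sshd listens on all addresses when no ListenAddress is set).

```python
import re

# Constructed sshd_config fragments: a permissive one as often found on an
# unmanaged edge box, and a tightened one. Names and addresses are illustrative.
WEAK_CONFIG = """\
# permissive edge device
Port 22
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 10
"""

HARDENED_CONFIG = """\
Port 22
# bind only to the management interface (assumed address)
ListenAddress 10.0.5.1
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
AllowUsers netops
"""


def parse_sshd_config(text):
    """Return {lowercased keyword: value}. As in OpenSSH, '#' lines are comments,
    'Key value' and 'Key=value' are both accepted, and the first occurrence wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        settings.setdefault(key, value)   # first occurrence wins
    return settings


def audit(settings):
    """Findings for settings that leave an internet-facing sshd open to
    password guessing or direct root access."""
    findings = []
    if settings.get("permitrootlogin", "prohibit-password") == "yes":
        findings.append("PermitRootLogin yes: root can log in with a password")
    if settings.get("passwordauthentication", "yes") == "yes":
        findings.append("PasswordAuthentication yes: exposed to password guessing; prefer keys")
    try:
        tries = int(settings.get("maxauthtries", "6"))
    except ValueError:
        tries = 6
    if tries > 6:
        findings.append(f"MaxAuthTries {tries}: more guesses per connection than the default of 6")
    if "allowusers" not in settings and "allowgroups" not in settings:
        findings.append("No AllowUsers/AllowGroups: every local account is a valid login target")
    if "listenaddress" not in settings:
        findings.append("No ListenAddress: sshd listens on every interface, including the public one")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} ==")
        for f in audit(parse_sshd_config(cfg)):
            print(" -", f)
```

The weak fragment trips every check; the hardened one trips none. Binding sshd to a management address is only meaningful if that interface is actually separated from the public-facing one, which is the segmentation point made earlier in the article.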

Can non-telecom organizations be affected?

Indirectly, yes. Compromised telecom infrastructure can be used to monitor or attack downstream customers, enterprises, and government networks connected through affected providers.

Author

  • Maya Pillai is a technology writer with over 20 years of experience. She specializes in cybersecurity, focusing on ransomware, endpoint protection, and online threats, making complex issues easy to understand for businesses and individuals.
