A China-linked threat actor had access to a router configuration database that could have completely disrupted coverage, a security vendor says.
April 3, 2024
About six months before the 2022 FIFA World Cup soccer tournament in Qatar, a threat actor — later identified as China-linked BlackTech — quietly breached the network of a major communications provider for the games and planted malware on a critical system storing network device configurations.
The breach remained undetected until six months after the games, when researchers at NetWitness spotted it during a routine audit for the service provider. During that period, the cyber-espionage group gathered up an unknown volume of data from targeted customers of the telecommunications provider — including those associated with the World Cup and vendors providing services for it.
But it's the "what else could have happened" that's the really scary part, says Stefano Maccaglia, global practice manager, incident response, at NetWitness, discussing the incident for the first time with Dark Reading recently.
The access that BlackTech had to the telecom provider's system would have allowed the threat actor to completely disrupt key communications — including all streaming services associated with the game. The fallout from such a disruption would have been substantial in terms of geopolitical implications, brand damage, national reputation, and potentially hundreds of millions of dollars in losses from the licensing rights and ads negotiated prior to the World Cup, Maccaglia says.
"We are normally very collected, but in this case, we were terrified," Maccaglia says of NetWitness' discovery. "The threat actor literally had their finger on the button but didn't push it."
NetWitness' involvement in the Qatar World Cup began in 2022, about six months before the event, when several local service providers hired the company to assess the cybersecurity preparedness of some of the supporting IT infrastructure for the games. Like with other security vendors involved in the effort, the telecom provider gave NetWitness access to a substantial portion of its tech stack and environment — but not to all of it.
According to Maccaglia, the NetWitness team detected and remediated several issues on parts of the provider's tech stack to which the company had access. But it wasn't until early 2023 that the service provider finally opened up the rest of the environment to NetWitness for additional auditing. This was when NetWitness unearthed log activity suggesting that someone had gained access to the provider's network.
The company's subsequent investigation showed the attacker had planted a sophisticated rootkit and a backdoor, dubbed Waterbear, on a critical configuration management database (CMDB) storing device configurations for the provider's customers. NetWitness found the attackers had used PLEAD — a remote access Trojan commonly associated with the BlackTech APT — to target additional systems within the environment.
"The attacker aimed to control this database [from] the beginning, because it would allow him/her to swap configurations on the fly and revert them back, once finished, leaving no traces," Maccaglia says.
BlackTech is a threat actor that the US Cybersecurity and Infrastructure Security Agency (CISA) last year identified as a threat to organizations in the telecommunications, technology, media, electronics, and industrial sectors. In an advisory, CISA described the threat actor (aka Radio Panda, Circuit Panda, Temp.Overboard, and Palmerworm) as particularly adept at modifying router malware without detection and at exploiting routers' domain-trust relationships to gain access to victim networks. "BlackTech actors' TTPs include developing customized malware and tailored persistence mechanisms for compromising routers," CISA noted. "These TTPs allow the actors to disable logging and abuse trusted domain relationships to pivot between international subsidiaries and domestic headquarters' networks."
In the attack on the telecom provider in Qatar, BlackTech actors used their access to the CMDB to change the configurations of Asus routers belonging to various organizations so that systems belonging to those organizations became accessible over the Internet. They then uploaded PLEAD — concealed in legitimate-looking Asus software updates — to those systems by modifying the DNS resolution of asus.com, and used PLEAD to steal data from the victim organizations. Among the systems infected in this manner were those associated with the World Cup games. The attackers would change the router configuration for a few hours at a time and then revert to the original rules to minimize the chances of detection, Maccaglia says.
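The swap-and-revert pattern Maccaglia describes is exactly what a periodic diff of each router's current running config against its baseline misses, because by the time the diff runs the config is back to normal. As an added example (not NetWitness's tooling or the provider's), the following Python replays archived config snapshots and flags every deviation from a device's first archived config, including changes that were rolled back before anyone looked; the device names, timestamps and key=value config lines are constructed.

```python
# Added example, not NetWitness's or the provider's tooling. It assumes a job
# that archives each device's config text on a fixed interval; a config pushed
# for a few hours and then rolled back still shows up in that archive even
# though a diff against today's running config would show nothing.
import hashlib
from datetime import datetime
from typing import Dict, List, Optional, Tuple

Snapshot = Tuple[str, str, str]  # (ISO timestamp, device name, config text)


def find_config_swaps(snapshots: List[Snapshot]) -> List[dict]:
    """Report every departure from each device's first archived config.
    'reverted' set means swap-and-restore; None means the change is still live.
    Either should match a change ticket. The earliest snapshot is taken as
    trusted, so seed the archive from a known-good backup."""
    series: Dict[str, List[Tuple[datetime, str]]] = {}
    for ts, dev, cfg in sorted(snapshots):
        series.setdefault(dev, []).append((datetime.fromisoformat(ts), cfg))

    findings: List[dict] = []
    for dev, points in series.items():
        baseline = points[0][1]
        base_lines = set(baseline.splitlines())
        current: Optional[dict] = None
        for when, cfg in points:
            fp = hashlib.sha256(cfg.encode()).hexdigest()[:12]
            if cfg == baseline:
                if current is not None:  # config rolled back to baseline
                    current["reverted"] = when.isoformat()
                    began = datetime.fromisoformat(current["began"])
                    current["hours"] = round((when - began).total_seconds() / 3600, 1)
                    current = None
            elif current is None or current["fingerprint"] != fp:  # new deviation, or A -> B
                current = {"device": dev, "fingerprint": fp, "began": when.isoformat(),
                           "reverted": None,
                           "added_lines": [l for l in cfg.splitlines() if l not in base_lines]}
                findings.append(current)
    return findings


# Constructed hourly snapshots in a generic key=value style, not a real vendor
# format: rtr-01's DNS server and a port-forward change at 02:00, revert at 04:00.
BASELINE = "dns_server=198.51.100.2\nport_forward=\n"
SWAPPED = "dns_server=203.0.113.5\nport_forward=tcp:443>10.0.0.7:443\n"
SAMPLE: List[Snapshot] = [
    ("2022-11-20T00:00:00", "rtr-01", BASELINE),
    ("2022-11-20T02:00:00", "rtr-01", SWAPPED),
    ("2022-11-20T03:00:00", "rtr-01", SWAPPED),
    ("2022-11-20T04:00:00", "rtr-01", BASELINE),
]
```

Run against a real archive, every finding without a matching change ticket is a lead, and the `added_lines` field shows what the transient config exposed or redirected.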
The fact that no one was able to spot the intrusion in the months leading up to the World Cup, during the event, or for months later is worrisome, Maccaglia says. With the countdown for the 2024 Summer Olympics well underway, it is imperative that the entire technology stack supporting the games be vetted for security issues, he says.
The Olympics, like other major sporting events such as the Super Bowl, have become huge cyberattack targets in recent years. In 2019, for instance, a threat group later linked to Russia's military intelligence attempted to disrupt the opening of the Winter Olympics in South Korea after Russian athletes were banned from participating over doping concerns.
"As we saw with the World Cup, threats can live in obscure places and keep a very low profile," Maccaglia says. "You can't find what you aren't allowed to look for," he adds, arguing that companies like NetWitness need visibility into the entire infrastructure supporting the games.
"When you behave as if there's always a threat present, you put yourself in a position to mitigate damage and, potentially, get ahead of the threat in the environment," he says. "This will be critical for the 2024 Summer Games."
Jai Vijayan, Contributing Writer
Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.