Chinese hackers infiltrate telecommunications providers in the Middle East in Operation Soft Cell.
Chinese hackers have targeted telecommunications providers in the Middle East in a new cyber attack campaign known as Operation Soft Cell. The activity began in the first quarter of 2023 and involved compromising Internet-facing Microsoft Exchange servers to deploy web shells, which gave the attackers command execution on the hosts.
Once a foothold was established, the hackers conducted reconnaissance, credential theft, lateral movement, and data exfiltration. Although the attackers used a custom variant of Mimikatz, tracked as mim221, that adds new anti-detection features, the intrusions were detected and blocked before any implants could be deployed on the target networks.
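The chain described above, a web shell running under the IIS worker process that hosts Exchange and then a Mimikatz-style credential dump, leaves two behaviours that are easy to hunt for in endpoint telemetry. The script below is an added example, not code from the original report or from any vendor, that runs both checks over a few constructed Sysmon-style events: IIS's w3wp.exe spawning a command interpreter, and a process opening lsass.exe with the PROCESS_VM_READ right that memory-dumping tools need. The log format, paths and the file name mim.exe are invented for the example.

```python
"""Flag two behaviours from the Soft Cell intrusion chain in endpoint telemetry:
web-shell command execution under the IIS worker process that hosts Exchange
(w3wp.exe), and credential dumping that reads LSASS memory.
Input is a handful of constructed Sysmon-style events in key=value form."""
import re

# Constructed sample events (not real telemetry). EventID 1 = process creation,
# EventID 10 = process access, mirroring Sysmon's schema. The mim.exe path is
# an invented stand-in for a renamed credential dumper.
SAMPLE_LOG = r'''
EventID=1 ParentImage=C:\Windows\System32\inetsrv\w3wp.exe Image=C:\Windows\System32\cmd.exe CommandLine="cmd.exe /c whoami /all"
EventID=1 ParentImage=C:\Windows\explorer.exe Image=C:\Windows\System32\notepad.exe CommandLine="notepad.exe notes.txt"
EventID=1 ParentImage=C:\Windows\System32\inetsrv\w3wp.exe Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine="powershell.exe -nop -w hidden -enc SQBFAFgA"
EventID=1 ParentImage=C:\Windows\System32\inetsrv\w3wp.exe Image=C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe CommandLine="csc.exe /noconfig /fullpaths @page.cmdline"
EventID=10 SourceImage=C:\Windows\System32\svchost.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1400
EventID=10 SourceImage=C:\Users\Public\mim.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1010
'''

# key=value pairs; a value is either a double-quoted string or a run of non-space characters.
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

IIS_WORKER = "w3wp.exe"

# Children that the IIS worker has little business spawning. A web shell executing
# operator commands almost always surfaces as one of these. csc.exe is deliberately
# absent: ASP.NET compiles pages through it, so it is a normal child of w3wp.exe.
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "cscript.exe", "wscript.exe",
                  "certutil.exe", "net.exe", "whoami.exe", "nltest.exe"}

PROCESS_VM_READ = 0x0010  # access right required to read another process's memory


def parse_event(line: str) -> dict:
    """Turn one key=value line into a dict, stripping surrounding quotes."""
    return {key: value.strip('"') for key, value in KV.findall(line)}


def basename(path: str) -> str:
    """Case-insensitive file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def webshell_exec(ev: dict) -> bool:
    """Process creation where the IIS worker spawns a command interpreter or recon tool."""
    return (ev.get("EventID") == "1"
            and basename(ev.get("ParentImage", "")) == IIS_WORKER
            and basename(ev.get("Image", "")) in SHELL_CHILDREN)


def lsass_memory_read(ev: dict) -> bool:
    """Process access to lsass.exe whose granted mask includes PROCESS_VM_READ."""
    if ev.get("EventID") != "10" or basename(ev.get("TargetImage", "")) != "lsass.exe":
        return False
    granted = int(ev.get("GrantedAccess", "0"), 16)  # Sysmon logs the mask as 0x-prefixed hex
    return bool(granted & PROCESS_VM_READ)


def triage(log: str) -> list[tuple[str, str]]:
    """Run both rules over every line and return (rule, evidence) pairs in log order."""
    alerts = []
    for line in log.strip().splitlines():
        ev = parse_event(line)
        if webshell_exec(ev):
            alerts.append(("webshell_exec", ev.get("CommandLine", "")))
        if lsass_memory_read(ev):
            alerts.append(("lsass_memory_read", ev.get("SourceImage", "")))
    return alerts


if __name__ == "__main__":
    for rule, evidence in triage(SAMPLE_LOG):
        print(f"{rule:18} {evidence}")
```

On the sample the first rule fires twice (the cmd.exe and encoded PowerShell children of w3wp.exe) and the second once (mim.exe opening lsass.exe with 0x1010); svchost.exe's 0x1400 handle lacks PROCESS_VM_READ and is ignored, as is the csc.exe compile. In production the LSASS rule needs an allowlist for endpoint security products that legitimately read LSASS memory, and a renamed Mimikatz build such as mim221 is exactly why the rule keys on the access mask rather than on the tool's file name.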
Operation Soft Cell has been attributed to a Chinese cyber espionage actor associated with a long-running campaign that has targeted telecommunications providers since at least 2012. The Soft Cell threat actor, also tracked by Microsoft as Gallium, is known to target unpatched internet-facing services and use tools like Mimikatz to obtain credentials that allow for lateral movement across targeted networks.
While the latest campaign ultimately proved unsuccessful, the use of special-purpose modules that implement a range of advanced techniques shows the hackers' dedication to pushing their toolset towards maximum stealth, and highlights the continuous maintenance and development of the Chinese espionage malware arsenal. It is also a reminder that the basics still decide outcomes against this actor: patching internet-facing services such as Exchange, watching for web shells and unexpected child processes of IIS, and protecting credentials against Mimikatz-style theft.