- The Weaver Ant group infiltrated Asian telecom providers using stealthy techniques.
- The campaign remained undetected for over four years.
What happened: Stealthy telecom espionage campaign exposed
A China-linked hacking group, dubbed Weaver Ant, secretly infiltrated several Asian telecommunications providers over a period of at least four years, according to a report by cybersecurity firm Sygnia. The attackers relied on techniques such as encrypted tunnelling and web shells to maintain persistence and avoid detection.
The hackers used compromised Zyxel home routers across Southeast Asia as a relay network, masking the true origin of their traffic. This enabled them to conduct long-term espionage operations, harvest credentials, and monitor internal network activity. The attackers also deployed a previously undiscovered web shell named INMemory, which executes payloads directly in server memory rather than writing them to disk, leaving little on-disk forensic trace.
Sygnia’s investigation found that Weaver Ant routed its malicious traffic through an operational relay box (ORB) network built from these compromised devices rather than from infrastructure the group provisioned itself, which further concealed who was behind the activity. The group also showed a high degree of adaptability, pivoting from one telecom provider to another through compromised devices and evading security controls along the way.
The breach came to light by chance during a Sygnia investigation into an unrelated matter, when analysts noticed that a previously disabled account had been re-enabled by a service account. Following up on that anomaly led them to uncover the larger espionage campaign and confirm Weaver Ant’s extensive access across multiple telecom networks.
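The anomaly that exposed the campaign, a disabled account re-enabled by a service account, is something a SOC can alert on directly from audit logs. The following is an added example written for this page, not code from Sygnia or from the report. It replays Windows Security audit events, where event ID 4725 ("A user account was disabled") and 4722 ("A user account was enabled") are the real identifiers; the log line format and the sample lines are constructed, and the rule that service accounts carry an "svc_" or "svc-" prefix is an assumption to be adapted to your own naming convention.

```python
"""
Flag a previously disabled account being re-enabled by a service account.

Added example, not code from Sygnia's report. Windows Security event IDs
4725 (account disabled) and 4722 (account enabled) are real; the log
format, the sample lines and the 'svc_' / 'svc-' naming convention for
service accounts are assumptions made for this illustration.
"""

# Constructed sample audit lines: timestamp, event ID, who acted, on whom.
SAMPLE_LOG = r"""
2025-01-14T02:11:05Z EventID=4725 Subject=CORP\admin.jane Target=CORP\jdoe
2025-01-14T09:30:41Z EventID=4722 Subject=CORP\admin.jane Target=CORP\bsmith
2025-02-02T17:05:12Z EventID=4725 Subject=CORP\admin.jane Target=CORP\old_vendor
2025-03-03T03:48:59Z EventID=4722 Subject=CORP\svc_backup Target=CORP\jdoe
2025-03-05T10:02:33Z EventID=4722 Subject=CORP\admin.mark Target=CORP\old_vendor
""".strip().splitlines()

# Assumed naming convention for non-human accounts; adapt to your directory.
SERVICE_ACCOUNT_PREFIXES = ("svc_", "svc-")

EVENT_ACCOUNT_DISABLED = 4725
EVENT_ACCOUNT_ENABLED = 4722


def parse_line(line):
    """Parse one 'timestamp Key=Value ...' line (constructed format) into a dict."""
    ts, *fields = line.split()
    ev = {"time": ts}
    for field in fields:
        key, _, value = field.partition("=")
        ev[key.lower()] = value
    ev["eventid"] = int(ev["eventid"])
    return ev


def account_name(principal):
    """Strip the DOMAIN\\ prefix and normalise case so lookups are stable."""
    return principal.rsplit("\\", 1)[-1].lower()


def is_service_account(principal):
    """True if the account name matches the assumed service-account prefixes."""
    return account_name(principal).startswith(SERVICE_ACCOUNT_PREFIXES)


def find_service_account_reenables(lines):
    """Return one alert per 4722 event whose target was seen disabled earlier
    in the log and whose enabling subject is a service account."""
    disabled_at = {}  # account name -> time it was last disabled
    alerts = []
    for ev in sorted(map(parse_line, lines), key=lambda e: e["time"]):
        target = account_name(ev["target"])
        if ev["eventid"] == EVENT_ACCOUNT_DISABLED:
            disabled_at[target] = ev["time"]
        elif ev["eventid"] == EVENT_ACCOUNT_ENABLED:
            if target in disabled_at and is_service_account(ev["subject"]):
                alerts.append({
                    "time": ev["time"],
                    "target": target,
                    "subject": account_name(ev["subject"]),
                    "disabled_at": disabled_at[target],
                })
            disabled_at.pop(target, None)  # account is active again either way
    return alerts


if __name__ == "__main__":
    for alert in find_service_account_reenables(SAMPLE_LOG):
        print(f"ALERT {alert['time']}: {alert['subject']} re-enabled "
              f"{alert['target']} (disabled since {alert['disabled_at']})")
```

Run as written, the rule fires once, on the 4722 event where svc_backup re-enables jdoe, and stays quiet on the two re-enables performed by administrators. Note the caveat: the rule only knows an account was disabled if the 4725 event falls inside the log window, so for accounts disabled before your retention period you need to check the prior state in the directory itself (or alert on every 4722 raised by a service account, which is rarely a legitimate action).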
Why it is important
The revelation of this campaign highlights the vulnerability of critical telecom infrastructure to prolonged cyberespionage operations. Telecom providers, being central to communications, are lucrative targets for nation-state actors seeking intelligence on government, business, and individual activities.
By routing their traffic through compromised home routers, the attackers sidestepped traditional network detection: connections arrived from residential addresses with a benign reputation rather than from known malicious infrastructure, so IP-reputation and geo-based controls had nothing to flag. Combined with memory-resident web shells that leave little on disk, this demonstrates an evolution in tradecraft that makes intrusions harder for security teams to trace or block.
Moreover, the fact that the intrusion persisted for several years suggests that telecom operators may face systemic weaknesses in their security frameworks. The incident underscores the need for continuous monitoring of identity and access events, detection capabilities that go beyond signature and reputation checks, and proactive security measures to prevent similar breaches.