A China-linked hacking group, identified as Earth Estries, has been leveraging a new malware known as GHOSTSPIDER to target telecommunications companies in more than 12 countries. This advanced persistent threat (APT) group has also deployed other tools, such as the MASOL RAT backdoor, to infiltrate government and corporate networks, especially in Southeast Asia.
Earth Estries has reportedly breached over 20 entities across industries like telecommunications, technology, government, and transportation. The victims span countries including India, Malaysia, the U.S., South Africa, Indonesia, and Vietnam, among others. These attacks highlight the group’s focus on gathering intelligence through long-term cyber espionage campaigns.
According to researchers, Earth Estries has been active since at least 2020. It uses a variety of malware families, including Deed RAT and the Demodex rootkit, to maintain persistent access to compromised networks. The group exploits vulnerabilities in widely used systems like Microsoft Exchange Server, Sophos Firewall, and Ivanti Connect Secure to gain initial access.
One of its key tools, GHOSTSPIDER, is a sophisticated implant that communicates with attacker-controlled servers through a secure custom protocol. This malware fetches additional modules as needed, enabling it to perform various espionage functions.
Researchers noted that the group employs meticulous strategies to evade detection, from edge device infiltration to cloud environment breaches.
The hacking group’s infrastructure appears well-organized, with distinct teams managing malware deployment and control systems. This operational complexity makes Earth Estries particularly challenging to counter.
Reports suggest that these attacks are part of a broader trend of China-linked groups targeting telecom providers and other critical infrastructure. Such operations have shifted from isolated incidents to more organized campaigns aimed at bulk data collection and persistent surveillance.
To defend against threats like GHOSTSPIDER, organizations must prioritize robust cybersecurity measures. Patch systems regularly to fix known vulnerabilities, especially in widely used, internet-facing products like Exchange Server or firewalls.
Employ intrusion detection systems and monitor network activity for suspicious patterns. Additionally, implement strict access controls, including multi-factor authentication, to limit potential attack vectors. Regular employee training on cybersecurity awareness can also play a critical role in mitigating risks.