What happened
"New China-Linked Hacker Campaign Exploits Edge Devices in Telco Breaches" outlines activity by a sophisticated threat actor, tracked by Cisco Talos as UAT-7290 and showing strong China-nexus indicators, that has been breaching telecommunications providers, including in South Asia and Southeastern Europe, by exploiting public-facing edge network devices. The group performs extensive reconnaissance and gains initial access through one-day exploits (known vulnerabilities for which a patch exists but has not been applied) and target-specific SSH brute force against individual devices and accounts. Once inside, the attackers deploy a Linux-based malware suite (including RushDrop/ChronosRAT, DriveSwitch, SilentRaid/MystRodX, and Bulbature) and occasionally Windows implants such as RedLeaves and ShadowPad. These tools establish persistent access and convert compromised devices into Operational Relay Boxes (ORBs): infrastructure that relays the actor's traffic so that follow-on intrusions appear to originate from the victim's own equipment, and that may also be used by other China-aligned actors for cyber-espionage. Talos published indicators of compromise to aid defenders.
Who is affected
Telecommunications providers in South Asia and Southeastern Europe have seen direct compromise of edge devices. Because a compromised device is repurposed as a relay, the indirect risk extends to the providers' customers, to downstream targets of traffic routed through the ORBs, and to service availability and regional infrastructure.
Why CISOs should care
Compromise of telco edge devices can serve as a foothold for broader supply chain intrusion and persistent espionage, jeopardizing customer data, service continuity, and trust in telecommunications infrastructure. Edge devices typically sit outside endpoint detection coverage and are patched less often than servers, so an implant there can persist for long periods without being noticed.
3 practical actions
- Harden publicly exposed devices: Apply vendor patches promptly, since the actor relies on one-day exploits, and restrict SSH on telco edge infrastructure to management networks or explicit allow-lists, with key-based authentication and rate limiting to blunt target-specific brute force.
- Monitor for abnormal lateral movement: Use network detection to identify ORB-like activity (an edge device initiating outbound connections, especially SSH, to unexpected external peers) and unauthorized shell access, including repeated failed logins followed by a success from the same source.
- Share and ingest IOCs: Integrate Talos-provided indicators of compromise into detection tooling to catch UAT-7290 activity, and run them against retained logs as well as live telemetry, because relay infrastructure may have been in place before the indicators were published.
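The detection side of the actions above, as an added example that is not part of the original brief and not Talos tooling: a small Python script that runs over sshd log lines to flag target-specific SSH brute force (a burst of failed logins against a few accounts from one source, followed by a success) and over flow records from the edge device to flag connections to listed indicators or outbound SSH from the device to non-private space, which is what a box used as a relay looks like. The hostnames, addresses, log lines and indicator list are all constructed for the example using RFC 5737 documentation ranges; they are not the indicators Talos published, and the threshold, window and relay heuristic are assumptions to tune for your environment.

```python
"""Added example: SSH brute-force and IOC/relay detection over constructed logs.
Not Talos tooling; all hosts, addresses and indicators below are made up."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd lines in syslog format. 203.0.113.45 hammers two accounts
# within seconds and then logs in; 192.0.2.10 is a legitimate operator.
SAMPLE_AUTH_LOG = """\
Mar 03 01:00:01 edge-rtr-1 sshd[2101]: Failed password for invalid user admin from 203.0.113.45 port 51512 ssh2
Mar 03 01:00:03 edge-rtr-1 sshd[2102]: Failed password for root from 203.0.113.45 port 51513 ssh2
Mar 03 01:00:04 edge-rtr-1 sshd[2103]: Failed password for root from 203.0.113.45 port 51514 ssh2
Mar 03 01:00:06 edge-rtr-1 sshd[2104]: Failed password for root from 203.0.113.45 port 51515 ssh2
Mar 03 01:00:08 edge-rtr-1 sshd[2105]: Failed password for root from 203.0.113.45 port 51516 ssh2
Mar 03 01:00:09 edge-rtr-1 sshd[2106]: Accepted password for root from 203.0.113.45 port 51517 ssh2
Mar 03 01:15:22 edge-rtr-1 sshd[2150]: Failed password for ops from 192.0.2.10 port 40021 ssh2
Mar 03 01:15:40 edge-rtr-1 sshd[2151]: Accepted publickey for ops from 192.0.2.10 port 40022 ssh2
"""

# Constructed flow records for traffic sourced by the edge device itself (10.20.0.5).
SAMPLE_FLOW_LOG = """\
Mar 03 02:10:00 edge-rtr-1 flow src=10.20.0.5 dst=198.51.100.7 dport=443 proto=tcp
Mar 03 02:10:05 edge-rtr-1 flow src=10.20.0.5 dst=10.20.0.1 dport=53 proto=udp
Mar 03 02:12:41 edge-rtr-1 flow src=10.20.0.5 dst=192.0.2.77 dport=22 proto=tcp
"""

# Constructed indicator list for the example; NOT the indicators Talos published.
IOC_IPS = {"198.51.100.7", "198.51.100.23"}

# RFC 1918 space counts as internal; documentation ranges stand in for public space.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

SSHD_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)
FLOW_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ flow src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)"
)


def _ts(text):
    # Syslog timestamps carry no year; only the deltas matter here.
    return datetime.strptime(text, "%b %d %H:%M:%S")


def detect_ssh_bruteforce(log_text, threshold=5, window_seconds=60):
    """Flag sources with >= threshold failed logins inside a sliding window.
    Reports the accounts tried and whether a success followed the burst."""
    failures = defaultdict(list)   # src -> [(time, user)]
    successes = defaultdict(list)  # src -> [time]
    for line in log_text.splitlines():
        m = SSHD_RE.match(line)
        if not m:
            continue
        when = _ts(m["ts"])
        if m["result"] == "Failed":
            failures[m["src"]].append((when, m["user"]))
        else:
            successes[m["src"]].append(when)

    window = timedelta(seconds=window_seconds)
    alerts = []
    for src, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                last_fail = events[end][0]
                alerts.append({
                    "source": src,
                    "attempts": count,
                    "users": sorted({u for _, u in events[start:end + 1]}),
                    "success_after": any(t >= last_fail for t in successes[src]),
                })
                break  # one alert per source is enough for triage
    return alerts


def match_flow_iocs(flow_text, ioc_ips, device_ip):
    """Return flows from the device to listed IOCs, plus outbound SSH from the
    device to non-internal space (an assumed relay heuristic, tune per network)."""
    hits = []
    for line in flow_text.splitlines():
        m = FLOW_RE.match(line)
        if not m or m["src"] != device_ip:
            continue
        dst = ipaddress.ip_address(m["dst"])
        reason = None
        if m["dst"] in ioc_ips:
            reason = "ioc_match"
        elif m["dport"] == "22" and not any(dst in net for net in INTERNAL_NETS):
            reason = "outbound_ssh_to_public"
        if reason:
            hits.append({"ts": m["ts"], "dst": m["dst"], "dport": int(m["dport"]), "reason": reason})
    return hits


if __name__ == "__main__":
    for a in detect_ssh_bruteforce(SAMPLE_AUTH_LOG):
        print("SSH brute force:", a)
    for h in match_flow_iocs(SAMPLE_FLOW_LOG, IOC_IPS, "10.20.0.5"):
        print("Suspicious flow:", h)
```

On the constructed input the script raises one brute-force alert for 203.0.113.45 (five failures across the admin and root accounts in seven seconds, then a successful password login) and two flow hits (one IOC match on 198.51.100.7:443 and one outbound SSH session from the device to 192.0.2.77). Real deployments would feed it from journald or a flow collector rather than inline strings, and would treat the "success after burst" case as the highest-priority alert, since that is the initial-access pattern the brief describes.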
