Threat Intel - Red Menshen Plants BPFdoor Backdoors in Telecom
Basically, hackers are sneaking hidden backdoors into telecom networks to spy on communications.
A sophisticated espionage campaign by Red Menshen embeds BPFdoor backdoors in telecom networks. This poses serious risks to global communications and national security. Rapid7 Labs reveals the advanced tactics used.
The Threat
A recent investigation by Rapid7 Labs has uncovered a sophisticated espionage campaign led by the state-sponsored group known as Red Menshen. This campaign is notable for its use of a stealthy backdoor called BPFdoor, which has been embedded within global telecommunications infrastructure. Unlike typical hacking incidents, this operation signifies a strategic shift from opportunistic attacks to long-term infiltration. By embedding themselves into the backbone of national and international communications, these hackers aim to gather intelligence on high-value targets.
Telecommunications networks are crucial for government communications, subscriber identity authentication, and coordination of critical industries. The potential for intelligence collection in these environments is vast, far exceeding the capabilities of a conventional data breach. With persistent access, attackers can monitor subscriber identifiers and communication metadata, enabling extensive tracking of geopolitical targets.
Who's Behind It
The Red Menshen group has specifically targeted telecom providers across various regions, including South Korea, Hong Kong, Myanmar, Malaysia, Egypt, and parts of the Middle East. The collateral damage extends to government networks that rely on these carriers, amplifying the risk of sensitive data exposure. The stealthy nature of their operations, combined with the strategic importance of the telecommunications sector, makes this a significant threat to national security.
Tactics & Techniques
At the heart of this campaign is the BPFdoor backdoor, which operates at the kernel level of Linux systems. It exploits the Berkeley Packet Filter (BPF) functionality to monitor incoming traffic without raising alarms. Unlike conventional malware, BPFdoor does not create visible command-and-control channels. Instead, it waits for a specially crafted packet to activate, making detection extremely difficult.
Rapid7 Labs discovered an advanced variant of BPFdoor that conceals its activation commands within legitimate HTTPS traffic. This clever tactic allows the malware to blend seamlessly into normal network operations, evading traditional security measures. The use of ICMP-based control channels further enhances its stealth, enabling compromised servers to communicate without standard C2 traffic.
Defensive Measures
In response to these findings, Rapid7 has collaborated with national CERTs and government partners to alert affected organizations. They have also released a free, open-source scanning tool to help detect both legacy and new BPFdoor variants. Organizations are urged to enhance their monitoring capabilities, focusing on kernel-level operations and unusual BPF filter activities. By increasing visibility in these areas, defenders can better protect their networks against such sophisticated threats.
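One way to operationalize the "unusual BPF filter activity" check above, as an added example that is not part of the original article or of Rapid7's scanning tool: it parses the output of `ss -0pb` (packet sockets, their owning processes, and any attached classic BPF filter) and flags filter-holding processes that are not on an assumed allowlist. The sample output, the process names, the pids, the filter bytes and the exact layout of the `bpf filter` line are constructed/assumed, so adjust the regexes to what `ss` prints on your hosts.

```python
import re
from typing import Dict, List

# Constructed sample of `ss -0pb` output (not captured from a real host).
# The exact "bpf filter (N): ..." layout is assumed from memory of iproute2.
SAMPLE_SS_OUTPUT = """\
Netid  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
p_dgr  0      0          *:eth0              *                 users:(("dhclient",pid=812,fd=5))
\tbpf filter (3): 0x28 0 0 0x0000000c, 0x15 0 1 0x00000800, 0x06 0 0 0x00040000
p_raw  0      0          *:eth0              *                 users:(("unknown-daemon",pid=4127,fd=3))
\tbpf filter (5): 0x28 0 0 0x0000000c, 0x15 0 3 0x00000800, 0x30 0 0 0x00000017, 0x15 0 1 0x00000001, 0x06 0 0 0x00040000
"""

# Assumed allowlist of processes expected to hold filtered packet sockets;
# tune this per environment (DHCP clients, capture tools, network managers).
EXPECTED_BPF_USERS = {"dhclient", "dhcpcd", "tcpdump", "NetworkManager"}

# A packet-socket line: netid, then the owning process from the users:(...) field.
SOCKET_RE = re.compile(r'^(p_raw|p_dgr)\s.*users:\(\("(?P<name>[^"]+)",pid=(?P<pid>\d+)')
# The indented filter line that ss prints under a socket when -b is given.
FILTER_RE = re.compile(r'^\s*bpf filter \((?P<n>\d+)\):\s*(?P<insns>.*)$')


def parse_packet_sockets(text: str) -> List[Dict]:
    """Pair each packet-socket line with the bpf filter line that follows it."""
    entries: List[Dict] = []
    for line in text.splitlines():
        m = SOCKET_RE.match(line)
        if m:
            entries.append({"name": m["name"], "pid": int(m["pid"]),
                            "filter_len": 0, "insns": []})
            continue
        f = FILTER_RE.match(line)
        if f and entries:  # filter line belongs to the most recent socket
            entries[-1]["filter_len"] = int(f["n"])
            entries[-1]["insns"] = [i.strip() for i in f["insns"].split(",") if i.strip()]
    return entries


def suspicious_bpf_users(text: str, allow=EXPECTED_BPF_USERS) -> List[Dict]:
    """Return packet sockets carrying a BPF filter whose owner is not allowlisted.

    This is the host-level signal the article recommends watching: a process
    with no legitimate capture role holding a filtered AF_PACKET socket.
    """
    return [e for e in parse_packet_sockets(text)
            if e["filter_len"] > 0 and e["name"] not in allow]


if __name__ == "__main__":
    for hit in suspicious_bpf_users(SAMPLE_SS_OUTPUT):
        print(f"pid={hit['pid']} {hit['name']}: {hit['filter_len']} BPF instructions")
```

Run the real check with `ss -0pb | python3 this_script.py`-style plumbing (feed stdout into `suspicious_bpf_users`) and treat any hit as a lead to triage, not proof of compromise.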
As the landscape of cyber threats continues to evolve, the implications of this espionage campaign underscore the need for robust security measures in the telecommunications sector. The stakes are high, and vigilance is essential to safeguard sensitive communications.