
China-Linked UAT-7290 Targets Telecoms in South Asia and Southeast Europe with Sophisticated Tactics
The threat actor UAT-7290, linked to China, has been conducting targeted intrusions against telecommunications entities in South Asia and Southeast Europe since at least 2022. The attacks begin with an extensive technical reconnaissance phase, followed by the deployment of malware from the RushDrop family. Notably, the group routes its operations through Operational Relay Box (ORB) infrastructure built on Linux systems to obscure where the activity actually originates. This tactic is consistent with the operational security practices of advanced persistent threat (APT) groups, particularly those associated with state-sponsored activity.

While the use of ORB nodes demonstrates a deliberate approach to evading detection and attribution, the absence of specific details on victims or concrete impacts makes it difficult to fully assess the campaign's effectiveness and scope. Telecoms are critical infrastructure targets, often sought for intelligence gathering or as a foothold for further network compromise. The emphasis on reconnaissance underscores the group's methodical approach, likely intended to minimize detection while maximizing opportunities for data exfiltration.

For cybersecurity professionals, this activity highlights the importance of monitoring for unusual reconnaissance patterns and of securing Linux-based infrastructure against compromise, since such hosts can be repurposed as relay nodes. The use of RushDrop malware further suggests a need for updated threat intelligence and endpoint protection measures tailored to this emerging threat.
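The summary recommends monitoring for unusual reconnaissance patterns without saying what such a pattern looks like in telemetry. The following added example, which is not code from the original report or from any vendor describing UAT-7290, shows one generic heuristic a defender can run over firewall or flow logs: a single source touching an unusually large number of distinct destination/port pairs within a short window. The log lines, IP addresses, window length and threshold are all constructed for illustration and are not indicators tied to this campaign.

```python
"""Flag reconnaissance-style fan-out in connection logs (added example, not from the page)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not indicators from the report).
# Format per line: "<ISO timestamp> <src> <dst> <dport> <action>"
SAMPLE_LOG = """\
2024-03-01T10:00:01 10.0.5.21 10.0.8.10 22 DENY
2024-03-01T10:00:01 10.0.5.21 10.0.8.10 23 DENY
2024-03-01T10:00:02 10.0.5.21 10.0.8.10 80 DENY
2024-03-01T10:00:02 10.0.5.21 10.0.8.11 22 DENY
2024-03-01T10:00:03 10.0.5.21 10.0.8.11 443 DENY
2024-03-01T10:00:03 10.0.5.21 10.0.8.12 161 DENY
2024-03-01T10:00:04 10.0.5.21 10.0.8.12 3306 DENY
2024-03-01T10:00:04 10.0.5.21 10.0.8.13 8080 DENY
2024-03-01T10:00:05 10.0.5.21 10.0.8.14 22 ALLOW
2024-03-01T10:00:05 10.0.5.21 10.0.8.15 22 DENY
2024-03-01T10:00:06 10.0.5.21 10.0.8.16 22 DENY
2024-03-01T10:00:06 10.0.5.21 10.0.8.17 22 DENY
2024-03-01T10:00:10 10.0.5.30 10.0.8.10 443 ALLOW
2024-03-01T10:00:11 10.0.5.30 10.0.8.10 443 ALLOW
2024-03-01T10:15:00 10.0.5.40 10.0.8.20 22 ALLOW
2024-03-01T10:20:00 10.0.5.40 10.0.8.21 22 ALLOW
2024-03-01T10:25:00 10.0.5.40 10.0.8.22 22 ALLOW
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, src, dst, dport, action)."""
    ts, src, dst, dport, action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), action


def fanout_alerts(log_text, window=timedelta(seconds=60), threshold=10):
    """Return {src: peak_distinct_pairs} for every source that contacted more than
    `threshold` distinct (dst, dport) pairs inside any `window`-long interval.

    A sliding window is kept per source over time-sorted events so that slow,
    legitimate activity spread across a long period is not flagged, while a
    burst of probes across many hosts/ports is. Window and threshold are
    assumed tuning values, not figures from the report.
    """
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    per_src = defaultdict(list)
    for ts, src, dst, dport, _action in events:
        per_src[src].append((ts, (dst, dport)))

    alerts = {}
    for src, evs in per_src.items():
        peak = 0
        start = 0
        in_window = defaultdict(int)  # (dst, dport) -> occurrences inside the window
        for ts, pair in evs:
            in_window[pair] += 1
            # Drop events older than the window from the left edge.
            while ts - evs[start][0] > window:
                old_pair = evs[start][1]
                in_window[old_pair] -= 1
                if in_window[old_pair] == 0:
                    del in_window[old_pair]
                start += 1
            peak = max(peak, len(in_window))
        if peak > threshold:
            alerts[src] = peak
    return alerts


if __name__ == "__main__":
    # On the constructed sample only 10.0.5.21 exceeds the threshold.
    print(fanout_alerts(SAMPLE_LOG))
```

In the sample, 10.0.5.21 hits 12 distinct destination/port pairs in six seconds and is flagged, whereas 10.0.5.40 reaches three hosts over ten minutes and stays below the window-bounded count. In production the same logic would typically be paired with an allow-list for known scanners and vulnerability-management hosts, and the flagged source would be correlated with other telemetry before any response.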