Is China Turning Telcos Into Spy Relay Networks?

Today we’re joined by Rupert Marais, our in-house security specialist, to dissect a long-running espionage campaign targeting some of the world’s most critical infrastructure. For years, a sophisticated group known as UAT-7290 has been methodically infiltrating telecommunications networks across South Asia. We’ll explore the strategic motivations behind these attacks, the group’s patient and resource-efficient tactics, and how they turn compromised systems into launchpads for a wider web of state-sponsored operations. This conversation will delve into the specific tools used to compromise network edge devices and the revealing overlaps that connect this group to other major players in the China-nexus threat landscape.

Cyber-espionage groups are increasingly targeting telecommunications providers in South Asia. Beyond simple data theft, what strategic advantages does gaining persistent access to this critical infrastructure offer a group like UAT-7290? Please walk me through some potential operational scenarios.

Gaining a foothold in a major telecommunications provider is the ultimate prize for a state-sponsored actor. We’re not just talking about stealing customer data; this is about controlling the very backbone of a nation’s communications. Imagine the scenarios: they could monitor high-value government or military communications in real-time, gaining an incredible intelligence advantage. During a political or military crisis, they could selectively disrupt services to sow chaos or cripple an adversary’s command and control. Since this campaign has been active since at least 2022, they’ve had years to burrow deep, mapping out the networks to understand exactly where the most sensitive data flows. It’s about achieving a god-level view of a country’s nervous system.

This threat actor relies on extensive reconnaissance before using publicly available code to exploit one-day vulnerabilities. What does this methodical, resource-efficient approach suggest about the group’s priorities and operational security? Can you detail the trade-offs compared to developing bespoke zero-day exploits?

This approach tells me we’re dealing with a patient, mature, and very pragmatic operator. They’re not burning their most valuable assets—their zero-day exploits—on targets they can compromise through simpler means. By conducting extensive reconnaissance first, they identify the weakest links, often public-facing edge devices that haven’t been patched. They then use publicly available proof-of-concept code, which is a brilliant move for operational security. It’s far more difficult to attribute an attack that uses common tools versus a unique, custom-built exploit. The trade-off, of course, is that they can’t hit a fully up-to-date, hardened target this way. But their calculation is that in a sprawling telecom network, there will always be a vulnerable one-day device, and their patience in finding it pays off by preserving their top-tier capabilities for the most challenging targets.

The campaign establishes Operational Relay Box infrastructure, turning compromised systems into launchpads for other China-nexus groups. How does this dual function—as both an intelligence gatherer and an initial access facilitator—amplify the overall threat? Please provide some examples of how this relay infrastructure works.

This dual function is what makes UAT-7290 so dangerous; they’re not just a threat in themselves, they’re a force multiplier for an entire ecosystem of actors. Think of it this way: UAT-7290 is the specialist in breaking down the front door of the telecommunications company. Once inside, they set up these Operational Relay Boxes, or ORBs. Another China-nexus group, perhaps one using the ShadowPad backdoor, can then route their own attack traffic through this compromised device. To the defenders, the malicious activity now appears to be originating from within their own network, making it incredibly difficult to detect and trace back. It’s like having a covert agent who not only spies but also opens a secret, secure tunnel for other agents to pour through.
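The relay behaviour described above leaves a signature in flow telemetry: a device accepts a connection from outside the network and, moments later, opens connections of its own to other hosts. The following is an added example (not part of the interview, and not a tool of any vendor or research team) that scores internal hosts on exactly that inbound-then-outbound pattern. The flow records, the 10.0.0.0/8 internal range, the 30-second pairing window and the threshold of three are all constructed assumptions for illustration; the addresses come from documentation ranges and are not indicators from the campaign.

```python
"""Flag internal hosts that behave like Operational Relay Boxes: they accept
inbound connections from outside the network and, shortly afterwards, open
new connections of their own.

Example code written for this article.  All flow records below are
constructed; addresses use RFC 1918 / RFC 5737 ranges, not real IoCs.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = [ip_network("10.0.0.0/8")]   # assumption: the operator's internal range
RELAY_WINDOW_SECONDS = 30               # assumption: inbound -> outbound pairing window
RELAY_THRESHOLD = 3                     # assumption: pairings needed before flagging


@dataclass(frozen=True)
class Flow:
    """One connection record as a NetFlow/IPFIX-style collector would export it."""
    ts: int      # epoch seconds at which the connection was opened
    src: str     # initiating address
    dst: str     # responding address
    dport: int   # destination port


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL)


def find_relay_candidates(flows, window=RELAY_WINDOW_SECONDS, threshold=RELAY_THRESHOLD):
    """Return {host: [outbound flows]} for internal hosts whose outbound
    connections were preceded, within `window` seconds, by an inbound
    connection from an external address.  A host is reported only once it
    has at least `threshold` such relayed flows, so a single coincidental
    pairing does not raise an alert."""
    inbound_from_outside = defaultdict(list)   # internal host -> external inbound flows
    outbound = defaultdict(list)               # internal host -> flows it initiated
    for f in sorted(flows, key=lambda f: f.ts):
        if is_internal(f.dst) and not is_internal(f.src):
            inbound_from_outside[f.dst].append(f)
        elif is_internal(f.src):
            outbound[f.src].append(f)

    candidates = {}
    for host, outs in outbound.items():
        ins = inbound_from_outside.get(host, [])
        relayed = [
            o for o in outs
            # the outbound flow follows an external inbound one, and is not
            # merely a reply back to that same external peer
            if any(0 <= o.ts - i.ts <= window and o.dst != i.src for i in ins)
        ]
        if len(relayed) >= threshold:
            candidates[host] = relayed
    return candidates


# Constructed sample: an edge device (10.20.0.1) is reached from outside and
# then fans out inside; a workstation and a public web server are included
# so the example shows what does NOT get flagged.
SAMPLE_FLOWS = [
    Flow(1000, "203.0.113.5", "10.20.0.1", 443),     # external -> edge device
    Flow(1004, "10.20.0.1", "10.20.5.7", 22),        # edge device -> internal host
    Flow(1009, "10.20.0.1", "10.20.5.8", 445),       # edge device -> internal host
    Flow(1100, "203.0.113.5", "10.20.0.1", 443),     # external -> edge device again
    Flow(1102, "10.20.0.1", "10.20.9.3", 3389),      # edge device -> internal host
    Flow(1200, "10.20.0.1", "10.20.5.9", 22),        # outside the window: not relayed
    Flow(1010, "10.20.5.7", "198.51.100.20", 443),   # workstation browsing
    Flow(1020, "10.20.5.7", "198.51.100.21", 443),   # workstation browsing
    Flow(1050, "203.0.113.77", "10.20.0.50", 80),    # web server answering only
    Flow(1060, "203.0.113.78", "10.20.0.50", 80),    # web server answering only
]


def report(flows):
    """Human-readable summary, one line per flagged host."""
    lines = []
    for host, relayed in find_relay_candidates(flows).items():
        peers = sorted({f.src for f in flows if f.dst == host and not is_internal(f.src)})
        lines.append(f"{host}: {len(relayed)} relayed flows; external peers {', '.join(peers)}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_FLOWS):
        print(line)
```

Running it flags only 10.20.0.1, with three relayed flows; the late connection at 1200 falls outside the window, the workstation has no external inbound traffic, and the web server never initiates anything. In a real deployment the window and threshold should be tuned per device role, and hosts that legitimately relay (VPN concentrators, proxies, NAT gateways) need an explicit baseline, otherwise they dominate the output.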

UAT-7290 uses a specific Linux-based toolset, including the modular backdoor SilentRaid and the Bulbature implant. What do these malware choices tell us about their focus on network edge devices? Could you describe the typical infection chain, from the RushDrop dropper to achieving persistence?

Their toolkit is a dead giveaway that they are laser-focused on network infrastructure. The vast majority of routers, firewalls, and other edge devices run on Linux, so a Linux-based arsenal is essential. The infection chain is very deliberate. It starts with RushDrop, a lightweight dropper that’s just designed to get the initial payload onto the device without raising alarms. Next, DriveSwitch is executed, which acts as a middleman to deploy the main implant, SilentRaid. SilentRaid is the heart of the operation; its modular design allows the operators to pick and choose capabilities, whether they need a remote shell for direct control, file management to exfiltrate data, or port forwarding to move deeper into the network. Finally, for some devices, they deploy Bulbature, the implant specifically designed to convert that machine into a relay node for other operations.

Investigators observed notable overlaps with other threat actors, such as Red Foxtrot, and malware families like ShadowPad. What do these shared tools and tactics suggest about the structure and potential coordination among different state-sponsored hacking groups? Please elaborate on these connections.

These overlaps paint a picture of a complex and interconnected threat ecosystem, not a series of isolated groups. When we see malware like ShadowPad, which is used by multiple Chinese threat groups, or overlaps with an actor like Red Foxtrot, previously linked to a PLA unit, it suggests a shared supply chain. Different groups might be sourcing their tools from a central development team, or they might share infrastructure and even personnel. This doesn’t mean UAT-7290 and Red Foxtrot are the same team, but it strongly implies they operate under a similar umbrella with some level of strategic coordination. The use of a self-signed certificate from the Bulbature implant on at least 141 hosts in China and Hong Kong, many of which are tied to other malware families, physically maps out this shared network of malicious infrastructure.

What is your forecast for state-sponsored attacks on global telecommunications infrastructure?

I believe we are going to see these attacks escalate, both in frequency and stealth. Telecommunications infrastructure is the strategic high ground in cyberspace; controlling it offers unparalleled intelligence and disruptive capabilities that states simply cannot ignore. The model used by UAT-7290—gaining persistent access and then leveraging it as a shared resource for other actors—is terrifyingly efficient and will likely be emulated. The focus will remain on long-term, low-and-slow infiltration rather than noisy, destructive attacks. The ultimate goal for these actors isn’t to break things; it’s to become a permanent, invisible ghost in the machine, listening, learning, and waiting.
