Executive Summary
Since 2024, a China-linked advanced persistent threat (APT) group, identified as UAT-9244, has been targeting critical telecommunications infrastructure in South America. The attackers have deployed three previously undocumented malware implants: TernDoor, a Windows backdoor; PeerTime, a Linux-based peer-to-peer backdoor; and BruteEntry, a brute-force scanner installed on network edge devices. These tools enable the threat actors to gain persistent access, execute arbitrary commands, and expand their reach within compromised networks. (blog.talosintelligence.com)
This campaign underscores the evolving tactics of state-sponsored cyber espionage groups, highlighting the need for robust security measures in the telecommunications sector. The use of diverse malware targeting multiple platforms indicates a sophisticated approach to infiltrating and maintaining access to critical infrastructure. (blog.talosintelligence.com)
Why This Matters Now
The emergence of UAT-9244's campaign highlights the increasing sophistication of state-sponsored cyber threats targeting critical infrastructure. Telecommunications providers must enhance their security postures to defend against such multifaceted attacks. (blog.talosintelligence.com)
Attack Path Analysis
The UAT-9244 group gained initial access by exploiting vulnerabilities in outdated Windows Server and Microsoft Exchange systems. It then escalated privileges by deploying TernDoor, a backdoor that establishes persistence through scheduled tasks and registry modifications. Using PeerTime, a Linux-based backdoor, the group moved laterally across systems of various architectures, including embedded devices. Command and control was maintained through PeerTime's use of the BitTorrent protocol and TernDoor's own C2 channel, and the same backdoors were used to collect and exfiltrate sensitive data. The result was unauthorized access to critical telecommunications infrastructure, with the potential for data breaches and service disruptions.
Kill Chain Progression
Initial Compromise
Description
Exploited vulnerabilities in outdated Windows Server and Microsoft Exchange systems to gain initial access.
MITRE ATT&CK® Techniques
Exploit Public-Facing Application
DLL Side-Loading
Create or Modify System Process: Windows Service
Valid Accounts
Brute Force: Password Guessing
Lateral Tool Transfer
Proxy: Internal Proxy
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Multi-Factor Authentication (MFA) for All Access
Control ID: 8.3.1
NYDFS 23 NYCRR 500 – Access Privileges
Control ID: 500.7
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA Zero Trust Maturity Model 2.0 – Identity Governance
Control ID: Identity Pillar
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Telecommunications
Primary target of the China-linked APT campaign, which used the TernDoor, PeerTime and BruteEntry implants against critical infrastructure; this sector requires enhanced east-west traffic security and encrypted communications.
Information Technology/IT
High risk from multi-platform malware targeting Windows/Linux systems and edge devices, demanding zero trust segmentation and multicloud visibility controls for infrastructure protection.
Government Administration
Critical infrastructure espionage threats require immediate implementation of egress security policies and threat detection capabilities to prevent data exfiltration and lateral movement.
Computer/Network Security
Essential sector for deploying inline IPS, cloud firewall solutions, and Kubernetes security measures to defend against sophisticated APT campaigns targeting telecommunications infrastructure.
Sources
- China-Linked Hackers Use TernDoor, PeerTime, BruteEntry in South American Telecom Attacks: https://thehackernews.com/2026/03/china-linked-hackers-use-terndoor.html
- UAT-9244 targets South American telecommunication providers with three new malware implants: https://blog.talosintelligence.com/uat-9244/
- China-Nexus Hackers Attacking Telecommunication Providers With New Malware: https://cybersecuritynews.com/china-nexus-hackers-attacking-telecommunication/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have limited the attacker's ability to exploit vulnerabilities, escalate privileges, move laterally, maintain command and control, and exfiltrate data by enforcing strict segmentation and identity-aware policies.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's ability to exploit vulnerabilities in outdated systems would likely be constrained, reducing the risk of initial compromise.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges and establish persistence would likely be constrained, limiting their control over compromised systems.
Control: East-West Traffic Security
Mitigation: The attacker's lateral movement across different systems would likely be constrained, reducing the spread of the attack.
Control: Multicloud Visibility & Control
Mitigation: The attacker's ability to maintain command and control channels would likely be constrained, disrupting their communication with compromised systems.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's ability to exfiltrate sensitive data would likely be constrained, reducing the risk of data breaches.
The attacker's ability to cause significant damage to critical infrastructure would likely be constrained, reducing the overall impact of the attack.
Impact at a Glance
Affected Business Functions
- Network Operations
- Customer Data Management
- Service Provisioning
- Billing Systems
Estimated downtime: 7 days
Estimated loss: $500,000
Potential exposure of customer personal information, call records, and internal operational data.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to restrict lateral movement and limit access to critical systems.
- Deploy East-West Traffic Security controls to monitor and control internal traffic, detecting unauthorized movements.
- Utilize Multicloud Visibility & Control to gain comprehensive insights into network activities across all environments.
- Enforce Egress Security & Policy Enforcement to prevent unauthorized data exfiltration and control outbound communications.
- Establish Threat Detection & Anomaly Response mechanisms to identify and respond to suspicious activities promptly.