Executive Summary
In January 2026, a cyber-espionage campaign attributed to the China-linked group UAT-7290 targeted telecommunications providers across South Asia and Southeastern Europe. The threat actors gained initial access by exploiting known vulnerabilities in edge network devices with one-day exploits and by targeted SSH brute forcing, then quickly escalated privileges and deployed Linux malware including RushDrop, DriveSwitch, SilentRaid, and Bulbature. Their activities included extensive reconnaissance, persistent backdoor deployment, and converting compromised servers into operational relay boxes for further attacks, posing significant risk to sensitive communications infrastructure.
This incident highlights escalating threats to critical telecom sectors, as state-affiliated actors increasingly leverage public exploits and shared toolkits for multi-layered attacks. Such breaches underscore urgent needs for proactive edge device security and improved lateral movement detection strategies amid rising geopolitical cyber operations.
Why This Matters Now
Telecom infrastructure remains a key strategic target for nation-state actors, with China-aligned groups innovating in the exploitation of edge devices. The use of one-day exploits and fast-moving malware campaigns increases the urgency for organizations to bolster security controls around public-facing systems and adopt advanced anomaly detection technologies.
Attack Path Analysis
The attackers performed extensive reconnaissance and compromised public-facing edge devices via known vulnerabilities and SSH brute forcing. Once on a host they escalated privileges and established persistence with custom Linux malware. They then moved laterally to additional systems, converting some into operational relay boxes and using malware plugins to extend their reach. Command and control relied on remote shell access and C2 rotation, with TLS embedded in the custom malware to keep communication with their infrastructure covert. Sensitive data and credentials were exfiltrated through those encrypted channels and through port forwarding. The result was a persistent espionage capability, backdoor deployment, and the risk of follow-on disruptive or destructive actions by allied threat actors.
Kill Chain Progression
Initial Compromise
Description
Attackers exploited known flaws in edge network devices and used SSH brute forcing to gain an initial foothold on public-facing systems.
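The SSH brute-forcing described above leaves a recognisable trace in sshd logs: a burst of failed password attempts from one source followed by an accepted login from the same source. The following is an added example (not code from the original page, from Cisco Talos, or from the vendor) that parses constructed sshd syslog lines and flags that failed-then-accepted pattern; the host name, addresses, thresholds and the assumed year in the timestamps are all illustrative.

```python
"""Detect SSH password guessing that ended in a successful login.

Added example over constructed sshd log lines (not real telemetry).
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd lines in syslog format. Syslog timestamps carry no year,
# so parse_auth_log() takes the year as a parameter (assumed 2026 here).
SAMPLE_AUTH_LOG = """\
Jan 12 03:14:01 edge01 sshd[2210]: Failed password for root from 203.0.113.45 port 51234 ssh2
Jan 12 03:14:03 edge01 sshd[2212]: Failed password for root from 203.0.113.45 port 51240 ssh2
Jan 12 03:14:05 edge01 sshd[2214]: Failed password for invalid user admin from 203.0.113.45 port 51251 ssh2
Jan 12 03:14:07 edge01 sshd[2216]: Failed password for root from 203.0.113.45 port 51260 ssh2
Jan 12 03:14:09 edge01 sshd[2218]: Failed password for root from 203.0.113.45 port 51270 ssh2
Jan 12 03:14:11 edge01 sshd[2220]: Accepted password for root from 203.0.113.45 port 51281 ssh2
Jan 12 03:20:00 edge01 sshd[2301]: Failed password for ops from 198.51.100.7 port 40001 ssh2
Jan 12 03:20:04 edge01 sshd[2303]: Accepted publickey for ops from 198.51.100.7 port 40002 ssh2
Jan 12 04:00:00 edge01 sshd[2400]: Accepted password for backup from 192.0.2.9 port 33001 ssh2
"""

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user admin from ...".
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse_auth_log(text, year=2026):
    """Parse sshd Accepted/Failed lines into dicts; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"),
            "result": m["result"],
            "method": m["method"],
            "user": m["user"],
            "src": m["src"],
        })
    return events


def detect_bruteforce_success(events, min_failures=5, window_seconds=600):
    """Return {src: details} for sources whose accepted login was preceded by
    at least min_failures failed attempts within window_seconds.

    A single accepted login is normal; an accepted login right after a burst
    of failures from the same source is the brute-force foothold.
    """
    failures = defaultdict(list)  # src -> timestamps of failed attempts
    hits = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        src = ev["src"]
        if ev["result"] == "Failed":
            failures[src].append(ev["ts"])
            continue
        recent = [t for t in failures[src]
                  if (ev["ts"] - t).total_seconds() <= window_seconds]
        if len(recent) >= min_failures:
            hits[src] = {
                "user": ev["user"],
                "method": ev["method"],
                "failures_in_window": len(recent),
                "accepted_at": ev["ts"].isoformat(),
            }
    return hits


def password_logins(events):
    """(src, user) pairs that authenticated with a password rather than a key.

    Any entry here means password authentication is still enabled on the host,
    which is what makes the guessing attack possible in the first place.
    """
    return [(e["src"], e["user"]) for e in events
            if e["result"] == "Accepted" and e["method"] == "password"]


if __name__ == "__main__":
    evs = parse_auth_log(SAMPLE_AUTH_LOG)
    for src, info in detect_bruteforce_success(evs).items():
        print(f"brute-force success from {src}: {info}")
    print("password logins still occurring:", password_logins(evs))
```

The window and threshold are deliberately conservative; on a real edge host with fail2ban or key-only authentication the failure burst should never reach an accepted login at all, so the second function is the more useful hygiene check: if it returns anything, password authentication is still on.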
Related CVEs
CVE-2023-2374
CVSS 9.8
A command injection vulnerability in the Web Management Interface of Ubiquiti EdgeRouter X up to version 2.0.9-hotfix.6 allows remote attackers to execute arbitrary commands via the 'ecn-down' parameter.
Affected Products:
Ubiquiti EdgeRouter X – <= 2.0.9-hotfix.6
Exploit Status:
exploited in the wild

CVE-2023-2373
CVSS 9.8
A command injection vulnerability in the Web Management Interface of Ubiquiti EdgeRouter X up to version 2.0.9-hotfix.6 allows remote attackers to execute arbitrary commands via the 'ecn-up' parameter.
Affected Products:
Ubiquiti EdgeRouter X – <= 2.0.9-hotfix.6
Exploit Status:
exploited in the wild

CVE-2023-2378
CVSS 9.8
A command injection vulnerability in the Web Management Interface of Ubiquiti EdgeRouter X up to version 2.0.9-hotfix.6 allows remote attackers to execute arbitrary commands via the 'suffix-rate-up' parameter.
Affected Products:
Ubiquiti EdgeRouter X – <= 2.0.9-hotfix.6
Exploit Status:
exploited in the wild

CVE-2022-40147
CVSS 7.4
Improper certificate validation in Siemens Industrial Edge Management versions prior to 1.5.1 allows remote attackers to spoof trusted entities by interfering in the communication path.
Affected Products:
Siemens Industrial Edge Management – < 1.5.1
Exploit Status:
proof of concept

CVE-2021-37184
CVSS 9.8
Authorization bypass through a user-controlled key in Siemens Industrial Edge Management versions prior to 1.3 allows unauthenticated attackers to change user passwords and impersonate valid users.
Affected Products:
Siemens Industrial Edge Management – < 1.3
Exploit Status:
proof of concept
MITRE ATT&CK® Techniques
Exploit Public-Facing Application (T1190)
Brute Force: Password Guessing (T1110.001)
Command and Scripting Interpreter (T1059)
Event Triggered Execution (T1546)
Valid Accounts (T1078)
Archive Collected Data (T1560)
Exfiltration Over C2 Channel (T1041)
Non-Standard Port (T1571)
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Public-Facing Web Application Security
Control ID: 6.4.1 and 6.4.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (Regulation (EU) 2022/2554) – Protection and Prevention
Control ID: Art. 9
CISA Zero Trust Maturity Model (ZTMM) 2.0 – Identity and Authentication
Control ID: Identity: Authentication and Authorization
NIS2 Directive – Technical and Organizational Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Telecommunications
Primary target of UAT-7290 China-linked cyber espionage campaigns exploiting edge devices, requiring encrypted traffic protection and zero trust segmentation capabilities.
Government Administration
Critical infrastructure vulnerable to state-sponsored espionage through telecommunications breaches, necessitating enhanced threat detection and secure hybrid connectivity for sensitive operations.
Utilities
Network infrastructure susceptible to edge device exploitation and lateral movement attacks, requiring multicloud visibility and egress security policy enforcement mechanisms.
Defense/Space
High-value espionage target through telecommunications supply chain compromises, demanding inline IPS protection and cloud native security fabric for classified communications.
Sources
- New China-linked hackers breach telcos using edge device exploits – https://www.bleepingcomputer.com/news/security/new-china-linked-hackers-breach-telcos-using-edge-device-exploits/
- APT28 Exploits Known Vulnerability to Carry Out Reconnaissance and Deploy Malware on Cisco Routers (CISA AA23-108) – https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-108
- Siemens Industrial Edge Management (CISA ICSA-22-286-02) – https://www.cisa.gov/news-events/ics-advisories/icsa-22-286-02
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust segmentation, east-west traffic controls, egress enforcement, inline inspection, and consolidated visibility each address a stage of this kill chain: they constrain lateral movement from a compromised edge device, surface anomalous behaviour on the host, and deny the outbound channels used for C2 and exfiltration.
Control: Cloud Firewall (ACF)
Mitigation: Blocks unauthorized inbound attempts on vulnerable services.
Control: Threat Detection & Anomaly Response
Mitigation: Detects and alerts on unauthorized privilege escalation and persistence events.
Control: Zero Trust Segmentation
Mitigation: Prevents unauthorized lateral movement between workloads and sensitive segments.
Control: Inline IPS (Suricata)
Mitigation: Detects and/or blocks known C2 patterns, reverse-shell traffic, and exploit signatures for the edge device vulnerabilities listed above.
Control: Egress Security & Policy Enforcement
Mitigation: Stops unauthorized outbound connections and data flows to malicious or non-sanctioned endpoints.
Reduces dwell time and long-term persistence through consolidated monitoring and correlation.
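The egress controls above reduce to a concrete check: every outbound connection from a server workload should match an explicit allowlist, and TLS on a port where TLS is not expected, very large outbound volumes, and hours-long sessions (the shape of a forwarded port or a relay hop) deserve a second look. The following is an added example, not the vendor's product logic and not code from the original page: it audits constructed Zeek conn.log-style flow records against a constructed per-host egress policy. The hosts, addresses, policy, port set and thresholds are all assumptions chosen for illustration.

```python
"""Egress policy audit over flow records.

Added example over constructed flows and a constructed policy; the Flow
fields mirror a simplified Zeek conn.log record.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One outbound connection record (simplified Zeek conn.log fields)."""
    src: str          # internal originator
    dst: str          # destination address
    dport: int        # destination port
    proto: str        # "tcp" or "udp"
    service: str      # protocol detected on the wire: "ssl", "ssh", "dns", or "-"
    orig_bytes: int   # bytes sent by the internal originator
    duration: float   # seconds the connection was open


# Constructed per-workload egress allowlist: the (dst, dport) pairs each host
# may reach. Anything else is a policy violation regardless of protocol.
EGRESS_POLICY = {
    "10.10.1.5": {("10.10.0.53", 53), ("10.10.2.20", 443)},   # application server
    "10.10.1.7": {("10.10.0.53", 53)},                         # management host
}

# Ports on which TLS is expected; TLS anywhere else is flagged (T1571).
STANDARD_TLS_PORTS = {443, 465, 636, 853, 993, 995}

# Constructed flows: two clean DNS lookups, one sanctioned HTTPS call, one
# TLS session to an external host on 9443 with a large upload, and one
# long-lived outbound SSH session that the policy never sanctioned.
SAMPLE_FLOWS = [
    Flow("10.10.1.5", "10.10.0.53", 53, "udp", "dns", 120, 0.01),
    Flow("10.10.1.5", "10.10.2.20", 443, "tcp", "ssl", 5_000, 2.0),
    Flow("10.10.1.7", "203.0.113.80", 9443, "tcp", "ssl", 48_000_000, 7200.0),
    Flow("10.10.1.7", "198.51.100.22", 22, "tcp", "ssh", 2_000, 3600.0),
    Flow("10.10.1.5", "10.10.0.53", 53, "tcp", "dns", 300, 0.02),
]


def classify(flow, policy, big_upload_bytes=10_000_000, long_session_seconds=3600):
    """Return the list of reasons a flow is suspicious (empty if clean).

    The policy check is the enforcement point; the remaining checks are the
    anomaly signals that survive even when the policy is incomplete.
    """
    reasons = []
    if (flow.dst, flow.dport) not in policy.get(flow.src, set()):
        reasons.append("egress_not_in_policy")
    if flow.service == "ssl" and flow.dport not in STANDARD_TLS_PORTS:
        reasons.append("tls_on_nonstandard_port")
    if flow.orig_bytes >= big_upload_bytes:
        reasons.append("large_outbound_volume")
    if flow.duration >= long_session_seconds:
        reasons.append("long_lived_session")
    return reasons


def audit(flows, policy):
    """Map (src, dst, dport) -> reasons for every flow that raised at least one."""
    findings = {}
    for f in flows:
        reasons = classify(f, policy)
        if reasons:
            findings[(f.src, f.dst, f.dport)] = reasons
    return findings


if __name__ == "__main__":
    for key, reasons in audit(SAMPLE_FLOWS, EGRESS_POLICY).items():
        print(key, "->", ", ".join(reasons))
```

Run against real conn.log exports the policy would come from the workload's documented dependencies, not from observed traffic; deriving the allowlist from what the host already talks to would bless the relay box's existing C2 channel.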
Impact at a Glance
Affected Business Functions
- Network Operations
- Customer Data Management
Estimated downtime: 5 days
Estimated loss: $1,000,000
Potential exposure of sensitive customer data, including personal identifiable information and communication records.
Recommended Actions
Key Takeaways & Next Steps
- Deploy Zero Trust segmentation and microsegmentation to strictly control east-west workload traffic and limit lateral movement.
- Enforce granular egress filtering and outbound policy controls to prevent unauthorized data exfiltration and C2 communication.
- Implement continuous threat detection and anomaly monitoring across network and workload layers to catch malware activity early.
- Harden public-facing edge devices: patch the known vulnerabilities the actors' one-day exploits target, restrict management interfaces and SSH to trusted sources, and add perimeter controls such as cloud-native firewalls and inline IPS for exploit blocking.
- Centralize network visibility, event correlation, and incident response to rapidly uncover and remediate persistent attacker footholds.