
China-Linked UAT-7290 Targets Telecoms with Linux Malware and ORB Nodes

Severity: Medium
Tags: Malware, Linux
Published: Thu Jan 08 2026 (01/08/2026, 14:54:00 UTC)
Source: The Hacker News

Description

A China-nexus threat actor known as UAT-7290 has been attributed to espionage-focused intrusions against entities in South Asia and Southeastern Europe. The activity cluster, which has been active since at least 2022, primarily focuses on extensive technical reconnaissance of target organizations before initiating attacks, ultimately leading to the deployment of malware families such as RushDrop

AI-Powered Analysis

Last updated: 01/08/2026, 16:55:31 UTC

Technical Analysis

The UAT-7290 threat actor, linked to China, has been conducting espionage-focused cyber intrusions since at least 2022, primarily targeting telecommunications providers in South Asia and more recently organizations in Southeastern Europe. Their operations begin with extensive technical reconnaissance to map target networks and identify vulnerabilities. They exploit one-day vulnerabilities in popular edge networking devices and use targeted SSH brute force attacks to gain initial access, relying on publicly available proof-of-concept exploit code rather than developing zero-days. Once inside, UAT-7290 deploys a Linux-based malware suite consisting of RushDrop (a dropper that initiates the infection), DriveSwitch (a peripheral malware), and SilentRaid (a modular C++ implant providing persistent access and remote control capabilities such as shell access, port forwarding, file management, and keylogging). Additionally, they deploy Bulbature, a backdoor designed to convert compromised edge devices into Operational Relay Box (ORB) nodes, which serve as relay points potentially used by other China-linked threat actors, indicating UAT-7290’s dual role as both an espionage actor and an initial access provider. The malware’s modularity and use of open-source and custom tools demonstrate sophisticated tradecraft. The group also uses Windows implants such as RedLeaves and ShadowPad, further expanding its toolkit. The targeting of telecom infrastructure is strategic, as it provides access to critical communications networks and data flows. The threat actor’s activity is tracked by multiple cybersecurity firms under different names, highlighting its significance and persistence. Despite the medium severity rating, the threat’s ability to establish deep network footholds and facilitate espionage operations makes it a notable risk for affected sectors.

Potential Impact

For European organizations, particularly telecommunications providers and critical infrastructure operators in Southeastern Europe, UAT-7290’s activities pose significant risks to confidentiality, integrity, and availability of network systems. Compromise of telecom edge devices can lead to interception of sensitive communications, disruption of services, and unauthorized access to internal networks. The deployment of ORB nodes extends the threat’s reach by enabling other malicious actors to leverage compromised infrastructure for further attacks, increasing the attack surface and complicating incident response. Espionage activities may result in theft of intellectual property, strategic communications, and sensitive operational data, undermining national security and competitive advantage. The use of one-day exploits and brute force attacks on SSH services indicates that even well-maintained systems could be vulnerable if patches are delayed or weak credentials are used. The modular malware’s capabilities for remote control and data exfiltration increase the potential for long-term undetected presence within networks. This threat could also impact supply chain security if telecom providers serve as intermediaries for other critical sectors. Overall, the threat could disrupt telecommunications services, compromise user privacy, and facilitate broader cyber espionage campaigns within Europe.

Mitigation Recommendations

European organizations should implement a multi-layered defense strategy focused on hardening edge networking devices and telecom infrastructure. Specific measures include:

1) Immediate patching and updating of all edge devices and network equipment to address known one-day vulnerabilities, prioritizing devices exposed to the internet.
2) Enforce strong SSH access controls by disabling password authentication in favor of key-based authentication, implementing rate limiting, and monitoring for brute force attempts.
3) Deploy network segmentation to isolate critical telecom infrastructure from general enterprise networks, limiting lateral movement opportunities.
4) Utilize advanced endpoint detection and response (EDR) solutions capable of identifying Linux-based malware behaviors such as unusual shell activity, port forwarding, and file operations.
5) Monitor network traffic for anomalies indicative of ORB node activity, including unexpected proxying or relay behaviors.
6) Conduct regular threat hunting exercises focusing on indicators of compromise related to UAT-7290’s known malware families (RushDrop, DriveSwitch, SilentRaid, Bulbature).
7) Implement strict credential management policies, including multi-factor authentication for administrative access to network devices.
8) Collaborate with national cybersecurity centers and telecom regulators to share threat intelligence and coordinate responses.
9) Employ deception technologies to detect reconnaissance and lateral movement attempts early.
10) Train security teams on the specific TTPs of UAT-7290 and related China-linked actors to improve detection and response capabilities.
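Of the measures above, the SSH controls in item 2 (disable password authentication, monitor for brute force attempts) are concrete enough to show in code. The following Python script is an added example, not code from the article or from the analysis on this page: it parses OpenSSH auth.log-style lines to flag source addresses that exceed a failed-password threshold inside a sliding time window, and it audits an sshd_config fragment for the password-authentication and root-login settings a hardened edge device should carry. The log lines, hostnames, IP addresses and both config fragments are constructed for the example; the OpenSSH defaults assumed for options that are not set explicitly are marked in the code.

```python
"""Flag SSH brute-force bursts in auth.log lines and audit sshd_config for weak settings.

Added example (not from the article). All sample data below is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed auth.log excerpt: a password-guessing burst from 203.0.113.45 and
# a single legitimate-looking failure from 198.51.100.7 (documentation ranges).
SAMPLE_AUTH_LOG = """\
Jan  8 14:50:01 edge-rtr sshd[2231]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
Jan  8 14:50:03 edge-rtr sshd[2233]: Failed password for invalid user admin from 203.0.113.45 port 51030 ssh2
Jan  8 14:50:04 edge-rtr sshd[2235]: Failed password for root from 203.0.113.45 port 51041 ssh2
Jan  8 14:50:06 edge-rtr sshd[2237]: Failed password for root from 203.0.113.45 port 51052 ssh2
Jan  8 14:50:08 edge-rtr sshd[2239]: Failed password for invalid user oracle from 203.0.113.45 port 51060 ssh2
Jan  8 14:50:09 edge-rtr sshd[2241]: Accepted publickey for netops from 198.51.100.7 port 40112 ssh2: ED25519 SHA256:constructedfp
Jan  8 14:52:30 edge-rtr sshd[2250]: Failed password for netops from 198.51.100.7 port 40120 ssh2
"""

# Constructed sshd_config fragments: the weak configuration and its hardened counterpart.
SAMPLE_SSHD_CONFIG_WEAK = """\
# internet-facing edge device, as found
Port 22
PasswordAuthentication yes
PermitRootLogin yes
"""
SAMPLE_SSHD_CONFIG_HARDENED = """\
Port 22
PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
MaxAuthTries 3
"""

# Classic OpenSSH syslog line for a rejected password login.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)


def parse_failed_logins(lines, year=2026):
    """Return (timestamp, user, source_ip) tuples for each failed password attempt.

    Syslog lines carry no year, so the caller supplies it (assumed 2026 here).
    """
    events = []
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["user"], m["src"]))
    return events


def brute_force_sources(events, threshold=5, window_seconds=60):
    """Return {source_ip: peak_attempts} for sources reaching `threshold` failures
    within any sliding window of `window_seconds`."""
    by_src = defaultdict(list)
    for ts, _user, src in events:
        by_src[src].append(ts)
    flagged = {}
    for src, stamps in by_src.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            # Advance the window start until it fits inside window_seconds.
            while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[src] = max(flagged.get(src, 0), count)
    return flagged


# Accepted values for the options audited; PermitRootLogin prohibit-password is
# tolerated because it still blocks password logins as root.
EXPECTED = {
    "passwordauthentication": {"no"},
    "permitrootlogin": {"no", "prohibit-password"},
}
# Assumed OpenSSH defaults applied when the option is absent from the config.
DEFAULTS = {"passwordauthentication": "yes", "permitrootlogin": "prohibit-password"}


def parse_sshd_config(text):
    """Parse 'Key value' / 'Key=value' lines; first occurrence wins, as sshd does.
    Directives after a Match line are conditional and are not evaluated here."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        settings.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return settings


def audit_sshd_config(text):
    """Return (option, effective_value, accepted_values) for each weak setting found."""
    settings = parse_sshd_config(text)
    findings = []
    for key, accepted in EXPECTED.items():
        value = settings.get(key, DEFAULTS[key]).lower()
        if value not in accepted:
            findings.append((key, value, "/".join(sorted(accepted))))
    return findings


if __name__ == "__main__":
    events = parse_failed_logins(SAMPLE_AUTH_LOG.splitlines())
    for src, count in brute_force_sources(events).items():
        print(f"brute-force suspect: {src} ({count} failed logins within 60s)")
    for label, cfg in (("weak", SAMPLE_SSHD_CONFIG_WEAK), ("hardened", SAMPLE_SSHD_CONFIG_HARDENED)):
        print(f"{label} config findings: {audit_sshd_config(cfg)}")
```

Run against a real host, the log parser would be fed `/var/log/auth.log` (or `journalctl -u ssh`) and the config auditor the output of `sshd -T`, which prints the effective settings and so removes the need for the assumed defaults.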


Technical Details

Article Source: https://thehackernews.com/2026/01/china-linked-uat-7290-targets-telecoms.html (fetched 2026-01-08T16:55:09Z, 1039 words)

Threat ID: 695fe16f2717593a3368db6a

Added to database: 1/8/2026, 4:55:11 PM

Last enriched: 1/8/2026, 4:55:31 PM

Last updated: 1/9/2026, 12:13:25 PM

Views: 273
