
UAT-7290: Targets high-value telecommunications infrastructure in South Asia

Severity: Medium
Published: Thu Jan 08 2026 (01/08/2026, 16:30:51 UTC)
Source: AlienVault OTX General

Description

UAT-7290, a sophisticated threat actor active since 2022, is targeting critical infrastructure entities in South Asia, particularly telecommunications providers. The group's arsenal includes malware families like RushDrop, DriveSwitch, SilentRaid, and Bulbature. UAT-7290 conducts extensive reconnaissance before intrusions, using one-day exploits and SSH brute force to compromise edge devices. The actor is believed to be a China-nexus APT, sharing similarities with APT10 and other known Chinese threat groups. UAT-7290 has recently expanded its targeting to Southeastern Europe and may establish Operational Relay Boxes for other China-nexus actors. Their malware suite primarily focuses on Linux systems but can also utilize Windows-based implants.

AI-Powered Analysis

Last updated: 01/08/2026, 17:26:59 UTC

Technical Analysis

UAT-7290 is an advanced persistent threat group assessed to be China-nexus, active since 2022 and focused on high-value telecommunications infrastructure, primarily in South Asia, with recent expansion into Southeastern Europe. Its malware arsenal includes RushDrop, DriveSwitch, SilentRaid, and Bulbature, which predominantly target Linux-based systems but also include Windows implants.

The intrusion chain begins with extensive reconnaissance to identify exposed, vulnerable edge devices, followed by exploitation of one-day vulnerabilities (flaws that have already been publicly disclosed and fixed by the vendor, but not yet patched on the target) and SSH brute force to gain initial access. In MITRE ATT&CK terms this maps to T1190 (Exploit Public-Facing Application), T1133 (External Remote Services), and T1110 (Brute Force). Once inside, UAT-7290 deploys its implants to maintain persistence, conduct espionage, and potentially establish Operational Relay Boxes (ORBs) that serve as infrastructure for other China-nexus actors. The malware families used incorporate techniques such as credential dumping, code injection, and lateral movement.

The focus on telecommunications infrastructure indicates strategic intent to access sensitive communications and network operations data. The source does not name the specific one-day vulnerabilities exploited, so defenders cannot rely on a CVE list; because such flaws already have public fixes, exposure comes down to patch latency on edge devices, and the SSH brute force and reconnaissance components require only reachable services, not an exploit. The medium severity rating reflects the threat's espionage focus, moderate ease of exploitation, and potential for significant impact on the confidentiality and integrity of critical infrastructure systems.
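The SSH brute-force component (T1110) is the part of this chain that leaves the clearest trace on the target itself. The following is an added example, not code from the Talos or AlienVault source: it parses standard OpenSSH syslog lines, flags any source address with five or more failed password attempts inside a sixty-second window, and reports whether that same source later logged in with a password, which is the signature of a brute force that succeeded. The log lines, host name, IP addresses, and thresholds are all constructed for illustration.

```python
"""Detect SSH password brute force (ATT&CK T1110) in OpenSSH auth log lines.

Added example, not code from the Talos/AlienVault source. The log lines, host
name, addresses and thresholds below are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed syslog-style OpenSSH lines (traditional auth.log format, no year).
AUTH_LOG = """\
Jan  8 16:30:01 edge-rtr sshd[2211]: Failed password for root from 203.0.113.77 port 51022 ssh2
Jan  8 16:30:02 edge-rtr sshd[2213]: Failed password for invalid user admin from 203.0.113.77 port 51024 ssh2
Jan  8 16:30:02 edge-rtr sshd[2215]: Failed password for root from 203.0.113.77 port 51026 ssh2
Jan  8 16:30:03 edge-rtr sshd[2217]: Failed password for invalid user oracle from 203.0.113.77 port 51028 ssh2
Jan  8 16:30:04 edge-rtr sshd[2219]: Failed password for root from 203.0.113.77 port 51030 ssh2
Jan  8 16:30:05 edge-rtr sshd[2221]: Accepted password for root from 203.0.113.77 port 51032 ssh2
Jan  8 16:31:10 edge-rtr sshd[2250]: Failed password for ops from 198.51.100.5 port 40010 ssh2
Jan  8 16:45:10 edge-rtr sshd[2301]: Accepted publickey for ops from 198.51.100.5 port 40020 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse(line, year=2026):
    """Parse one sshd auth line; returns None for lines we do not care about.
    Traditional syslog timestamps carry no year, so the caller supplies one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(log_text, threshold=5, window_s=60):
    """Return {source_ip: finding} for every source with at least `threshold`
    failed password logins inside any `window_s`-second window. The finding
    also lists users that later logged in *by password* from that source,
    i.e. brute-force attempts that appear to have worked."""
    events = [e for e in (parse(l) for l in log_text.splitlines()) if e]
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e["result"] == "Failed" and e["method"] == "password"]
        hit = None
        # Sliding window over the (already chronological) failure timestamps.
        for i in range(len(fails)):
            j = i
            while j + 1 < len(fails) and \
                    (fails[j + 1]["ts"] - fails[i]["ts"]).total_seconds() <= window_s:
                j += 1
            if j - i + 1 >= threshold:
                hit = (fails[i]["ts"], fails[j]["ts"])
                break
        if hit is None:
            continue
        later_success = [e["user"] for e in evs
                         if e["result"] == "Accepted" and e["method"] == "password"
                         and e["ts"] >= hit[1]]
        findings[ip] = {
            "failed_attempts": len(fails),
            "usernames": sorted({e["user"] for e in fails}),
            "window": hit,
            "followed_by_password_login": later_success,
        }
    return findings


if __name__ == "__main__":
    for ip, f in detect_bruteforce(AUTH_LOG).items():
        print(ip, f)
```

Key-based logins (`Accepted publickey`) are deliberately not counted as a "successful brute force", and a single failure from an operator address is below threshold; in production the threshold and window would be tuned to the device's legitimate login rate, and the alert fed to the monitoring in the recommendations below.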

Potential Impact

For European organizations, particularly telecommunications providers and critical infrastructure operators in Southeastern Europe, UAT-7290 represents a significant espionage and operational risk. Compromise of edge devices can lead to unauthorized access to sensitive communications data, disruption of network services, and potential use of compromised infrastructure as a relay for further attacks by China-nexus actors. The confidentiality of customer and operational data is at risk, as is the integrity of network management systems. Disruptions could affect service availability indirectly through sabotage or manipulation of network components. The threat actor’s ability to establish Operational Relay Boxes in Europe could facilitate broader regional espionage campaigns, increasing the risk to national security and critical communications infrastructure. Given the strategic importance of telecommunications in Europe’s digital economy and security, successful intrusions could have cascading effects on government, commercial, and civilian sectors. The medium severity rating suggests that while the threat is serious, it requires targeted defenses and monitoring to mitigate effectively.

Mitigation Recommendations

1. Implement strict SSH access controls on edge devices: disable password authentication in favor of key-based authentication, require a second factor for remote administrative access, disable direct root login, and restrict SSH to trusted management addresses (sshd host-based allow rules or a firewall in front of the service).
2. Segment the network so that edge devices and critical infrastructure components are isolated from each other and from corporate networks, limiting the lateral movement opportunities the malware families rely on.
3. Deploy endpoint detection and response (EDR) capable of detecting the known malware hashes listed under Indicators of Compromise below and the behavioral indicators associated with UAT-7290's malware families.
4. Monitor for the reconnaissance and initial-access activity described above: unusual scanning, repeated SSH authentication failures from a single source, and exploitation attempts against public-facing services.
5. Maintain an up-to-date inventory of edge devices and patch them promptly, especially public-facing applications and network services; one-day exploitation succeeds only where a published fix has not yet been applied.
6. Establish threat hunting focused on Operational Relay Box infrastructure (compromised devices relaying traffic for other actors) and on lateral movement techniques used by China-nexus actors.
7. Collaborate with national cybersecurity centers and share threat intelligence to improve detection and response against this actor.
8. Harden Linux systems by disabling unnecessary services, applying security baselines, and auditing user privileges regularly.
9. Prepare incident response plans for telecommunications infrastructure compromise scenarios, including containment and eradication procedures for compromised edge devices.
10. Use threat intelligence feeds to keep detection signatures and indicators of compromise current, starting with the malware hashes provided in this pulse.
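Recommendation 1 above is a handful of `sshd_config` directives, and the easiest way to lose it is a later edit that quietly re-enables passwords. The following is an added example, not code from the source or from OpenSSH: a weak configuration next to a hardened one, and a small auditor that reads a config the way sshd does (first occurrence of a keyword wins; everything after a `Match` line is conditional and is not evaluated here) and reports which of the page's SSH controls are missing. The `MaxAuthTries` limit of 3 and the management network `198.51.100.0/24` are assumptions for the example.

```python
"""Audit an OpenSSH sshd_config against the SSH controls recommended above.

Added example, not code from the source or the OpenSSH project. Both config
texts are constructed; the MaxAuthTries limit and the 198.51.100.0/24
management network are assumptions. Match blocks are not evaluated.
"""
import ipaddress

WEAK_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
"""

HARDENED_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
# keyboard-interactive stays on only to carry the PAM-backed second factor
KbdInteractiveAuthentication yes
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive
MaxAuthTries 3
LoginGraceTime 20
# key-based admin logins only from the (assumed) management network
AllowUsers ops@198.51.100.0/24
"""


def parse_sshd_config(text):
    """Return {keyword_lower: first value}. sshd honours the first occurrence
    of a keyword, and anything after a Match line is conditional, so stop there."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        conf.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return conf


def audit_sshd_config(text):
    """Return a list of findings; an empty list means every check passed.
    The defaults passed to .get() are OpenSSH's own defaults, so an unset
    keyword is judged by what sshd would actually do."""
    c = parse_sshd_config(text)
    findings = []
    if c.get("passwordauthentication", "yes").lower() != "no":
        findings.append("PasswordAuthentication is not 'no': passwords can be brute forced (T1110)")
    if c.get("pubkeyauthentication", "yes").lower() != "yes":
        findings.append("PubkeyAuthentication is disabled")
    if c.get("permitrootlogin", "prohibit-password").lower() != "no":
        findings.append("PermitRootLogin is not 'no'")
    methods = c.get("authenticationmethods", "any").lower()
    # Each space-separated alternative is a comma list that must all succeed;
    # a second factor is enforced only if every alternative needs >= 2 methods.
    if methods == "any" or not all(len(alt.split(",")) >= 2 for alt in methods.split()):
        findings.append("AuthenticationMethods does not require a second factor")
    if int(c.get("maxauthtries", "6")) > 3:          # 3 is an assumed local limit
        findings.append("MaxAuthTries is above 3")
    hosts = [p.split("@", 1)[1] for p in c.get("allowusers", "").split() if "@" in p]
    if not hosts:
        findings.append("AllowUsers does not restrict source addresses")
    for h in hosts:
        try:
            ipaddress.ip_network(h, strict=False)
        except ValueError:
            findings.append(f"AllowUsers host pattern {h!r} is not a CIDR range")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(name, audit_sshd_config(cfg) or "OK")
```

Run it against `/etc/ssh/sshd_config` on each edge host as part of the configuration audit in recommendation 8; a host that ships its own `Match` blocks needs those checked separately, since this parser intentionally stops at the first one.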


Technical Details

Author: AlienVault
TLP: white
References: https://blog.talosintelligence.com/uat-7290/
Adversary: UAT-7290
Pulse Id: 695fdbbb0807269153b514aa
Threat Score: null (not set)

Indicators of Compromise

Hash indicators (type inferred from digest length)

Type     Value
MD5      4a963519b4950845a8d76668d4d7dd29
MD5      5e3a2a0461c7888d0361dd75617051c6
MD5      72d377fa8ccf23998dd7c22c9647fc2a
SHA-1    3ce9ecfe196fd148dc49975eb33ff0923796718a
SHA-1    96a327ffa20f7ca4ef5ea593ea6f93d7b4cbcd6e
SHA-1    d398f76c7ba0bbf79b1cac0620cdf4b42e505195
SHA-256  723c1e59accbb781856a8407f1e64f36038e324d3f0bdb606d35c359ade08200
SHA-256  918fb8af4998393f5195bafaead7c9ba28d8f9fb0853d5c2d75f10e35be8015a
SHA-256  961ac6942c41c959be471bd7eea6e708f3222a8a607b51d59063d5c58c54a38d
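The pulse publishes its indicators as a mix of MD5, SHA-1 and SHA-256 digests, so a file only needs to be hashed once with all three algorithms to be checked against every entry. The following is an added example, not code from AlienVault or Talos: a scanner that walks a directory, hashes each regular file with the three algorithms in a single read, and reports matches against the hash set above. The files in `demo()` are constructed in a temporary directory and do not match any real indicator; the second scan adds the SHA-256 of one constructed file to a copy of the set purely to show what a hit looks like.

```python
"""Match files on disk against the hash IOCs published in this pulse.

Added example, not code from AlienVault or Talos. PULSE_IOCS holds the nine
digests listed on this page; the files created in demo() are constructed and
benign, so only the deliberately planted digest can match.
"""
import hashlib
import os
import tempfile

PULSE_IOCS = {
    # MD5
    "4a963519b4950845a8d76668d4d7dd29",
    "5e3a2a0461c7888d0361dd75617051c6",
    "72d377fa8ccf23998dd7c22c9647fc2a",
    # SHA-1
    "3ce9ecfe196fd148dc49975eb33ff0923796718a",
    "96a327ffa20f7ca4ef5ea593ea6f93d7b4cbcd6e",
    "d398f76c7ba0bbf79b1cac0620cdf4b42e505195",
    # SHA-256
    "723c1e59accbb781856a8407f1e64f36038e324d3f0bdb606d35c359ade08200",
    "918fb8af4998393f5195bafaead7c9ba28d8f9fb0853d5c2d75f10e35be8015a",
    "961ac6942c41c959be471bd7eea6e708f3222a8a607b51d59063d5c58c54a38d",
}
ALGOS = ("md5", "sha1", "sha256")


def _digests(chunks, algos):
    """Feed every chunk to all hashers so the file is read only once."""
    hashers = {a: hashlib.new(a) for a in algos}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}


def hash_bytes(data, algos=ALGOS):
    return _digests([data], algos)


def hash_file(path, algos=ALGOS):
    with open(path, "rb") as f:
        return _digests(iter(lambda: f.read(1 << 20), b""), algos)


def scan_paths(root, iocs=PULSE_IOCS):
    """Walk `root` and return [(path, algo, digest)] for every IOC match.
    Symlinks are skipped so a link farm cannot make the scan loop or
    report the same file twice."""
    matches = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            for algo, digest in hash_file(path).items():
                if digest in iocs:
                    matches.append((path, algo, digest))
    return matches


def demo():
    """Constructed scenario: two benign files, scanned against the real IOC
    set (no hits) and against a copy with one file's SHA-256 planted (one hit).
    Returns (matches_real, matches_planted)."""
    with tempfile.TemporaryDirectory() as d:
        benign = os.path.join(d, "notes.txt")
        with open(benign, "wb") as f:
            f.write(b"hello\n")
        suspect = os.path.join(d, "bin", "suspect")
        os.makedirs(os.path.dirname(suspect))
        with open(suspect, "wb") as f:
            f.write(b"constructed sample, not malware\n")
        planted = PULSE_IOCS | {hash_file(suspect)["sha256"]}
        return scan_paths(d, PULSE_IOCS), scan_paths(d, planted)


if __name__ == "__main__":
    real, planted = demo()
    print("matches against pulse IOCs:", real)
    print("matches with planted digest:", planted)
```

Hash indicators are cheap to check and equally cheap for an actor to invalidate by recompiling, so a hit is high confidence but a miss says nothing; this is why recommendation 3 pairs the hashes with behavioral detection.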

Threat ID: 695fe4592717593a336a123a

Added to database: 1/8/2026, 5:07:37 PM

Last enriched: 1/8/2026, 5:26:59 PM

Last updated: 1/9/2026, 12:14:16 PM

Views: 26

Community Reviews

0 reviews
