Approximately six months before the 2022 FIFA World Cup soccer tournament in Qatar, a threat actor, later identified as China-linked BlackTech, silently breached the network of a major gaming communications provider and installed malware on a critical system that stored network device configurations.
The breach wasn’t detected until six months after the games, when NetWitness researchers spotted it during a routine check for the service provider. During this period the cyberespionage group collected an unknown amount of data from targeted customers of the telecom operator, including those related to the World Cup and service providers for it.
A near miss
But it’s the “what else could have happened” that’s really scary, says Stefano Maccaglia, global practice manager, incident response, at NetWitness, recently discussing the incident for the first time with Dark Reading.
BlackTech’s access to the telecom provider’s system would have allowed the threat actor to completely disrupt key communications, including all streaming services associated with the games. The consequences of such an upheaval would have been substantial in terms of geopolitical implications, brand damage, national reputation and potentially hundreds of millions of dollars in losses from licensing and advertising rights negotiated before the World Cup, Maccaglia says.
“Normally we are very controlled, but in this case we were terrified,” Maccaglia says of the NetWitness discovery. “The threat actor literally had his finger on the button but he didn’t press it.”
NetWitness’s involvement in the Qatar World Cup began in 2022, approximately six months before the event, when several local service providers engaged the company to assess the cybersecurity readiness of some of the IT infrastructure supporting the games. As with other security vendors involved in the initiative, the telecom provider gave NetWitness access to a substantial portion of its technology stack and environment, but not all of it.
According to Maccaglia, the NetWitness team detected and fixed several issues across parts of the provider’s technology stack to which the company had access. But it wasn’t until early 2023 that the service provider finally opened up the rest of the environment to NetWitness for further audits. That’s when NetWitness discovered log activity that suggested someone had gained access to the provider’s network.
A rootkit and a backdoor
The company’s subsequent investigations showed that the attacker had installed a sophisticated rootkit and a backdoor, nicknamed Waterbear, on a critical configuration management database (CMDB) that stored device configurations for the provider’s customers. NetWitness discovered that the attackers had used PLEAD, a remote access trojan commonly associated with the BlackTech APT, to target additional systems within the environment.
“The attacker aimed to control this database from the beginning, because it would allow him to swap configurations on the fly and restore them, once finished, without leaving any traces,” says Maccaglia.
BlackTech is a threat actor that the US Cybersecurity and Infrastructure Security Agency (CISA) last year identified as a threat to organizations in the telecommunications, technology, media, electronics and industrial sectors. In an advisory, CISA described the threat actor (aka Radio Panda, Circuit Panda, Temp.Overboard, and Palmerworm) as particularly adept at modifying router malware without being detected and exploiting router domain-trust relationships to gain access to victim networks. “BlackTech actors’ TTPs include the development of custom malware and bespoke persistence mechanisms to compromise routers,” CISA noted. “These TTPs allow actors to disable logging and abuse trusted domain relationships to rotate between international branch and national headquarters networks.”
In the attack on the telecommunications operator in Qatar, BlackTech actors used their access to the CMDB to modify the configurations of the Asus routers of several organizations in such a way as to make these organizations’ systems accessible via the Internet. They then loaded PLEAD, hidden in legitimate-looking software updates from Asus, onto these systems by changing the DNS resolution of asus.com. The threat actor then leveraged PLEAD to steal data from victim organizations. Systems infected in this way also include those linked to World Cup matches. Attackers would change the router’s configuration details for a few hours at a time and then revert to the original rules to minimize the chances of detection, Maccaglia says.
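The pattern described above, a sensitive router setting changed in the CMDB and restored a few hours later, is something a defender can hunt for in the CMDB's own audit trail. The following is an added example, not NetWitness's tooling or any code from the incident: it parses a constructed pipe-delimited audit log (the format, device names, account names and 203.0.113.x addresses are all assumptions made for the example) and flags change-and-revert pairs on sensitive fields such as DNS servers, static host entries and port-forward rules that occur within a configurable window.

```python
"""Detect short-lived configuration swaps in a CMDB audit trail.

Added example; the log format and all values below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log. One change per line:
# ISO timestamp | device | field | old value | new value | changed by
SAMPLE_AUDIT_LOG = """\
2022-11-20T01:02:11Z|rtr-branch-07|dns_server|10.0.0.53|203.0.113.9|svc_cmdb
2022-11-20T01:02:12Z|rtr-branch-07|port_forward|-|tcp/443->192.168.1.20:443|svc_cmdb
2022-11-20T01:02:13Z|rtr-branch-07|dns_static_host[asus.com]|-|203.0.113.44|svc_cmdb
2022-11-20T04:40:03Z|rtr-branch-07|dns_server|203.0.113.9|10.0.0.53|svc_cmdb
2022-11-20T04:40:04Z|rtr-branch-07|port_forward|tcp/443->192.168.1.20:443|-|svc_cmdb
2022-11-20T04:40:05Z|rtr-branch-07|dns_static_host[asus.com]|203.0.113.44|-|svc_cmdb
2022-11-22T09:15:00Z|rtr-hq-01|snmp_community|public|m0nitor!|j.doe
2022-11-23T13:00:00Z|rtr-branch-03|dns_server|10.0.0.53|10.0.0.54|n.ops
"""

# Fields whose temporary modification can expose a device or redirect its
# update/DNS traffic; the bracketed suffix (e.g. a hostname) is ignored.
SENSITIVE_FIELDS = {"dns_server", "dns_static_host", "port_forward", "acl"}
REVERT_WINDOW = timedelta(hours=12)


def parse_audit_log(text):
    """Parse the constructed audit format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, device, field, old, new, actor = line.split("|")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "device": device, "field": field,
            "old": old, "new": new, "actor": actor,
        })
    return events


def is_sensitive(field):
    """dns_static_host[asus.com] -> dns_static_host, then check the watch list."""
    return field.split("[", 1)[0] in SENSITIVE_FIELDS


def find_transient_changes(events, window=REVERT_WINDOW):
    """Return one finding per (change, revert) pair where a field was set to a
    new value and restored to its previous value within `window`."""
    by_key = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_key[(ev["device"], ev["field"])].append(ev)

    findings = []
    for (device, field), evs in by_key.items():
        for i, change in enumerate(evs):
            for revert in evs[i + 1:]:
                if revert["ts"] - change["ts"] > window:
                    break  # events are sorted, so later ones are further away
                if revert["old"] == change["new"] and revert["new"] == change["old"]:
                    findings.append({
                        "device": device,
                        "field": field,
                        "set_to": change["new"],
                        "exposed_seconds": int((revert["ts"] - change["ts"]).total_seconds()),
                        "sensitive": is_sensitive(field),
                        "actor": change["actor"],
                        "start": change["ts"],
                    })
                    break
    return findings


def format_alerts(findings):
    """Render findings as one-line alerts, sensitive fields first."""
    ordered = sorted(findings, key=lambda f: (not f["sensitive"], f["start"]))
    return [
        f"[{'HIGH' if f['sensitive'] else 'LOW'}] {f['device']} {f['field']} "
        f"set to {f['set_to']!r} by {f['actor']} at {f['start']:%Y-%m-%d %H:%M}Z, "
        f"reverted after {f['exposed_seconds'] // 60} min"
        for f in ordered
    ]


if __name__ == "__main__":
    for alert in format_alerts(find_transient_changes(parse_audit_log(SAMPLE_AUDIT_LOG))):
        print(alert)
```

In the sample, only the three branch-07 changes are flagged: the permanent SNMP and DNS edits on the other devices are never reverted and so produce nothing. The window should be tuned to the organisation's normal change process; a revert within hours by the CMDB service account itself, rather than by a named operator, is exactly the shape this hunt is meant to surface.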
Worrying lack of visibility
The fact that no one could spot the intrusion in the months before the World Cup, during the event or in the months after is worrying, Maccaglia says. With the countdown to the 2024 Summer Olympics now underway, it is imperative that the entire technology stack supporting the games is checked for security issues, he says.
The Olympics, like other major sporting events such as the Super Bowl, have become huge targets of cyberattacks in recent years. In 2019, for example, a threat group subsequently identified and linked to Russian military intelligence also attempted to stop the opening of the Winter Olympics in South Korea after Russian athletes were banned from participating due to doping concerns.
“As we saw with the World Cup, threats can live in dark places and keep a very low profile,” says Maccaglia, adding: “You can’t find what you’re not allowed to look for,” advocating for broader visibility for companies like NetWitness across the entire infrastructure supporting the games.
“When you behave as if there is always a threat present, you put yourself in a position to mitigate harm and potentially get ahead of the threat in the environment,” he says. “This will be critical for the 2024 Summer Games.”