Current Cyber Threats

China-Linked UAT-7290 Targets Telecoms with Linux Malware and ORB Nodes

Summary:
Cisco Talos has identified a sophisticated China-nexus threat actor, designated as UAT-7290, that has been conducting cyber espionage operations since at least 2022. This actor primarily targets telecommunications providers and critical infrastructure entities, initially focusing on South Asia but recently expanding its footprint into Southeastern Europe. UAT-7290 is notable for its "dual-threat" role: it functions both as an espionage-motivated group that burrows deep into target networks and as an initial access provider that builds Operational Relay Box (ORB) networks. These ORB nodes—often comprised of compromised edge devices—are leveraged by other China-linked APTs to mask their malicious traffic, making attribution and detection significantly more difficult for defenders.

The group’s technical repertoire includes a custom Linux-based malware suite (RushDrop, DriveSwitch, and SilentRaid) alongside well-known Windows implants like RedLeaves and ShadowPad. Their entry methods rely heavily on the exploitation of "1-day" vulnerabilities in public-facing edge networking equipment and on targeted SSH brute-forcing, following periods of extensive technical reconnaissance.


Security Officer Comments:
The activity of UAT-7290 represents a significant systemic risk to the shared infrastructure organizations rely on. For telecommunications and critical infrastructure providers, the impact is twofold. First, the actor's focus on "burrowing" into network management layers suggests a long-term goal of data exfiltration and maintaining a persistent "kill switch" capability. Second, by converting your edge devices (routers, firewalls, and gateways) into ORB nodes, the adversary effectively turns your own infrastructure into a staging ground for attacks against other sectors. This not only degrades network performance but also places your organization at the center of larger geopolitical cyber-skirmishes, potentially leading to regulatory scrutiny or reputational damage.

The use of 1-day vulnerabilities (flaws for which a patch exists but has not yet been applied by the target) indicates that UAT-7290 is highly efficient at scanning for "low-hanging fruit" in high-value environments. For organizations, this reinforces that the window between a patch release and active exploitation is closing. Furthermore, the overlap with known actors like APT10 and Red Foxtrot (linked to PLA Unit 69010) suggests that UAT-7290 is part of a broader, well-resourced ecosystem focused on strategic dominance over global communications and utility sectors.


Suggested Corrections:

To defend against UAT-7290 and similar China-nexus threat actors, organizations should prioritize the following defensive measures:
  • Hardening Edge Devices: Given the actor’s reliance on 1-day vulnerabilities, a rigorous patch management lifecycle for edge networking equipment is critical. Vulnerabilities in these devices should be patched within 24–48 hours of release.
  • SSH and Credential Security: Implement strict access control lists (ACLs) for SSH management interfaces. Disable password-based authentication in favor of public-key authentication and enforce multi-factor authentication (MFA) for all remote administrative access.
  • Linux Malware Detection: Organizations should deploy Endpoint Detection and Response (EDR) solutions that extend visibility into Linux environments. Monitor for the specific behaviors of SilentRaid, such as unusual tar or rm commands executed via busybox and unauthorized reading of /passwd.
  • Egress Filtering and ORB Detection: Monitor for "long-tail" connections (rare or unusual outbound traffic from edge devices to unknown IP addresses), which may indicate that a device has been co-opted into an ORB network. Implementing a "Zero Trust" architecture for management planes can help isolate these devices from the core network.
  • Threat Hunting: Conduct proactive hunts for indicators of compromise (IOCs) associated with RedLeaves and ShadowPad, as these are frequent precursors to deeper network penetration by this actor.
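
A hunt for the SilentRaid behaviors listed above (tar or rm run through busybox, and reads of /passwd by unexpected processes), as an added example that is not Talos' or this bulletin's own code. It runs over a constructed JSON-lines process/file-access feed; the field names, the expected-reader allowlist, and the inclusion of /etc/passwd alongside /passwd are assumptions to tune for your own telemetry.

```python
import json
import os
from collections import defaultdict

# Constructed sample of Linux process/file-access telemetry in JSON-lines form.
# Not real UAT-7290 data; the field names are an assumption, not Talos' schema.
SAMPLE_EVENTS = """\
{"ts":"2024-05-01T02:11:04Z","host":"edge-gw-01","type":"exec","exe":"/bin/busybox","argv":["busybox","tar","czf","/tmp/.c/cfg.tgz","/etc/config"]}
{"ts":"2024-05-01T02:11:09Z","host":"edge-gw-01","type":"open","exe":"/tmp/.c/sr","path":"/passwd"}
{"ts":"2024-05-01T02:12:30Z","host":"edge-gw-01","type":"exec","exe":"/bin/busybox","argv":["rm","-rf","/tmp/.c"]}
{"ts":"2024-05-01T03:00:00Z","host":"edge-gw-02","type":"exec","exe":"/usr/bin/tar","argv":["tar","xf","backup.tar"]}
{"ts":"2024-05-01T03:05:00Z","host":"edge-gw-02","type":"exec","exe":"/bin/busybox","argv":["busybox","ls","/var/log"]}
{"ts":"2024-05-01T03:06:00Z","host":"edge-gw-02","type":"open","exe":"/usr/sbin/sshd","path":"/etc/passwd"}
"""

WATCHED_APPLETS = {"tar", "rm"}              # behaviors named in the bulletin
WATCHED_PATHS = {"/passwd", "/etc/passwd"}   # /passwd per bulletin; /etc/passwd is an assumption
EXPECTED_PASSWD_READERS = {"/usr/sbin/sshd", "/bin/login"}  # assumption: tune per fleet

def busybox_applet(exe, argv):
    """Return the applet name when the executing binary is busybox, else None.
    busybox runs either as `busybox <applet> ...` or via an applet-named symlink."""
    if os.path.basename(exe) != "busybox" or not argv:
        return None
    if os.path.basename(argv[0]) == "busybox":
        return argv[1] if len(argv) > 1 else None
    return os.path.basename(argv[0])

def detect(lines):
    """Return a list of (host, ts, category, detail) for each suspicious event."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev["type"] == "exec":
            applet = busybox_applet(ev["exe"], ev.get("argv", []))
            if applet in WATCHED_APPLETS:
                findings.append((ev["host"], ev["ts"], f"busybox_{applet}", " ".join(ev["argv"])))
        elif ev["type"] == "open":
            if ev["path"] in WATCHED_PATHS and ev["exe"] not in EXPECTED_PASSWD_READERS:
                findings.append((ev["host"], ev["ts"], "passwd_read", f"{ev['exe']} read {ev['path']}"))
    return findings

def hosts_to_triage(findings, min_categories=2):
    """Hosts showing two or more distinct behaviors deserve a manual look first."""
    cats = defaultdict(set)
    for host, _ts, category, _detail in findings:
        cats[host].add(category)
    return sorted(h for h, c in cats.items() if len(c) >= min_categories)
```

Running detect(SAMPLE_EVENTS.splitlines()) flags the three edge-gw-01 events and leaves the real /usr/bin/tar, the busybox ls, and sshd's read of /etc/passwd alone, so hosts_to_triage() returns only edge-gw-01.
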

Link(s):
https://blog.talosintelligence.com/uat-7290/