According to Infosecurity Magazine, a threat actor tracked as UAT-7290 has been running a cyber-espionage campaign against telecommunications networks in South Asia since at least 2022. Cisco Talos assesses with high confidence that the group is linked to China, and that its aim is deep, persistent access to strategically significant telecom infrastructure. Its initial-access tradecraft is unglamorous: exploitation of one-day vulnerabilities in public-facing edge devices (flaws for which a patch already exists) and target-specific SSH brute-force attacks, usually built on publicly available proof-of-concept code rather than custom exploits. In recent months the group has expanded its targeting into Southeastern Europe. Beyond stealing data, UAT-7290 has begun converting compromised systems into Operational Relay Boxes (ORBs), infrastructure that other China-linked groups can route their own operations through. Its core tooling includes modular malware families such as SilentRaid and Bulbature; researchers found a self-signed certificate associated with Bulbature on at least 141 hosts in China or Hong Kong.
The bigger picture: espionage and infrastructure
Here’s the thing: this isn’t just about stealing call records or customer data. Telecom networks are the central nervous system of a country. Gaining persistent access means you can potentially monitor communications, understand social networks, and even disrupt services if needed. It’s the ultimate strategic foothold. And by turning these compromised systems into relay points, UAT-7290 is essentially building a covert highway for other Chinese APT groups. They’re not just a spy ring; they’re becoming a logistics provider for the broader Chinese cyber-espionage ecosystem. That’s a serious escalation in their role and makes them a much more dangerous and entrenched threat.
Why the old-school tactics work
Now, you might think, “They’re just using one-day exploits and public PoC code? That doesn’t sound very advanced.” But that’s missing the point. This approach is brutally effective because it targets the slowest part of any organization’s security: patching. Edge devices such as routers, firewalls and VPN concentrators are a nightmare to update without causing downtime, so they stay vulnerable long after an advisory and a public PoC are out. That gap between disclosure and patch is the window a one-day exploit lives in, and the group’s extensive reconnaissance means it knows exactly which unpatched hole to poke on which device. The same logic applies to the SSH brute-forcing: a management interface reachable from the internet, with password authentication still enabled and a short list of predictable operator accounts, is a far cheaper target than any zero-day. They’re exploiting operational reality, not fancy tooling. For telecom and other critical infrastructure operators, the practical lesson is that the basics are still the hardest things to get right: patch edge devices on a schedule that treats public PoC availability as the trigger, keep management planes off the internet and behind key-only authentication, and segment so that one compromised edge box cannot see the rest of the network.
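As an added example (not from the report or from Cisco Talos), here is a small detector for the target-specific SSH brute-force pattern described above, run over constructed sshd log lines. The hostname, IP addresses, account names and timestamps are all hypothetical. It groups failed logins by source address using a sliding time window and escalates the alert when the same source later succeeds, which on an edge device that should only ever see a handful of known operators is the case that matters.

```python
"""Flag SSH brute-force bursts and post-brute-force logins in sshd syslog output.

Added example; the log lines below are constructed, not real telemetry.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the default OpenSSH/syslog format (hypothetical host and IPs).
SAMPLE_LOG = """\
Mar  3 02:10:01 edge-gw1 sshd[2231]: Failed password for admin from 203.0.113.7 port 51022 ssh2
Mar  3 02:10:03 edge-gw1 sshd[2233]: Failed password for admin from 203.0.113.7 port 51024 ssh2
Mar  3 02:10:05 edge-gw1 sshd[2235]: Failed password for invalid user netops from 203.0.113.7 port 51026 ssh2
Mar  3 02:10:08 edge-gw1 sshd[2237]: Failed password for admin from 203.0.113.7 port 51030 ssh2
Mar  3 02:10:11 edge-gw1 sshd[2239]: Failed password for admin from 203.0.113.7 port 51031 ssh2
Mar  3 02:10:15 edge-gw1 sshd[2241]: Accepted password for admin from 203.0.113.7 port 51035 ssh2
Mar  3 02:30:00 edge-gw1 sshd[2301]: Failed password for alice from 198.51.100.9 port 40001 ssh2
Mar  3 02:30:20 edge-gw1 sshd[2303]: Accepted publickey for alice from 198.51.100.9 port 40002 ssh2
"""

# Matches both "Failed password for admin ..." and "Failed password for invalid user x ...".
LINE_RE = re.compile(
    r"^(?P<month>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_line(line, year=2025):
    """Parse one sshd auth line into a dict, or None if it is not an auth result.

    syslog timestamps carry no year, so the caller supplies one (assumed here)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['month']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(log_text, threshold=5, window_seconds=120):
    """Return alerts keyed by source IP.

    A source is flagged once it accumulates `threshold` failed logins inside any
    `window_seconds` span. An Accepted login from that source at or after the
    moment it was flagged raises severity to critical and records the account."""
    events_by_ip = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            events_by_ip[ev["ip"]].append(ev)

    alerts = {}
    for ip, events in events_by_ip.items():
        failures = sorted((e for e in events if e["result"] == "Failed"), key=lambda e: e["ts"])
        flagged_at = None
        start = 0
        # Sliding window: advance `start` until the window fits, then check its size.
        for end in range(len(failures)):
            while (failures[end]["ts"] - failures[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged_at = failures[end]["ts"]
                break
        if flagged_at is None:
            continue
        success_after = [e for e in events
                         if e["result"] == "Accepted" and e["ts"] >= flagged_at]
        alerts[ip] = {
            "failed_attempts": len(failures),
            "targeted_users": sorted({e["user"] for e in failures}),
            "severity": "critical" if success_after else "high",
            "compromised_accounts": sorted({e["user"] for e in success_after}),
        }
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_bruteforce(SAMPLE_LOG).items():
        print(ip, alert)
```

On the constructed sample the detector flags 203.0.113.7 as critical (five failures in ten seconds against `admin` and `netops`, then a password login as `admin`) and ignores 198.51.100.9, whose single failure followed by a key-based login looks like an operator mistyping. The thresholds are deliberate assumptions; on a real edge device the right values depend on how many legitimate operators it has, and a password-based success at all is worth alerting on if the policy is key-only.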
The China nexus is getting muddled
The overlaps Cisco Talos found are telling. Links to RedLeaves (APT10), ShadowPad, and Red Foxtrot (tied to a PLA unit)? That’s a messy web. It suggests either a high degree of collaboration and tool-sharing among different Chinese groups, or that these “separate” groups are actually just different faces of the same core intelligence apparatus. For defenders, it’s a headache. You can’t just prepare for one group’s playbook. You have to assume that a foothold gained by one could be immediately leveraged by another with a completely different set of objectives. Basically, the wall between espionage groups is more like a very porous membrane.
What it means for telcos and beyond
So what’s the takeaway? Telecommunications providers are in the crosshairs, and they have been for years. This report just puts a name and a methodology to the threat. The expansion into Southeastern Europe shows this isn’t a regional issue; it’s a global campaign against strategic choke points. For any business that relies on these telecom providers, which is basically everyone, it’s an indirect risk: your data flows through their pipes, and if you’re in a sensitive industry you have to assume that communications transiting them could be monitored, which argues for end-to-end encryption you control rather than trust in the carrier. This isn’t a problem any single operator can firewall its way out of. It demands a whole-of-sector, and really a whole-of-government, response focused on hardening these critical network nodes. Because right now, the attackers are playing the long game, and they’re winning.
