- Cybersecurity specialist Rapid7 has identified ‘sleeper cells’ embedded in telco systems
- They are being used for ‘sustained espionage’ by a Chinese ‘threat actor’, according to a new Rapid7 report based on a months-long investigation
Telcos are unknowingly harbouring cybercriminal “sleeper cells” that are “designed to remain undetected while providing persistent visibility into subscriber activity, signaling systems, and sensitive communications – enabling ongoing intelligence collection across environments that support government, commercial and critical infrastructure operations,” according to Boston, Massachusetts-based cybersecurity operations specialist Rapid7.
The company says it undertook a months-long investigation into the “sustained espionage” activity of a “China-nexus threat actor Red Menshen” and has published its findings in a report, BPFdoor in Telecom Networks: Sleeper Cells in the Backbone.
“These ‘sleeper cells’ are designed to remain undetected while providing persistent visibility into subscriber activity, signaling systems and sensitive communications – enabling ongoing intelligence collection across environments that support government, commercial and critical infrastructure operations,” added Rapid7.
Rapid7 explains that BPFdoor is a “stealth Linux backdoor engineered to operate within the operating system kernel”: it takes its name from Berkeley Packet Filter (BPF), an in-kernel virtual machine used by operating systems to filter network packets and monitor system events. “Unlike conventional malware, BPFdoor does not expose listening ports or maintain visible command-and-control channels,” notes Rapid7. “Instead, it abuses Berkeley Packet Filter (BPF) functionality to inspect network traffic directly inside the kernel, activating only when it receives a specifically crafted trigger packet. There is no persistent listener or obvious beaconing. The result is a hidden trapdoor embedded within the operating system itself.”
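As an added illustration of the detection problem that description implies (this is not Rapid7's scanning script and not code from the report): a defender-side check that lists raw AF_PACKET sockets from /proc/net/packet, the socket type a kernel-BPF sniffer attaches to instead of opening a listening port, and maps each one to its owning process so an unexplained owner can be triaged. The function names, the sample table and the /proc handling are my assumptions.

```python
"""Enumerate AF_PACKET raw sockets (what a BPF-filter sniffing backdoor uses
instead of a listening port). Assumes Linux /proc; sample table is constructed."""
import os

SOCK_RAW = 3        # 'Type' column: SOCK_RAW packet socket
ETH_P_ALL = 0x0003  # 'Proto' column: socket receives every frame

# Constructed sample in the layout of /proc/net/packet (not real data).
SAMPLE_PACKET_TABLE = """\
sk       RefCnt Type Proto  Iface R Rmem   User   Inode
ffff8880 3      3    0003   2     1 0      0      12345
ffff8881 2      2    0800   0     1 0      1000   67890
"""

def parse_packet_table(text):
    """Parse /proc/net/packet text into dicts, skipping the header line."""
    rows = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) >= 9:
            rows.append({"type": int(f[2]), "proto": int(f[3], 16),
                         "iface": int(f[4]), "uid": int(f[7]), "inode": int(f[8])})
    return rows

def suspicious_sockets(rows):
    """Raw sockets capturing every frame need triage: tcpdump, DHCP or LLDP
    daemons are expected owners; an unexplained process is not."""
    return [r for r in rows if r["type"] == SOCK_RAW and r["proto"] == ETH_P_ALL]

def inode_to_pids(inodes, proc_root="/proc"):
    """Map socket inodes to PIDs by reading /proc/<pid>/fd links (needs root)."""
    wanted = {f"socket:[{i}]": i for i in inodes}
    owners = {}
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            targets = [os.readlink(os.path.join(fd_dir, fd)) for fd in os.listdir(fd_dir)]
        except OSError:
            continue  # process exited, or not running as root
        for t in targets:
            if t in wanted:
                owners.setdefault(wanted[t], []).append(int(pid))
    return owners

if __name__ == "__main__":
    try:
        with open("/proc/net/packet") as fh:  # live system, else the sample
            table = fh.read()
    except OSError:
        table = SAMPLE_PACKET_TABLE
    hits = suspicious_sockets(parse_packet_table(table))
    owners = inode_to_pids([h["inode"] for h in hits]) if os.path.isdir("/proc") else {}
    for h in hits:
        print(f"raw ETH_P_ALL socket inode={h['inode']} uid={h['uid']} pids={owners.get(h['inode'], '?')}")
```

A hit is a lead, not a verdict: confirm the owning binary, its path and its parent before treating it as an implant, since legitimate capture tools produce the same socket signature.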
The report highlights a “shift from opportunistic intrusion to deliberate, long-term pre-positioning inside telecommunications networks,” noted the company, which added that modern 4G and 5G networks “rely on complex stacks of signaling systems, containerised network functions [CNFs], and high-performance infrastructure” that, if accessed, “can enable long-term intelligence collection, subscriber monitoring and deep visibility into national communications infrastructure.”
Raj Samani, chief scientist at Rapid7, stated: “If you have access to telecommunications infrastructure, you are not just inside one company, you are operating close to the communication layer of entire populations, which makes this type of access highly valuable and elevates detection to a national-level concern. The activity we are seeing continues to evolve in ways that improve stealth and persistence, and organisations should treat detection as the start of investigation, not the end of it.”
Christiaan Beek, VP of cyber intelligence at Rapid7, added: “This is not traditional espionage, it is pre-positioning inside the infrastructure that nations depend on. We are seeing a persistent access model where attackers embed within core communications systems and maintain that access over extended periods.”
The company has highlighted its key findings in this announcement and says it is working with organisations it believes may be affected, though it didn’t identify any that it knows have been infiltrated by sleeper cells.
In addition, to help companies identify potential BPFdoor activity, Rapid7 has released a free, open-source scanning script that has been “designed to detect both previously documented BPFDoor variants and newer samples, and is available to assist organisations in proactively identifying potential compromises”.
Rapid7’s report adds to the security concerns facing telcos, which are still dealing with the fallout from Salt Typhoon. The hacking outfit gained notoriety for breaching multiple major US telco networks but, it transpired, is active in multiple countries and targeting companies across multiple industry sectors – see Security agencies team up for Salt Typhoon warning.
- Ray Le Maistre, Editorial Director, TelecomTV