A Chinese-linked operation has been found stealing sensitive call data, including personally identifiable information, by breaching telecommunications networks in order to gather espionage intelligence on high-value targets, a report reveals.
The operation, called Operation Soft Cell, was discovered by the cybersecurity research firm Cybereason and is said to have been running since 2012 – a total of seven years of intrusions into telecom systems and networks in different countries around the world. Researchers have also found evidence that the operation had been attacking cellular networks for a few years before 2012.
A state-sponsored operation
Researchers have linked the operation to the China-based hacking group APT10, because the tools and TTPs (tactics, techniques, and procedures) used in the attacks are commonly associated with that Chinese threat actor. They also believe the attacks are state-sponsored and highly coordinated.
“We’ve concluded with a high level of certainty that the threat actor is affiliated with China and is likely state-sponsored. The tools and techniques used throughout these attacks are consistent with several Chinese threat actors, specifically with APT10, a threat actor believed to operate on behalf of the Chinese Ministry of State Security (MSS),” the researchers said in the report.
According to the researchers, the attacks were aimed at obtaining the call detail records (CDRs) of a large telecommunications provider. The threat actor attempted to steal all data stored in Active Directory, compromising every username and password in the organization, along with other personally identifiable information, billing data, call detail records, credentials, email servers, geolocation of users, and more.
Modifying attacks wave after wave to prevent being linked
The attackers have also been evolving, changing their techniques from time to time to prevent the attacks from being linked to each other.
“During the persistent attack, the attackers worked in waves – abandoning one thread of attack when it was detected and stopped, only to return months later with new tools and techniques.”
The attack began with a web shell running on a vulnerable, publicly facing server, from which the attackers gathered information about the network and moved laterally across it. The hackers attempted to compromise critical assets such as database servers, billing servers, and Active Directory. Once the malicious activity was detected and remediated, the threat actor stopped the attack.
The second wave hit several months later with similar infiltration attempts, a modified version of the web shell, and further surveillance activity. This cycle is said to have continued, with the attackers and defenders playing a game of cat and mouse: every time the defenders cornered the attackers, they stopped and returned with a modified attack, a few more times over the following four months.
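The detect-and-return cycle above turns on spotting the web shell on the public-facing server early. The following is an added example, not code from Cybereason or from the report, showing one defender-side heuristic: triage a web server access log for script paths that were not part of the known application, are hit almost exclusively with POST requests, by very few client IPs, with no referrer. The log lines, the IP addresses, the `/images/cache.aspx` path, and the `KNOWN_PATHS` allowlist are all constructed for this example.

```python
"""Heuristic web-shell triage over web server access logs (added example, not from the report)."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Apache/IIS-style "combined" log line: ip ident user [ts] "METHOD path proto" status size "referrer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Server-side script extensions worth looking at; static assets are ignored.
SCRIPT_EXT = ('.aspx', '.asp', '.ashx', '.php', '.jsp')

# Constructed allowlist: script paths that belong to the deployed application.
KNOWN_PATHS = {'/login.aspx', '/index.aspx', '/portal/search.aspx'}

# Constructed sample log (documentation-range IPs); the last four lines mimic shell traffic.
SAMPLE_LOG = [
    '198.51.100.10 - - [21/Jun/2019:09:00:01 +0000] "GET /login.aspx HTTP/1.1" 200 1842 "https://portal.example/" "Mozilla/5.0"',
    '198.51.100.11 - - [21/Jun/2019:09:00:05 +0000] "GET /login.aspx HTTP/1.1" 200 1842 "https://portal.example/" "Mozilla/5.0"',
    '198.51.100.12 - - [21/Jun/2019:09:00:09 +0000] "POST /login.aspx HTTP/1.1" 302 0 "https://portal.example/login.aspx" "Mozilla/5.0"',
    '198.51.100.10 - - [21/Jun/2019:09:01:00 +0000] "GET /css/site.css HTTP/1.1" 200 9000 "https://portal.example/" "Mozilla/5.0"',
    '198.51.100.12 - - [21/Jun/2019:09:02:00 +0000] "GET /portal/search.aspx?q=x HTTP/1.1" 200 4000 "https://portal.example/" "Mozilla/5.0"',
    '198.51.100.13 - - [21/Jun/2019:09:02:30 +0000] "POST /portal/search.aspx HTTP/1.1" 200 4100 "https://portal.example/portal/search.aspx" "Mozilla/5.0"',
    '203.0.113.7 - - [21/Jun/2019:10:01:02 +0000] "POST /images/cache.aspx HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [21/Jun/2019:10:01:09 +0000] "POST /images/cache.aspx HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [21/Jun/2019:10:03:44 +0000] "POST /images/cache.aspx HTTP/1.1" 200 128 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [21/Jun/2019:10:07:15 +0000] "POST /images/cache.aspx HTTP/1.1" 200 64 "-" "Mozilla/5.0"',
]


@dataclass
class PathStats:
    """Per-path counters used by the heuristics."""
    clients: set = field(default_factory=set)
    posts: int = 0
    total: int = 0
    no_referrer: int = 0


def parse_line(line):
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def triage(lines, known_paths, min_hits=3):
    """Flag script paths that are unknown to the app and match at least two shell-like traits.

    Traits: >=80% POST requests, <=2 distinct client IPs, >=80% requests without a referrer.
    Returns a sorted list of (path, [reasons]).
    """
    stats = defaultdict(PathStats)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec['path'].split('?', 1)[0].lower()
        if not path.endswith(SCRIPT_EXT):
            continue  # static content cannot execute server-side
        s = stats[path]
        s.total += 1
        s.clients.add(rec['ip'])
        if rec['method'] == 'POST':
            s.posts += 1
        if rec['ref'] in ('', '-'):
            s.no_referrer += 1

    findings = []
    for path, s in stats.items():
        if path in known_paths or s.total < min_hits:
            continue  # allowlisted application page, or too little traffic to judge
        reasons = []
        if s.posts / s.total >= 0.8:
            reasons.append('mostly POST')
        if len(s.clients) <= 2:
            reasons.append('few client IPs')
        if s.no_referrer / s.total >= 0.8:
            reasons.append('no referrer')
        if len(reasons) >= 2:
            findings.append((path, sorted(reasons)))
    return sorted(findings)


if __name__ == '__main__':
    for path, reasons in triage(SAMPLE_LOG, KNOWN_PATHS):
        print(f'{path}: {", ".join(reasons)}')
```

The allowlist matters more than the thresholds: a path the deployed application never shipped is the strongest single signal, and the traffic-shape heuristics mainly rank what to look at first. In practice the allowlist is generated from the deployment manifest or a file-integrity baseline of the web root rather than typed by hand, and the flagged file itself is then pulled for content review.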
Espionage is the primary motivation
According to the researchers, several motives can be identified behind this massive intrusion. As hacking operations become one of the newest frontiers of the global power struggle, institutions that store vast amounts of data have become targets, and telecommunications providers are among the most exposed sectors.
“Due to their wide availability and the fundamental service they bring, telecommunications providers have become critical infrastructure for the majority of world powers,” they wrote in the report.
“Threat actors, especially those at the level of nation state, are seeking opportunities to attack these organizations, conducting elaborate, advanced operations to gain leverage, seize strategic assets, and collect information. When successful, these attacks often have huge implications.”
Furthermore, the researchers said that when an attack is this large and state-supported, the motive is usually not financial; instead, the aim is to collect data such as intellectual property and sensitive information about the provider's customers.
One of the most valuable pieces of data a telecommunications provider holds is its call detail records (CDRs). CDRs are a large body of metadata describing every call, including its source, destination, and duration, as well as device details, physical location, and device vendor and version.
This information is invaluable to threat actors because it gives them intimate knowledge of any individual they wish to target on that network. It becomes particularly valuable when nation-state threat actors are targeting foreign intelligence agents, politicians, opposition candidates in an election, or even law enforcement.
“Beyond targeting individual users, this attack is also alarming because of the threat posed by the control of a telecommunications provider. Telecommunications has become critical infrastructure for the majority of world powers. A threat actor with total access to a telecommunications provider, as is the case here, can attack however they want passively and also actively work to sabotage the network,” they added.