June 26, 2019 By Pierluigi Paganini
Operation Soft Cell – Experts at Cybereason discovered that China-linked hackers have breached numerous telco providers and taken control of their networks.
Researchers at Cybereason uncovered an ongoing, long-running espionage campaign, tracked as Operation Soft Cell, that targets telco providers. The tactics, techniques, and procedures, together with the type of targets, suggest the involvement of a nation-state actor likely linked to the Chinese group APT10.
Once they have compromised the networks of telecommunication companies, attackers can access mobile phone users’ call data records (CDRs).
“Based on the data available to us, Operation Soft Cell has been active since at least 2012, though some evidence suggests even earlier activity by the threat actor against telecommunications providers. The attack was aiming to obtain CDR records of a large telecommunications provider,” reads the report published by Cybereason.
“The threat actor was attempting to steal all data stored in the active directory, compromising every single username and password in the organization, along with other personally identifiable information, billing data, call detail records, credentials, email servers, geo-location of users, and more.”
According to Amit Serper, head of security research at Cybereason, the attackers exfiltrated gigabytes of data from the target networks, but always in relatively small amounts to remain under the radar.
Experts explained that the attackers did not exfiltrate the telco companies’ entire archives; instead, they accessed the data by querying the systems from within the target network.
The attack scenario sees the hackers plant a malicious web shell on an IIS server, identified as a modified version of the China Chopper web shell, which was used to run reconnaissance commands, steal credentials, and deploy other hacking tools.
The attackers then launched a series of reconnaissance commands to gather information about the target infrastructure (e.g. machines within the network, network architecture, users, and Active Directory enumeration).
The hackers also used a modified version of Nbtscan to determine the availability of NetBIOS name servers locally or over the network. They also relied on multiple Windows built-in tools (such as whoami, net.exe, ipconfig, netstat, and portqry) and on WMI and PowerShell commands.
The threat actors also used the Poison Ivy RAT to maintain long-term access across the compromised network, and a modified version of Mimikatz to dump credentials. WMI and PsExec were used for lateral movement, WinRAR was used to compress and password-protect stolen data, and a modified version of hTran was used to exfiltrate the data.
Experts believe that hundreds of millions of mobile phone users around the world have been affected, including high-value espionage targets such as foreign intelligence agents, politicians, and opposition candidates.
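The chain described above (a web shell on an IIS server used to run whoami, net.exe, ipconfig, netstat and portqry) leaves a recognisable trace in process-creation telemetry: discovery commands whose parent is the IIS worker process. The following detection heuristic is an added example written for this article; it is not code from Cybereason or from the report. It assumes Sysmon-style process-creation records in a simple pipe-delimited form, assumes the web shell executes under `w3wp.exe` (the IIS worker process), and uses constructed host names and command lines.

```python
"""
Added detection example (not from the article or Cybereason): flag reconnaissance
commands launched by an IIS worker process, the pattern a web shell such as China
Chopper produces when an operator runs whoami / net / ipconfig / netstat / portqry
through it. The log format, host names and command lines below are constructed.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Discovery tools named in the article, plus nbtscan (the NetBIOS scanner it mentions).
RECON_RE = re.compile(
    r"\b(whoami|netstat|net1|net|ipconfig|portqry|nbtscan)(?:\.exe)?\b", re.IGNORECASE)
# Assumption: the web shell runs inside the IIS worker process, so its commands have this parent.
WEB_WORKERS = {"w3wp.exe"}
WINDOW = timedelta(minutes=10)   # distinct tools seen inside this window count towards one alert
MIN_DISTINCT = 3                 # one stray whoami is noise; several different tools are not

# Constructed Sysmon-style process-creation records: time|host|parent_image|image|command_line
SAMPLE_LOG = r"""
2019-06-01T10:00:01|WEB01|C:\Windows\System32\inetsrv\w3wp.exe|C:\Windows\System32\cmd.exe|cmd.exe /c whoami
2019-06-01T10:00:07|WEB01|C:\Windows\System32\inetsrv\w3wp.exe|C:\Windows\System32\cmd.exe|cmd.exe /c net group "domain admins" /domain
2019-06-01T10:00:15|WEB01|C:\Windows\System32\inetsrv\w3wp.exe|C:\Windows\System32\cmd.exe|cmd.exe /c ipconfig /all
2019-06-01T10:00:40|WEB01|C:\Windows\System32\inetsrv\w3wp.exe|C:\Windows\System32\cmd.exe|cmd.exe /c netstat -ano
2019-06-01T10:05:00|WEB01|C:\Windows\System32\inetsrv\w3wp.exe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe|csc.exe /noconfig /fullpaths @"C:\Temp\build.cmdline"
2019-06-01T11:30:00|FS02|C:\Windows\explorer.exe|C:\Windows\System32\cmd.exe|cmd.exe /c whoami
2019-06-01T11:30:05|FS02|C:\Windows\explorer.exe|C:\Windows\System32\cmd.exe|cmd.exe /c ipconfig /all
"""


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parse(line):
    """Split one record into its fields; image names become lower-cased basenames."""
    ts, host, parent, image, cmd = line.split("|", 4)
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "parent": _basename(parent), "image": _basename(image), "cmd": cmd}


def recon_tool(event):
    """Name of the discovery tool a web-worker child invokes, or None if not suspicious."""
    if event["parent"] not in WEB_WORKERS:
        return None          # an admin running whoami from explorer/cmd is normal activity
    m = RECON_RE.search(event["image"]) or RECON_RE.search(event["cmd"])
    return m.group(1).lower() if m else None


def detect(log_text):
    """Return one alert per host where >= MIN_DISTINCT recon tools ran under w3wp.exe within WINDOW."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse(line)
        tool = recon_tool(ev)
        if tool:
            hits[ev["host"]].append((ev["ts"], tool, ev["cmd"]))

    alerts = []
    for host, events in hits.items():
        events.sort()
        for i, (start, _, _) in enumerate(events):
            window = [e for e in events[i:] if e[0] - start <= WINDOW]
            tools = sorted({t for _, t, _ in window})
            if len(tools) >= MIN_DISTINCT:
                alerts.append({"host": host, "first_seen": start.isoformat(),
                               "tools": tools, "commands": [c for _, _, c in window]})
                break            # one alert per host is enough for triage
    return alerts


if __name__ == "__main__":
    print(json.dumps(detect(SAMPLE_LOG), indent=2))
```

Run stand-alone, the script reports a single alert for WEB01 (four distinct tools within a minute) and nothing for FS02, where the same commands came from an interactive session. The legitimate `csc.exe` child of `w3wp.exe` (ASP.NET compilation) is ignored because it is not a discovery tool; in a real deployment the parent set and the tool list would be tuned to the environment, and the same grouping logic applies to WMI- or PsExec-spawned children on hosts reached by lateral movement.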
“Beyond targeting individual users, this attack is also alarming because of the threat posed by the control of a telecommunications provider. Telecommunications has become critical infrastructure for the majority of world powers. A threat actor with total access to a telecommunications provider, as is the case here, can attack however they want passively and also actively work to sabotage the network,” concludes the analysis.
“This attack has widespread implications, not just for individuals, but also for organizations and countries alike.”