These hackers broke into 10 telecoms companies to steal customers' phone records

Researchers at Cybereason say a nation-state-backed intelligence operation has compromised at least 10 global telco companies - to such an extent the attackers run a "de facto shadow IT department".
Written by Danny Palmer, Senior Writer

A nation-state-backed hacking operation of Chinese origin has been targeting global telecommunications providers for a number of years, with cyber attackers gaining access to call data records, the geolocation of users and other information about hundreds of millions of people.

The campaign is thought to have impacted at least ten telecommunications operators around the world and has been uncovered by security researchers at Cybereason after they began investigating suspicious activity on a customer's network last year.

"Someone was actually active in the network, going from computer to computer stealing credentials and siphoning out what can only be described as an insane amount of data – hundreds of gigabytes of data," Amit Serper, principal security researcher at Cybereason, told ZDNet.

The hacking campaign – dubbed Operation Soft Cell – had compromised the IT infrastructure of the investigated target to such an extent that Serper described them as the "de facto shadow IT department of the company". The attackers had even set up their own VPN and at least ten different accounts with administrator privileges, providing access to vast swathes of data and potentially the ability to shut off the network.

Affected targets have been identified in Europe, Africa, the Middle East and Asia, and it's believed the campaign has been active since at least 2017 – if not before.

However, despite having the networks of telecommunications providers around the globe in their hands, the attackers appear to be focused on gaining access to information about specific individuals who researchers describe as high-value targets. About 20 likely targets have been identified since Cybereason first began the investigation.

That information is metadata related to who they're calling, the time and duration of calls, along with information about who they're texting and when. The metadata also provides attackers with the ability to track the user, because their geolocation is revealed by the cellular towers they connect to during the day.

All of this information can be gathered directly from the telecommunications provider and without the need to compromise the user's phone with malware, in what Serper described as an intelligence and surveillance operation.

"This is basically attacking without hacking – they're attacking the telcos for strategic assets. It's an access operation: they want to gain access to a never-ending fountain of intelligence and data. And they can do it all without touching the victim's phone," he said.

Cybereason believes that there is a "high level of certainty" that the threat actor behind Soft Cell is state-sponsored and that the group is affiliated with China, with the operation likely linked to the Chinese hacking group APT10.

One of the key reasons behind this conclusion is that the initial compromise is based around a modified version of the China Chopper web shell – a backdoor that enables attackers to take over entire systems, which has been used in previous China-backed campaigns. While researchers can't completely rule out a non-Chinese attack group copying APT10, they think it unlikely.

Once inside the network, Soft Cell goes out of its way to stay under the radar as it collects information about the network, compromising usernames and passwords with the aid of a modified version of Mimikatz, which allows lateral movement around the target and access whenever the attackers please.

Researchers also found evidence that attackers used a second method to quietly maintain access to compromised assets – the deployment of the PoisonIvy Remote Access Trojan. PoisonIvy has long been associated with Chinese threat actors and, as well as stealing credentials and screenshots, it contains keylogging and other surveillance features which allow the attackers to maintain persistence in the network.

So far, the campaign has been entirely focused on stealing call data records, but with the amount of control it's thought the hackers have over compromised networks, there's the potential that they could engage in a far more wide-ranging and more damaging attack.

"They've owned the network and can do what they want. If they wanted to, they could shut the network down. That's what I'm worried about, because cellular networks are critical infrastructure nowadays," said Serper.

Cybereason is working alongside a number of global telecommunications firms in an effort to counter the threat – and it's believed that the hacking operation has infiltrated the networks of additional telco providers on top of the ten that are currently known to have been impacted.

"This is a global campaign – and it's still going, we still see activity across the world. This is far from over," said Serper.

"It should be a wakeup call for everyone – for providers who have all this metadata. And it should be a wakeup call for us, the consumers to demand better action from providers," he added.
