More than a dozen global mobile network providers have been attacked in a successful effort to obtain information on specific subscribers, including call detail records and geolocation information, according to a cybersecurity firm and published reports. Security firm Cybereason, which detailed the mechanisms behind the attack, concluded that it was most likely a state-sponsored attack originating in China.
The attack was part of Operation Soft Cell, which Cybereason described as an “advanced, persistent attack targeting telecommunications providers that has been underway for years.” It has been active since at least 2012 but was identified earlier this year by Cybereason, which said it supported a telecom provider through four more waves of the attack.
According to published reports, the hackers were after the call detail records (CDRs) of about 20 specific individuals, including military officials, dissidents, spies and law enforcement, but had access to far more information inside the compromised telecom companies. Reuters reported that the attackers “compromised companies in more than 30 countries and aimed to gather information on individuals in government, law-enforcement and politics.” The Wall Street Journal reported that Cybereason briefed more than two dozen global carriers on the hack last weekend because of its unprecedented “mass espionage ability to track any person across different countries.”
The attacks involved “attempting to steal all data stored in the Active Directory, compromising every single username and password in the organization, along with other personally identifiable information, billing data, call detail records, credentials, email servers, geo-location of users, and more,” Cybereason said in a blog entry on the attack. After obtaining stolen credentials, the firm continued, the hackers abused those credentials to “create rogue, high-privileged domain user accounts which they then used to take malicious action. By creating these accounts, they ensured they would maintain access between different waves of the attack. Once the threat actor regains their foothold, they already have access to a high-privileged domain user account.”
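The persistence pattern described above, a freshly created domain account that is promptly placed in a privileged group, leaves a characteristic trace in the Windows Security log: an account-creation event (4720) followed shortly by a member-added event (4728, 4732 or 4756) naming a high-privilege group. The following detector is an added example written for this page; it is not code from Cybereason or from the article. The event records, the field names, the list of privileged groups and the 24-hour correlation window are all assumptions chosen for illustration, and the sample events are constructed, not real telemetry. In practice the records would be exported from the Security log (for example with Get-WinEvent) and flattened into the same dict shape before being fed to the function.

```python
"""Flag newly created domain accounts that are quickly added to privileged groups.

This is a worked example added to the page, not code from the original
report. Assumptions: Security-log events have already been flattened into
dicts with the keys used below; the privileged-group set and the default
correlation window are illustrative choices, not a published baseline.
"""
from datetime import datetime

# Windows Security event IDs (these IDs are real):
EVT_USER_CREATED = 4720            # A user account was created
EVT_GROUP_ADD = {4728, 4732, 4756}  # Member added to a security-enabled
                                    # global / local / universal group

# Illustrative set of groups whose membership amounts to domain-wide control.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators", "Schema Admins"}

# Constructed sample records (not real telemetry). Two accounts are created and
# elevated within minutes; one account is created and added only to a benign
# group; one elevation happens days after creation, outside the default window.
SAMPLE_EVENTS = [
    {"id": 4720, "time": "2019-03-02T01:12:07", "subject": "CORP\\svc_backup", "target": "CORP\\mgmt_svc01"},
    {"id": 4728, "time": "2019-03-02T01:13:30", "subject": "CORP\\svc_backup", "target": "CORP\\mgmt_svc01", "group": "Domain Admins"},
    {"id": 4720, "time": "2019-03-02T09:30:00", "subject": "CORP\\hr_admin", "target": "CORP\\jsmith"},
    {"id": 4728, "time": "2019-03-02T09:31:00", "subject": "CORP\\hr_admin", "target": "CORP\\jsmith", "group": "HR Staff"},
    {"id": 4720, "time": "2019-03-04T03:00:00", "subject": "CORP\\itops7", "target": "CORP\\sysmaint"},
    {"id": 4756, "time": "2019-03-04T03:20:00", "subject": "CORP\\itops7", "target": "CORP\\sysmaint", "group": "Enterprise Admins"},
    {"id": 4732, "time": "2019-03-05T22:45:00", "subject": "CORP\\svc_backup", "target": "CORP\\mgmt_svc01", "group": "Administrators"},
]


def _ts(value):
    """Parse the ISO-8601 timestamp used in the constructed records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")


def find_rogue_privileged_accounts(events, window_seconds=86400, privileged=PRIVILEGED_GROUPS):
    """Return one finding per (new account, privileged group) pair where the
    group membership was granted within `window_seconds` of account creation.

    Group additions for accounts with no creation event in the supplied log
    are skipped: a pre-existing account being elevated is a different signal
    and should be handled by a membership-baseline check instead.
    """
    ordered = sorted(events, key=lambda e: _ts(e["time"]))

    # Earliest creation event per account: (created_at, created_by).
    created = {}
    for ev in ordered:
        if ev["id"] == EVT_USER_CREATED:
            created.setdefault(ev["target"], (_ts(ev["time"]), ev["subject"]))

    findings = []
    for ev in ordered:
        if ev["id"] not in EVT_GROUP_ADD or ev.get("group") not in privileged:
            continue
        if ev["target"] not in created:
            continue  # elevation of an account whose creation we did not observe
        created_at, created_by = created[ev["target"]]
        delay = (_ts(ev["time"]) - created_at).total_seconds()
        if 0 <= delay <= window_seconds:
            findings.append({
                "account": ev["target"],
                "created_by": created_by,
                "group": ev["group"],
                "added_by": ev["subject"],
                "delay_seconds": int(delay),
                "event_id": ev["id"],
            })
    return findings


if __name__ == "__main__":
    for f in find_rogue_privileged_accounts(SAMPLE_EVENTS):
        print(f"{f['account']} created by {f['created_by']} and added to "
              f"{f['group']} by {f['added_by']} after {f['delay_seconds']}s")
```

On the constructed sample the detector reports mgmt_svc01 (Domain Admins, 83 seconds after creation) and sysmaint (Enterprise Admins, 20 minutes after creation); jsmith is ignored because HR Staff is not a privileged group, and the later Administrators addition for mgmt_svc01 falls outside the window. Shrinking the window trades recall for fewer alerts during legitimate admin onboarding, so tune it against your own 4720/4728 history rather than taking the default.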
“When you think of large breaches to big organizations, the first thing that comes to mind is usually payment data,” Cybereason noted. “An organization that provides services to a large customer base has a lot of credit card data, bank account information, and more personal data on its systems. These attacks are usually conducted by a cybercrime group looking to make money. In contrast, when a nation state threat actor is attacking a big organization, the end goal is typically not financial, but rather intellectual property or sensitive information about their clients.
“For a nation state threat actor, obtaining access to this data gives them intimate knowledge of any individuals they wish to target on that network. It lets them answer questions like: Who are the individuals talking to? Which devices are the individuals using? Where are the individuals traveling? Having this information becomes particularly valuable when nation-state threat actors are targeting foreign intelligence agents, politicians, opposition candidates in an election, or even law enforcement,” Cybereason said.
The company cautioned that while it could not reach 100% certainty on attributing the attack, it had a “high level of certainty” that it was a state-sponsored threat actor associated with China.
“Beyond targeting individual users, this attack is also alarming because of the threat posed by the control of a telecommunications provider. Telecommunications has become critical infrastructure for the majority of world powers. A threat actor with total access to a telecommunications provider, as is the case here, can attack however they want passively and also actively work to sabotage the network,” Cybereason said. “This attack has widespread implications, not just for individuals, but also for organizations and countries alike. The use of specific tools and the choice to hide ongoing operations for years points to a nation state threat actor, most likely China. This is another form of cyber warfare being used to establish a foothold and gather information undercover until they are ready to strike.”