Chinese Hackers Linked to Global Attacks on Telcos

Security researchers on Monday reported that Chinese hackers are the likely perpetrators of a series of cyberattacks against telecommunications companies around the world.

The campaign, dubbed “Operation Soft Cell,” has been active since 2012, according to Cybereason, an endpoint security company based in Boston.

There is some evidence suggesting even earlier activity against the telecommunications providers, all of whom were outside North America, the researchers said.

The attackers attempted to steal all data stored in the organizations' Active Directory servers, including every username and password in the companies, as well as other personally identifiable information, billing data, call detail records, credentials, email servers, geo-location of users, and more, according to the report.

Based on the tools used in the attacks, such as PoisonIvy RAT, and the tactics, techniques and procedures deployed by the attackers, the campaign likely was run by APT10, a notorious group of Chinese hackers, the researchers pointed out.

The U.S. Justice Department last year indicted two members of APT10 for conspiracy to commit computer intrusions, conspiracy to commit wire fraud, and aggravated identity theft.

There is some solid evidence APT10 was behind the attacks, such as the way they customized PoisonIvy and the idiosyncratic breadcrumbs they left behind, said Sam Curry, chief security officer at Cybereason.

“The way the customization is done, the way they write the scripts, is the sort of thing we’ve seen time and again,” he told TechNewsWorld. “There’s a high probability that it’s a Chinese hacker.”

Alarming Attack

The hackers attacked organizations in waves launched over a period of months, the report notes. During that time, they were able to map the target networks and compromise credentials. That enabled them to compromise critical assets — such as production and database servers, and even domain controllers.

“Beyond targeting individual users, this attack is also alarming because of the threat posed by the control of a telecommunications provider,” the report states. “Telecommunications has become critical infrastructure for the majority of world powers. A threat actor with total access to a telecommunications provider, as is the case here, can attack however they want passively and also actively work to sabotage the network.”

The attack has widespread implications — not just for individuals, but also for organizations and countries alike, the Cybereason researchers said.

“The use of specific tools and the choice to hide ongoing operations for years points to a nation state threat actor, most likely China,” they wrote. “This is another form of cyber warfare being used to establish a foothold and gather information undercover until they are ready to strike.”

There are similarities between Operation Soft Cell and another telecom attack, suggested Lavi Lazarovitz, a cyber research group manager at CyberArk Labs, an information security company based in Newton, Massachusetts.

“This widespread attack on telecommunications companies has similar characteristics to Operation Socialist,” he told TechNewsWorld.

Operation Socialist — a CIA and British GCHQ campaign revealed by Edward Snowden — attempted to take control of the Belgian telecommunications company Belgacom.

“It leverages privileged accounts and probably shadow admins to allow persistency and control,” Lazarovitz said.

Useful Information

Information reaped by campaigns like Operation Soft Cell can be invaluable to a foreign intelligence service, noted Jonathan Tanner, a senior security researcher at Barracuda Networks, based in Campbell, California.

“Tracking a target’s daily routines alone can be useful for a number of motivations, ranging from enumerating contacts to asset recruitment, to abduction or assassination,” he told TechNewsWorld.

That sort of work traditionally is carried out by surveillance teams, but with technology it’s becoming increasingly easy to gain that information by other means with significantly less manpower, Tanner explained.

“The irony with this breach is that many carriers actually sell this data anyway, through third parties such as Zumigo, who then resell it without checking into their buyers' backgrounds,” he said.

Stolen data from telcos can be valuable to more than just Chinese intelligence agencies.

“This type of attack would greatly help Huawei in their fight to control as much of the 5G space as possible,” said Jonathan Olivera, a threat analyst for Centripetal Networks, a network security company in Herndon, Virginia.

“When a country like China relies on surveillance and intellectual property theft to keep its momentum going, it will be hard to stop and prevent expansion,” he told TechNewsWorld.

Familiar Playbook

The breadth and persistence of the attacks aren’t the only discouraging characteristics of Operation Soft Cell.

“This plays out like every other hack that we’ve heard about in a major organization for years and years and years,” said Chet Wisniewski, principal research scientist at Sophos, a network security and threat management company based in the UK.

“It’s clear that these big companies are not taking this stuff seriously enough, especially the ones that have sensitive information about us. The giant role these companies play in our lives demands that they take security more seriously,” he told TechNewsWorld.

“The stuff that these guys did was stuff any skilled pen tester would do,” Wisniewski said.

“The attacks didn’t have any super secret stuff. There were no new zero-day vulnerabilities here — no new tools that no one had ever heard of before. All the stuff was off the shelf. I could teach a college student how to use it in a semester,” he said.

“We know this playbook,” Wisniewski added, “and big companies should be able to defend against it.”

Cold War in Cyberspace

Campaigns like Operation Soft Cell are likely to continue without abatement, noted Satya Gupta, CTO of Virsec, an applications security company in San Jose, California.

“These attacks will continue for the foreseeable future, as long as there is political tension and unrest in any number of regions,” he told TechNewsWorld. “Infrastructure attacks on all sides are trying to sow uncertainty, which has both political and financial value to the perpetrators.”

As for China, it seems content with economic espionage, for the most part, but that could change in the future, too.

“As long as we’re involved in trade wars, I’m not as worried as if China starts to feel threatened about its sphere of influence,” said Richard Stiennon, chief research analyst at IT Harvest, an industry analyst firm in Birmingham, Michigan.

“If it’s trade wars, China’s target of interest will be the same as it’s always been: economic espionage. If it’s sphere-of-influence stuff, then the targets of interest could escalate dramatically,” he told TechNewsWorld.

“We are essentially in a cyber cold war, and many of the same factors still apply regarding escalation of hostilities and the overall desire to avoid an actual war as a result of ongoing activities,” Barracuda’s Tanner added. “Countries will continue to push the boundaries, but a major increase in attacks runs the risk of being seen as an act of war, which no country wants.”

John P. Mello Jr.

John P. Mello Jr. has been an ECT News Network reporter since 2003. His areas of focus include cybersecurity, IT issues, privacy, e-commerce, social media, artificial intelligence, big data and consumer electronics. He has written and edited for numerous publications, including the Boston Business Journal, the Boston Phoenix, Megapixel.Net and Government Security News.