The security firm Cybereason says it has identified a likely state-sponsored attack on ten global mobile phone networks, which it has attributed to “the Chinese-affiliated threat actor APT10” and which has been “underway for years.”
According to Cybereason, the attackers had the run of the carriers’ networks and used that access to exfiltrate mountains of data (“hundreds of gigabytes”) on at least 20 individuals, including who they called, where they went, and which devices they used. The attacks are believed to have started before 2017.
Cybereason declined to name the affected networks or the attackers’ targets but confirmed that they were not based in North America.
Carriers retain call records for many purposes, including billing and billing disputes. Some carriers in lax regulatory environments collect and retain extra data to use in marketing or to sell to marketing brokers, while others operate in strict regulatory environments where law enforcement demands that they collect and retain extra data for use in domestic surveillance.
Any data that is collected is liable to leak. Any data that is retained is certain to leak.
Last year, we identified a threat actor that has been operating in telecommunications provider environments for at least two years. We performed a post-incident review of the attacks and were able to identify changes in the attack patterns along with new activity every quarter.
The threat actor mainly sought to obtain CDR data (call logs, cell tower locations, etc.) belonging to specific individuals from various countries. This type of targeted cyber espionage is usually the work of nation state threat actors.
We’ve concluded with a high level of certainty that the threat actor is affiliated with China and is likely state sponsored. The tools and techniques used throughout these attacks are consistent with several Chinese threat actors, specifically with APT10, a threat actor believed to operate on behalf of the Chinese Ministry of State Security (MSS).
The attack began with a web shell running on a vulnerable, publicly-facing server, from which the attackers gathered information about the network and propagated across the network. The threat actor attempted to compromise critical assets, such as database servers, billing servers, and the Active Directory. As malicious activity was detected and remediated against, the threat actor stopped the attack.
The second wave of the attack hit several months later with similar infiltration attempts, along with a modified version of the web shell and reconnaissance activities. A game of cat and mouse between the threat actor and the defenders began, as they ceased and resumed their attack two more times in the span of a four-month period.
Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers [Mor Levi, Assaf Dahan, and Amit Serper/Cybereason]
Hackers are stealing years of call records from hacked cell networks [Zack Whittaker/Techcrunch]