State-sponsored hackers have compromised several major telcos

Chinese spies may be behind a sophisticated intelligence gathering campaign which has targeted at least 10 major telecom providers and put the privacy of hundreds of millions of their customers at risk.

Over the last two years, hackers have exploited weaknesses in the companies’ IT networks to obtain sensitive data about high-profile individuals, according to Cybereason, the US security vendor that uncovered the campaign.

Its researchers believe foreign intelligence agents, politicians, law enforcement officials, opposition candidates in elections and senior business executives are among those to have been targeted.

In some cases the attackers have been able to assume unfettered control over the providers’ IT systems, installing their own virtual private networks so they can exfiltrate data through encrypted “tunnels”. This allows them to covertly access the call detail records of each affected network’s entire customer base.

Amit Serper, one of the researchers investigating the campaign, told NS Tech that the techniques and tactics used by the attackers “scream APT10”, a threat group believed to work on behalf of the Chinese government. But given the attack looks “textbook APT10”, he said he could not rule out that other attackers were masquerading as the threat group.

Cybereason has been monitoring the campaign, which it calls “Operation Soft Cell”, for around nine months. So far it has found evidence that at least 10 companies in Europe, Asia and Africa have been compromised. The metadata harvested by the attackers includes the physical location of the device, the source, destination and duration of calls, and the type of handset used.

In a blogpost published on Tuesday (25 June), the researchers write: “For a foreign nation state actor, obtaining access to this data gives the threat actor intimate knowledge of the individuals they are targeting, including: Who are they talking to? Which devices are they using? Where are they going?”

“Having this information becomes particularly essential when the attackers are targeting foreign intelligence agents, politicians, opposition candidates in an election, or even law enforcement.”

The nature of the information harvested is not the only cause for concern. “Attackers with total access to a telecommunications provider,” the researchers add, “can attack however they want passively, but also actively work to shut the network down.”

How does the attack work?

The attacks are carried out using Poison Ivy, a remote access trojan attributed to Chinese threat groups. A retrospective analysis revealed the threat group was altering the nature of their attacks every three months.

“The initial indicator of the attack was malicious webshell activity performed by w3wp.exe, an IIS process,” the researchers write. “An investigation of the webshell, later classified as the ‘China Chopper’ webshell, uncovered several attack phases and TTPs. The attackers were able to leverage the webshell to run reconnaissance commands and steal credentials.”
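The detection opportunity the researchers describe above, the IIS worker process w3wp.exe launching command interpreters and reconnaissance commands, can be turned into a simple hunting rule over process-creation telemetry. The following is an added example written for this article, not code from Cybereason or from the report; the pipe-separated log format and the sample events are constructed for illustration, and the list of reconnaissance commands is an assumption rather than the indicators from the actual campaign.

```python
# Added example (not from the article or Cybereason): flag webshell-style
# activity where a web server worker process (w3wp.exe) spawns a command
# interpreter or runs reconnaissance commands. The event format
# "parent_image|image|command_line" and the sample lines are constructed.
import re
from dataclasses import dataclass, field

# Constructed process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    r"C:\Windows\System32\inetsrv\w3wp.exe|C:\Windows\System32\cmd.exe|cmd.exe /c whoami",
    r"C:\Windows\System32\inetsrv\w3wp.exe|C:\Windows\System32\cmd.exe|cmd.exe /c net user /domain",
    r"C:\Windows\System32\inetsrv\w3wp.exe|C:\Windows\System32\cmd.exe|cmd.exe /c ipconfig /all",
    r"C:\Windows\explorer.exe|C:\Windows\System32\cmd.exe|cmd.exe /c whoami",
    r"C:\Windows\System32\inetsrv\w3wp.exe|C:\Windows\System32\inetsrv\w3wp.exe|w3wp.exe -ap DefaultAppPool",
    r"C:\Windows\System32\services.exe|C:\Windows\System32\svchost.exe|svchost.exe -k netsvcs",
]

# Parent processes that should not normally be launching shells.
WEB_SERVER_PROCESSES = {"w3wp.exe"}
# Command interpreters commonly abused via webshells.
SHELL_PROCESSES = {"cmd.exe", "powershell.exe"}
# Assumed set of host/domain reconnaissance commands worth alerting on.
RECON_PATTERN = re.compile(
    r"\b(whoami|net\s+(user|group|localgroup)|ipconfig|systeminfo|tasklist|nltest)\b",
    re.IGNORECASE,
)


@dataclass
class Finding:
    parent: str
    image: str
    command_line: str
    reasons: list = field(default_factory=list)


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def analyze_event(line: str):
    """Return a Finding for a suspicious event, or None for benign ones."""
    parent, image, cmdline = line.split("|", 2)
    reasons = []
    if basename(parent) in WEB_SERVER_PROCESSES:
        if basename(image) in SHELL_PROCESSES:
            reasons.append("web server process spawned a command interpreter")
        if RECON_PATTERN.search(cmdline):
            reasons.append("reconnaissance command launched from web server process")
    if not reasons:
        return None
    return Finding(basename(parent), basename(image), cmdline, reasons)


def detect_webshell_activity(events):
    """Run the rule over a batch of events and return the findings."""
    return [f for f in (analyze_event(e) for e in events) if f is not None]


if __name__ == "__main__":
    for finding in detect_webshell_activity(SAMPLE_EVENTS):
        print(f"{finding.parent} -> {finding.image}: {finding.command_line}")
        for reason in finding.reasons:
            print(f"  - {reason}")
```

Run against the constructed sample, the rule flags the three cmd.exe launches from w3wp.exe and ignores the same `whoami` when a user's explorer.exe is the parent, which is the distinction that makes the parent-child relationship, rather than the command itself, the useful signal.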

Cybereason believes that a number of mergers and acquisitions in the telecoms sector have created weaknesses in companies’ security posture.

“This campaign has widespread implications, not just for individuals, but also for businesses and countries alike,” the researchers note. “The use of specific tools and the choice to hide ongoing operations for years points to a potential nation state actor, most likely China. This is another form of cyberwarfare being used to establish a foothold and leak information undercover until they are ready to strike.”