Suspected Chinese State Hackers Attack Global Telecom Carriers: Cybereason

Suspected Chinese hackers have infiltrated into the networks of over a dozen telecommunication providers in Europe, Asia, Africa and the Middle East - gaining control and stealing hundreds of gigabytes of data of individuals, a US-based cyber-security firm has revealed.

Any entity that possesses the power to take over the networks of telecommunications providers can potentially leverage its unlawful access and control of the network to shut down or disrupt an entire cellular network as part of a larger cyber warfare operation, said Boston-based Cyberreason.

The team at Cybereason, as part of their Operation Soft Cell, has concluded "with a high level of certainty that the threat actor is affiliated with China and is likely state-sponsored".

"The tools and techniques used throughout these attacks are consistent with several Chinese threat actors, specifically with APT10, a threat actor believed to operate on behalf of the Chinese Ministry of State Security (MSS)," said the firm on Monday.

The hackers have obtained all data stored in the active directory, compromising every single username and password in the organization, along with other personally identifiable information, billing data, call detail records, credentials, email servers, geo-location of users and more.

"Last year, we identified a threat actor that has been operating in telecommunications provider environments for at least two years. We performed a post-incident review of the attacks and were able to identify changes in the attack patterns along with new activity every quarter," said Amit Serper, Cybereason's Head of security research.

"This type of targeted cyber espionage is usually the work of nation state threat actors," he added.

The attack began with a web shell running on a vulnerable, publicly-facing server, from which the attackers gathered information about the network and propagated across the network.

The threat actor attempted to compromise critical assets, such as database servers, billing servers, and the active directory. As malicious activity was detected and remediated against, the threat actor stopped the attack.

During the persistent attack, the attackers worked in waves - abandoning one thread of attack when it was detected and stopped, only to return months later with new tools and techniques.

In 2018, 30 percent of the telecommunications providers reported sensitive customer information was stolen due to an attack.

In the past 13 years, mobile cellular phone subscribers have quadrupled in size and sit at eight billion subscribers today.

Due to their wide availability and the fundamental service they bring, telecommunications providers have become critical infrastructure for the majority of world powers.

"Much like telecommunication providers, many other critical infrastructure organizations provide a valuable targets for nation state threat actors, due to their high impact," said the researchers.

The threat actor managed to infiltrate into the deepest segments of the providers' network, including some isolated from the internet, as well as compromise critical assets.

"Our investigation showed that these attacks were targeted, and that the threat actor sought to steal communications data of specific individuals in various countries," said Cybereason.