Chinese hackers targeted global telecommunications providers for years
4 July 2019
Security researchers have revealed that Chinese threat actors were possibly behind a large-scale cyber attack targeting global telecommunications providers in order to gain access to detailed call logs and geolocations of certain users from various countries.
In an investigation dubbed Operation Soft Cell that lasted several months, security researchers at Cybereason recently detected a massive cyber attack that targeted global telecommunication providers in order to gain access to CDRs (Call Data Records) and geolocations of certain users from various countries.
The cyber operation was possibly launched as far back as 2012 and involved hackers utilizing a number of advanced tools and techniques to gain access to networks owned by telecommunications providers, steal privileged credentials, create new credentials of their own with privileged access, and then use these credentials to obtain specific data related to consumers.
Hackers infiltrated networks of telecommunications providers by using web shells
As detailed by Cybereason, a hacking operation targeting a telecommunications provider started at least two years ago with hackers using a malicious web shell (a modified version of the China Chopper web shell) to run reconnaissance commands on a vulnerable, publicly-facing server to obtain information about the compromised machine, the network architecture, and users, and to perform Active Directory enumeration.
Once the reconnaissance was completed, the hackers used several credential-stealing tools to obtain credentials stored on the compromised machines. The most common tool used by them was a modified Mimikatz that requires no command-line arguments and hence prevents organisations from identifying the threat actors through command-line auditing.
After stealing credentials from compromised machines, the hackers then proceeded to move laterally within networks and compromised critical assets including production servers and database servers, and also gained full control over the Domain Controller.
The hackers also created rogue, high-privileged domain user accounts not only to gain a foothold and maintain a permanent presence in telecommunication providers’ networks but also to take a series of malicious actions.
They also used the PoisonIvy RAT that offers various features such as credential stealing, taking screenshots, editing registries, keylogging, various surveillance features, and a file manager with upload and download support.
Additionally, the hackers deployed two other custom-built web shells to launch reconnaissance commands and steal data, and also used tools such as cmd.exe, WinRAR, and the notorious hTran to infiltrate networks and exfiltrate user data.
The hackers also operated in such a way that, once detected by an organisation, they ceased operations and returned a few months later using new attack techniques as well as new hacking and data exfiltration tools. The creation of rogue accounts with privileged access also ensures that they do not have to steal credentials every time they attack a network.
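Two of the behaviours described above leave distinctive traces in standard Windows telemetry: a web shell executes its reconnaissance commands as child processes of the web server worker, and a rogue privileged account shows up as an account-creation event followed shortly by a privileged-group membership change. The following detection logic is an added example written for this article; it is not Cybereason's code and not part of the original report. It assumes process-creation events (Sysmon Event ID 1 style fields) and Security log events 4720/4728/4732 have already been parsed into dictionaries, and all event records are constructed sample data.

```python
"""Added illustrative detection logic (not from the article or Cybereason):
(1) a web-server worker process spawning a shell that runs host/AD
reconnaissance commands (the web shell behaviour described in the article);
(2) a newly created domain account added to a privileged group shortly after
creation (the rogue high-privileged account pattern). All events below are
constructed sample data."""
from datetime import datetime, timedelta

# Assumed process-name sets; extend to match the web stack actually deployed.
WEB_WORKERS = {"w3wp.exe", "httpd.exe", "nginx.exe", "tomcat.exe", "java.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
# Common host and Active Directory enumeration commands seen in command lines.
RECON_TOKENS = ("whoami", "net user", "net group", "ipconfig", "nltest",
                "dsquery", "tasklist", "query user")
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}


def webshell_recon_hits(proc_events):
    """Return (time, command_line) for shells spawned by a web worker that run recon."""
    hits = []
    for e in proc_events:
        parent = e["parent_image"].rsplit("\\", 1)[-1].lower()
        image = e["image"].rsplit("\\", 1)[-1].lower()
        cmd = e["command_line"].lower()
        if parent in WEB_WORKERS and image in SHELLS and any(t in cmd for t in RECON_TOKENS):
            hits.append((e["time"], e["command_line"]))
    return hits


def rogue_privileged_accounts(sec_events, window=timedelta(hours=24)):
    """Return (account, group) pairs where an account created (4720) is added to a
    privileged group (4728 global / 4732 local) within `window` of its creation."""
    created = {}  # account -> creation time
    flagged = []
    for e in sorted(sec_events, key=lambda x: x["time"]):
        if e["event_id"] == 4720:
            created[e["account"]] = e["time"]
        elif e["event_id"] in (4728, 4732) and e["group"] in PRIVILEGED_GROUPS:
            t0 = created.get(e["account"])
            if t0 is not None and e["time"] - t0 <= window:
                flagged.append((e["account"], e["group"]))
    return flagged


# Constructed sample telemetry (hypothetical hosts, accounts and timestamps).
T0 = datetime(2019, 6, 1, 10, 0, 0)
SAMPLE_PROC_EVENTS = [
    {"time": T0, "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": 'cmd.exe /c "whoami & net group "Domain Admins" /domain"'},
    # Benign: recon-like command, but launched from an interactive desktop.
    {"time": T0 + timedelta(minutes=5), "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd.exe /c ipconfig /all"},
    # Web worker spawning a shell without any reconnaissance command.
    {"time": T0 + timedelta(minutes=6), "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd.exe /c echo ok"},
]
SAMPLE_SEC_EVENTS = [
    {"time": T0 + timedelta(hours=1), "event_id": 4720, "account": "svc_backup2", "group": None},
    {"time": T0 + timedelta(hours=2), "event_id": 4728, "account": "svc_backup2", "group": "Domain Admins"},
    # Long-standing account promoted much later: outside the window, not flagged here.
    {"time": T0 - timedelta(days=400), "event_id": 4720, "account": "jdoe", "group": None},
    {"time": T0 + timedelta(hours=3), "event_id": 4728, "account": "jdoe", "group": "Domain Admins"},
]

if __name__ == "__main__":
    for t, cmd in webshell_recon_hits(SAMPLE_PROC_EVENTS):
        print(f"[web shell recon] {t:%Y-%m-%d %H:%M} {cmd}")
    for acct, grp in rogue_privileged_accounts(SAMPLE_SEC_EVENTS):
        print(f"[rogue privileged account] {acct} added to {grp} shortly after creation")
```

The first rule keys on parent/child process lineage rather than on the command text alone, which is also why the article's point about a Mimikatz variant taking no command-line arguments matters: detections that rely solely on command-line content miss it, whereas lineage-based and account-lifecycle rules still fire.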
China-backed APT10 possibly behind the cyber attacks
According to researchers at Cybereason, while individual hackers usually target organisations that have a large customer base and hold vast amounts of credit card data, bank account information, and more personal data, nation-state hackers usually target systems that contain intellectual property or sensitive information about their clients.
“The data exfiltrated by this threat actor, in conjunction with the TTPs and tools used, allowed us to determine with a very high probability that the threat actor behind these malicious operations is backed by a nation state, and is affiliated with China.
“The threat actor mainly sought to obtain CDR data (call logs, cell tower locations, etc.) belonging to specific individuals from various countries. This type of targeted cyber espionage is usually the work of nation-state threat actors.
“We’ve concluded with a high level of certainty that the threat actor is affiliated with China and is likely state-sponsored. The tools and techniques used throughout these attacks are consistent with several Chinese threat actors, such as APT10, a threat actor believed to operate on behalf of the Chinese Ministry of State Security (MSS),” the researchers said.