A persistent, multiyear attack by a group affiliated with the Chinese government has led to stolen customer data from at least ten telecom service providers around the world, according to media reports and information from the security vendor Cybereason.
Cybereason's CEO Lior Div detailed his firm's discovery of the attacks and its findings at the Cyber Week conference in Tel Aviv. He wouldn't provide any details about which telcos were compromised. "I'm not even going to share the continent," he said, as quoted in The New York Times.
In The Times account of his remarks, Div said his firm was called in to help a cellular service provider and discovered that hackers had broken into its billing server. The hackers used tools and methods that are consistent with several Chinese threat actors. In this case, Cybereason believes it is a group called APT10, which is believed to be a Chinese government operative.
The Chinese hackers appeared to be targeting personal details of about 20 military officials, dissidents, spies and people in law enforcement, The Wall Street Journal reported.
An analysis of the ongoing attacks, the attackers and their methods are detailed in a blog post by Cybereason, the firm that discovered the attacks and alerted the telcos. A video interview from two members of the Cybereason Nocturnus team, the company's group of cybersecurity experts, is on YouTube:
"Once we stopped looking at things as individual executions on separate machines and we said, 'Oh, this thing started here, and then moved here, and then finished here,' we were able to understand that this is something with very big proportions," Amit Serper, principal security researcher at Cybereason told Lodrina Cherne, a Cybereason security analyst, on the video.
The hackers were "attempting to steal all data stored in the active directory, compromising every single username and password in the organization, along with other personally identifiable information, billing data, call detail records, credentials, email servers, geo-location of users, and more," the Cybereason team wrote.
Why this matters
In this case, the methods used and persistence displayed are remarkable. So, too, is the potential damage this group could unleash if telecom service providers don't step up their security efforts.
"The threat actor managed to infiltrate into the deepest segments of the providers' network, including some isolated from the internet, as well as compromise critical assets," the Cybereason team wrote.
To get to a few individuals, this nation-state sponsored group of hackers was apparently able to compromise an entire telecom network. If a group can do that, it can potentially "leverage its unlawful access and control of the network to shut down or disrupt an entire cellular network as part of a larger cyber warfare operation," Cybereason wrote.
"[The companies that] collect people's data can never know which type of data will be considered as an intelligence asset," said Mor Levi, VP of security practices at Cybereason, in the YouTube video. "In telcos, specifically, it is probably well known [that] in the past few years the data that they have is an intelligence asset. But, generally speaking, data is power … it's super important to secure that data -- that's the big thing here."
- Telcos: Security Is Not In Your DNA
- Huawei: We're Not a Threat to Our Customers
- Securing 5G Networks: Making Sense of Security Service Requirements