Cybereason details Operation Soft Cell: A telco security disaster

Security firm reveals an ongoing global attack against telecommunications providers that has been active since at least 2017 and involves a group believed to be working on behalf of the Chinese government.

Phil Harvey, Editor-in-Chief

June 25, 2019


A persistent, multiyear attack by a group affiliated with the Chinese government has led to stolen customer data from at least ten telecom service providers around the world, according to media reports and information from the security vendor Cybereason.

Cybereason's CEO Lior Div detailed his firm's discovery of the attacks and its findings at the Cyber Week conference in Tel Aviv. He wouldn't provide any details about which telcos were compromised. "I'm not even going to share the continent," he said, as quoted in The New York Times.

In The Times account of his remarks, Div said his firm was called in to help a cellular service provider and discovered that hackers had broken into its billing server. The hackers used tools and methods that are consistent with several Chinese threat actors. In this case, Cybereason believes the group is APT10, which is believed to operate on behalf of the Chinese government.

The Chinese hackers appeared to be targeting personal details of about 20 military officials, dissidents, spies and people in law enforcement, The Wall Street Journal reported.

The ongoing attacks, the attackers and their methods are analyzed in detail in a blog post by Cybereason, the firm that discovered the attacks and alerted the telcos. A video interview with two members of the Cybereason Nocturnus team, the company's group of cybersecurity experts, is on YouTube:

"Once we stopped looking at things as individual executions on separate machines and we said, 'Oh, this thing started here, and then moved here, and then finished here,' we were able to understand that this is something with very big proportions," Amit Serper, principal security researcher at Cybereason, told Lodrina Cherne, a Cybereason security analyst, in the video.

The hackers were "attempting to steal all data stored in the active directory, compromising every single username and password in the organization, along with other personally identifiable information, billing data, call detail records, credentials, email servers, geo-location of users, and more," the Cybereason team wrote.

Why this matters
In this case, the methods used and persistence displayed are remarkable. So, too, is the potential damage this group could unleash if telecom service providers don't step up their security efforts.

"The threat actor managed to infiltrate into the deepest segments of the providers' network, including some isolated from the internet, as well as compromise critical assets," the Cybereason team wrote.

To get to a few individuals, this nation-state sponsored group of hackers was apparently able to compromise an entire telecom network. If a group can do that, it can potentially "leverage its unlawful access and control of the network to shut down or disrupt an entire cellular network as part of a larger cyber warfare operation," Cybereason wrote.

"[The companies that] collect people's data can never know which type of data will be considered as an intelligence asset," said Mor Levi, VP of security practices at Cybereason, in the YouTube video. "In telcos, specifically, it is probably well known [that] in the past few years the data that they have is an intelligence asset. But, generally speaking, data is power … it's super important to secure that data -- that's the big thing here."

Phil Harvey, US Bureau Chief, Light Reading

About the Author(s)

Phil Harvey

Editor-in-Chief, Light Reading

Phil Harvey has been a Light Reading writer and editor for more than 18 years combined. He began his second tour as the site's chief editor in April 2020.

His interest in speed and scale means he often covers optical networking and the foundational technologies powering the modern Internet.

Harvey covered networking, Internet infrastructure and dot-com mania in the late 90s for Silicon Valley magazines like UPSIDE and Red Herring before joining Light Reading (for the first time) in late 2000.

After moving to the Republic of Texas, Harvey spent eight years as a contributing tech writer for D CEO magazine, producing columns about tech advances in everything from supercomputing to cellphone recycling.

Harvey is an avid photographer and camera collector – if you accept that compulsive shopping and "collecting" are the same.
