Cybereason details Operation Soft Cell: A telco security disaster

A persistent, multiyear attack by a group affiliated with the Chinese government has resulted in the theft of customer data from at least ten telecom service providers around the world, according to media reports and information from the security vendor Cybereason.

Cybereason's CEO Lior Div detailed his firm's discovery of the attacks and its findings at the Cyber Week conference in Tel Aviv. He wouldn't provide any details about which telcos were compromised. "I'm not even going to share the continent," he said, as quoted in The New York Times.

In The Times' account of his remarks, Div said his firm was called in to help a cellular service provider and discovered that hackers had broken into its billing server. The hackers used tools and methods consistent with several Chinese threat actors; in this case, Cybereason believes the group is APT10, which is believed to operate on behalf of the Chinese government.

The Chinese hackers appeared to be targeting personal details of about 20 military officials, dissidents, spies and people in law enforcement, The Wall Street Journal reported.

An analysis of the ongoing attacks, the attackers and their methods is detailed in a blog post by Cybereason, the firm that discovered the attacks and alerted the telcos. A video interview with two members of the Cybereason Nocturnus team, the company's group of cybersecurity experts, is on YouTube:

"Once we stopped looking at things as individual executions on separate machines and we said, 'Oh, this thing started here, and then moved here, and then finished here,' we were able to understand that this is something with very big proportions," Amit Serper, principal security researcher at Cybereason, told Lodrina Cherne, a Cybereason security analyst, on the video.

The hackers were "attempting to steal all data stored in the Active Directory, compromising every single username and password in the organization, along with other personally identifiable information, billing data, call detail records, credentials, email servers, geo-location of users, and more," the Cybereason team wrote.

Why this matters
In this case, the methods used and persistence displayed are remarkable. So, too, is the potential damage this group could unleash if telecom service providers don't step up their security efforts.

"The threat actor managed to infiltrate into the deepest segments of the providers' network, including some isolated from the internet, as well as compromise critical assets," the Cybereason team wrote.

To get to a few individuals, this nation-state-sponsored group of hackers was apparently able to compromise an entire telecom network. If a group can do that, it can potentially "leverage its unlawful access and control of the network to shut down or disrupt an entire cellular network as part of a larger cyber warfare operation," Cybereason wrote.

"[The companies that] collect people's data can never know which type of data will be considered as an intelligence asset," said Mor Levi, VP of security practices at Cybereason, in the YouTube video. "In telcos, specifically, it is probably well known [that] in the past few years the data that they have is an intelligence asset. But, generally speaking, data is power … it's super important to secure that data -- that's the big thing here."

Phil Harvey, US Bureau Chief, Light Reading

Phil Harvey 6/26/2019 | 4:08:04 PM
Re: What kind of 'ten' are we talking here?
Yes, that's what was said in media briefings, but you asked a good question re affiliates that we can't really get more info on (yet).

The WSJ reporting said ten service providers. The NY Times quoted Cybereason's CEO as saying that the compromise of its customer eventually led it to about 10 other firms that had been hit in a similar way, with hackers stealing data in 100-gigabyte chunks.

The only kind of company discussed by Cybereason in its materials, video and security report was telecom service providers, but the company won't comment on affiliate relationships because that'd make it easier to narrow down which firm was compromised initially.

HardenStance 6/26/2019 | 9:49:54 AM
What kind of 'ten' are we talking here?
First, kudos to Cybereason for this great work.

That said, I'm a little wary of the "ten" number that's being used about the number of service providers targeted.

I've read Cybereason's superbly detailed report on Softcell a couple of times now. No mention of "ten" service providers anywhere. At least not that I can see.

Presumably that number has been shared by Cybereason in media briefings?

This is telco-land, here, so there are different kinds of 'ten'.

Is this ten unique telcos or is it actually just one telco group with ten affiliates?

Big difference.

Maybe LR could put in a call?

James_B_Crawshaw 6/26/2019 | 4:17:37 AM
Operation Soft Cell
Say hello, wave goodbye