China's Hackers Accused Of 'Mass-Scale Espionage' Attack On Global Cellular Networks
An Israeli-U.S. cybersecurity firm, Cybereason, released a new report on Monday evening, claiming that “nation-state” hackers had compromised the systems of at least ten cellular carriers around the world to steal metadata related to specific users. Although unconfirmed, both the targeted individuals and the hackers are believed to be linked to China.
None of the affected carriers or targeted individuals have been named.
Cybereason claimed that the sophistication and scale of the attack, which it has dubbed Operation Soft Cell, bear the hallmarks of a nation-state action and that the individual targets—military officials and dissidents—are tied to China. All of which points to the Chinese government as the likely culprit. The affected carriers were in Europe, Africa, the Middle East and Asia. None were thought to be in the United States.
“The advanced, persistent attack targeting telecommunications providers,” the company said, “has been active since at least 2017… The threat actor was attempting to steal all data stored in the active directory, compromising every single username and password in the organization, along with other personally identifiable information, billing data, call detail records, credentials, email servers, geo-location of users, and more.”
The attack was described in the report as a “game of cat and mouse between the threat actor and the defenders.” As soon as the compromise of “critical assets, such as database servers, billing servers, and the active directory” was detected, “the threat actor stopped the attack” only to resume later.
The implications of a nation-state “infiltrating into the deepest segments of providers’ network, including some isolated from the internet,” enabling hackers to “compromise critical assets and steal communications data of specific individuals in various countries” are extremely significant. They suggest almost open access for intelligence harvesting.
Cybereason also pointed out that “even though the attacks targeted specific individuals, any entity that possesses the power to take over the networks of telecommunications providers can potentially leverage its unlawful access and control of the network to shut down or disrupt an entire cellular network as part of a larger cyber warfare operation.”
According to the Wall Street Journal, “Cybereason Chief Executive Lior Div gave a weekend, in-person briefing about the hack to more than two dozen other global carriers. For the firms already affected, the response has been disbelief and anger, Mr. Div said. ‘We never heard of this kind of mass-scale espionage ability to track any person across different countries’.”
The nature of the data reportedly harvested in the attack is of real value to intelligence agencies, which analyze the metadata for patterns. Even if the call or messaging content is not retrieved, analysis of who talks to whom, when, how often, for how long and from where is a rich seam to be mined. In essence, every piece of metadata the networks collected from registered smartphones was potentially exposed. And once the network’s core security was compromised, the attackers were effectively operating as insiders.
In the U.S. and U.K., when national intelligence agencies “hoover up” such data or lobby for additional collection legislation to enable them to do so, there is inevitably a privacy backlash. And this collection campaign has gone beyond anything a national agency would openly ask for. The WSJ reported that “Operation Soft Cell gave hackers access to the carriers’ entire active directory, an exposure of hundreds of millions of users… [with] the hackers creating high-privileged accounts that allowed them to roam through the telecoms’ systems, appearing as if they were legitimate employees.”
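The pattern the WSJ describes, newly created accounts that are promptly granted high privileges so the intruders blend in with legitimate staff, is one of the few things in a compromised Active Directory that a defender can reasonably hunt for in the security log. The following is an added detection example written for this page; it is not taken from the Cybereason report or from any of the carriers' tooling. It correlates Windows Security event 4720 (user account created) with a later 4728 or 4732 (member added to a security-enabled group) for the same account SID within a short window, and alerts when the group is one of the well-known privileged groups (Domain Admins RID 512, Enterprise Admins 519, Schema Admins 518, built-in Administrators S-1-5-32-544). The event IDs and SIDs are the documented Windows values; the log records, account names and domain SID are constructed for illustration.

```python
# Added example: correlate Windows Security events to surface "created, then
# quickly made privileged" accounts. Event IDs and well-known SIDs are the
# documented Windows ones; the sample log below is constructed, not real data.
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Domain-relative RIDs of privileged groups, plus the built-in Administrators SID.
PRIVILEGED_RIDS = {"512": "Domain Admins", "519": "Enterprise Admins", "518": "Schema Admins"}
PRIVILEGED_BUILTIN = {"S-1-5-32-544": "Administrators"}


def privileged_group_name(group_sid: str) -> Optional[str]:
    """Return the group's name if the SID denotes a privileged group, else None."""
    if group_sid in PRIVILEGED_BUILTIN:
        return PRIVILEGED_BUILTIN[group_sid]
    # Domain SIDs look like S-1-5-21-<three sub-authorities>-<RID>.
    if group_sid.startswith("S-1-5-21-"):
        rid = group_sid.rsplit("-", 1)[-1]
        return PRIVILEGED_RIDS.get(rid)
    return None


def detect_fast_privilege_grants(events: List[Dict],
                                 window: timedelta = timedelta(hours=24)) -> List[Dict]:
    """Pair each 4720 (account created) with a later 4728/4732 (member added to a
    group) for the same SID inside `window`; alert when the group is privileged."""
    created: Dict[str, Dict] = {}      # target account SID -> its 4720 event
    alerts: List[Dict] = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["event_id"] == 4720:
            created[ev["target_sid"]] = ev
        elif ev["event_id"] in (4728, 4732):
            group = privileged_group_name(ev["group_sid"])
            origin = created.get(ev["member_sid"])
            if group and origin and ev["time"] - origin["time"] <= window:
                alerts.append({
                    "account": origin["target_account"],
                    "group": group,
                    "created_by": origin["subject_account"],
                    "granted_by": ev["subject_account"],
                    "minutes_between": (ev["time"] - origin["time"]) / timedelta(minutes=1),
                })
    return alerts


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample: a hypothetical domain SID and hypothetical account names.
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_EVENTS = [
    # Routine: helpdesk creates an ordinary user that is never made privileged.
    {"time": _t("2019-03-02T08:15:00"), "event_id": 4720, "subject_account": "helpdesk01",
     "target_account": "jsmith", "target_sid": f"{DOMAIN}-1182"},
    # Suspicious: a new account is added to Domain Admins six minutes after creation,
    # late at night, by a service account.
    {"time": _t("2019-03-02T23:41:10"), "event_id": 4720, "subject_account": "svc_backup",
     "target_account": "svc_monitor2", "target_sid": f"{DOMAIN}-1190"},
    {"time": _t("2019-03-02T23:47:32"), "event_id": 4728, "subject_account": "svc_backup",
     "member_sid": f"{DOMAIN}-1190", "group_sid": f"{DOMAIN}-512"},
    # Benign: the ordinary user is added to a non-privileged group.
    {"time": _t("2019-03-03T09:02:00"), "event_id": 4728, "subject_account": "helpdesk01",
     "member_sid": f"{DOMAIN}-1182", "group_sid": f"{DOMAIN}-1301"},
    # Not paired: Administrators membership for an account whose creation is not in this log.
    {"time": _t("2019-03-03T10:30:00"), "event_id": 4732, "subject_account": "admin.ops",
     "member_sid": f"{DOMAIN}-1050", "group_sid": "S-1-5-32-544"},
]

if __name__ == "__main__":
    for a in detect_fast_privilege_grants(SAMPLE_EVENTS):
        print(f"ALERT: {a['account']} created by {a['created_by']}, added to {a['group']} "
              f"by {a['granted_by']} after {a['minutes_between']:.1f} min")
```

Run against the constructed sample, only the svc_monitor2 account is flagged: jsmith never joins a privileged group, and the Administrators grant for RID 1050 has no matching creation event in the log. In a real deployment the same join would be written as a SIEM correlation rule; the window should be tuned to the organisation's provisioning practice, and the last case (privileged grant without a visible creation) is worth a lower-severity alert of its own.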
Cybereason pointed towards China’s APT10—Advanced Persistent Threat 10—as the likely hackers behind this attack. The group is known for long-term, persistent campaigns, harvesting information much as an intelligence agency would. And this campaign is thought to have been running for as long as seven years. Coincidentally, NASA, one of the previous targets of APT10, confirmed in recent days that it had also been hacked, a compromise which again bears nation-state hallmarks.
“Cybereason said it couldn’t be ruled out that a non-Chinese actor mirrored the attacks to appear as if it were APT 10,” reported the WSJ, “as part of a misdirection. But the servers, domains and internet-protocol addresses came from China, Hong Kong or Taiwan… All the indications are directed to China.”
FireEye and CrowdStrike, the cybersecurity firms that have painted the most complete profile of APT10, told Wired that “they couldn’t confirm Cybereason’s findings, but that they have seen broad targeting of cellular providers including by Russian and Iranian state-sponsored hackers, both for tracking individuals and for bypassing two-factor authentication, intercepting the SMS messages sent to phones as a one-time passcode.”
Two hackers allegedly linked to APT10 were indicted on federal charges in the U.S. last year.
The fact that a Chinese state hacking outfit might have targeted cellphone metadata will clearly be tied to the ongoing U.S. campaign against Chinese telecoms equipment manufacturers in general, and Huawei in particular. The argument will now run that this is exactly the kind of exposure that arises, at least in theory, if the Chinese government can use its influence over domestic companies to pull intelligence from overseas networks.
“We’ve concluded with a high level of certainty,” Cybereason claimed on issuing its report, “that the threat actor is affiliated with China and is likely state-sponsored. The tools and techniques used throughout these attacks are consistent with several Chinese threat actors, specifically with APT10, a threat actor believed to operate on behalf of the Chinese Ministry of State Security.”