Researchers at Cybereason uncovered an ongoing, long-running espionage campaign, tracked as Operation Soft Cell, that targets telco providers. The tactics, techniques, and procedures, together with the type of targets, suggest the involvement of a nation-state actor likely linked to the Chinese APT10 group.
Once they have compromised the networks of telecommunication companies, attackers can access mobile phone users’ call data records.
“Based on the data available to us, Operation Soft Cell has been active since at least 2012, though some evidence suggests even earlier activity by the threat actor against telecommunications providers. The attack was aiming to obtain CDR records of a large telecommunications provider.” reads the report published by Cybereason.
“The threat actor was attempting to steal all data stored in the active directory, compromising every single username and password in the organization, along with other personally identifiable information, billing data, call detail records, credentials, email servers, geo-location of users, and more.”
According to Amit Serper, head of security research at Cybereason, attackers
Experts explained that
The attack scenario sees the hackers planting a malicious web shell, identified as a modified version of the China Chopper web shell, on an IIS server; the web shell was used to run reconnaissance commands, steal credentials, and deploy other hacking tools.
The hackers also used a modified version of Nbtscan to determine the availability of NetBIOS name servers locally or over the network. The attackers also used multiple Windows built-in tools (such as whoami, net.exe, ipconfig, netstat, and portqry) as well as WMI and PowerShell commands.
The threat actors also used the Poison Ivy RAT to maintain long-term access across the compromised network, and a modified version of Mimikatz to dump credentials. WMI and PsExec were used by the hackers for lateral movement, while WinRAR was used to compress and password-protect stolen data, and a modified version of hTran was used to exfiltrate the data.
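As an added detection example (not from the Cybereason report or this article): the IIS web shell described above executes its reconnaissance commands as child processes of the IIS worker process, w3wp.exe. The Python script below scans constructed process-creation log lines (the one-line-per-event format is an assumption, not a real product's layout) and flags the built-in tools named above whenever w3wp.exe is their parent, directly or through cmd.exe.

```python
"""Flag reconnaissance commands spawned by the IIS worker process.

A web shell on IIS runs commands as children of w3wp.exe, so w3wp.exe
launching whoami, net.exe, ipconfig, netstat or portqry (directly or
via cmd.exe) is a strong indicator. Log format and lines are constructed.
"""
import re

RECON_TOOLS = {"whoami.exe", "net.exe", "ipconfig.exe", "netstat.exe", "portqry.exe"}
IIS_WORKER = "w3wp.exe"  # IIS worker process; parent of web shell commands

LINE_RE = re.compile(r'^(?P<ts>\S+) host=(?P<host>\S+) parent=(?P<parent>\S+) '
                     r'image=(?P<image>\S+) cmd="(?P<cmd>[^"]*)"$')

def parse_event(line):
    """Return a dict of fields for one event, or None if unparseable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["parent_name"] = ev["parent"].rsplit("\\", 1)[-1].lower()
    ev["image_name"] = ev["image"].rsplit("\\", 1)[-1].lower()
    return ev

def is_webshell_recon(ev):
    """True if the IIS worker spawned a recon tool, or cmd.exe running one."""
    if ev["parent_name"] != IIS_WORKER:
        return False
    if ev["image_name"] in RECON_TOOLS:
        return True
    if ev["image_name"] == "cmd.exe":
        tokens = re.findall(r"[a-z0-9.]+", ev["cmd"].lower())
        return any(t in RECON_TOOLS or t + ".exe" in RECON_TOOLS for t in tokens)
    return False

def scan(log_text):
    """Return the suspicious events in log_text, in order of appearance."""
    events = (parse_event(l) for l in log_text.splitlines() if l.strip())
    return [ev for ev in events if ev and is_webshell_recon(ev)]

SAMPLE_LOG = """\
2019-06-25T10:01:02Z host=web01 parent=C:\\Windows\\System32\\inetsrv\\w3wp.exe image=C:\\Windows\\System32\\cmd.exe cmd="cmd.exe /c whoami"
2019-06-25T10:01:05Z host=web01 parent=C:\\Windows\\System32\\inetsrv\\w3wp.exe image=C:\\Windows\\System32\\net.exe cmd="net.exe user /domain"
2019-06-25T10:02:00Z host=web01 parent=C:\\Windows\\explorer.exe image=C:\\Windows\\System32\\ipconfig.exe cmd="ipconfig /all"
2019-06-25T10:03:00Z host=web01 parent=C:\\Windows\\System32\\inetsrv\\w3wp.exe image=C:\\Windows\\System32\\inetsrv\\w3wp.exe cmd="w3wp.exe -ap DefaultAppPool"
"""

if __name__ == "__main__":
    for ev in scan(SAMPLE_LOG):
        print(f"ALERT {ev['ts']} {ev['host']}: {IIS_WORKER} -> {ev['cmd']}")
```

Only the first two sample events are flagged: the ipconfig run comes from explorer.exe, and the last event is an ordinary IIS worker start rather than a reconnaissance tool.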
Experts believe that hundreds of millions of mobile phone users around the world have been affected, including foreign intelligence agents, politicians, and opposition candidates who were targeted for espionage.
“Beyond targeting individual users, this attack is also alarming because of the threat posed by the control of a telecommunications provider. Telecommunications has become
“This attack has widespread implications, not just for individuals, but also for organizations and countries alike.”