Cybereason uncovers massive state-sponsored espionage operation leveraging privately owned, critical infrastructure companies

Its investigation reveals how hackers stole the billing data, call detail records and credentials of high-profile individuals, and tracked their locations and texts.

Johannesburg, 25 Jun 2019

Cybereason, creators of the leading Cyber Defense Solution, today unveiled results from Operation Soft Cell, an investigation into a massive, advanced espionage campaign targeting nearly a dozen global telecommunications providers. Cybereason’s nearly year-long investigation discovered that commercial, privately owned, critical infrastructure companies are tools being used in state-sponsored espionage and cyber war.

“The operation against cellular providers is at a massive scale. This advanced attack used a low-and-slow attack paradigm which circumvents almost all detection capabilities in the market today,” said Lior Div, Cybereason’s CEO and co-founder. “This isn’t a smash-and-grab campaign to steal money or social security numbers. These hackers have very specific motives and are running a highly targeted, persistent operation to own the networks and track a very targeted list of high-profile individuals on different continents.”

The state-sponsored adversaries stole personally identifiable information such as billing data, call detail records and credentials. The damage to the targeted individuals can go all the way to fully tracking locations, meetings and texts. Hundreds of gigabytes of call data records were stolen each time the hackers exfiltrated data.

“This isn’t one breach, but a series of sophisticated and targeted breaches. What is really troubling is that this is an example of being hacked and not knowing it, because the victims aren’t aware and have no way to trace the attack,” said Mor Levi, Cybereason's vice-president, global security services.

Operation Soft Cell key takeaways:

Operation Soft Cell is a global, nation state-backed operation against multiple cellular providers that has been under way for years. The low-and-slow approach used by the attackers circumvents existing detection technologies on the market today; the activity can be found only with very specific monitoring and correlation capabilities.

With this campaign, attackers completely took over the IT network and were able to customise the IT infrastructure for their convenience, complete with their own VPN inside of the network.

The attackers exfiltrated complete Active Directory databases, compromising every username and password hash in the domain. In addition, other personally identifiable information such as billing data, call detail records and credentials was stolen.

The tools and TTPs involved in this operation are commonly associated with the Chinese threat actor APT10. However, since some of these tools were disclosed, dumped and even open-sourced in some cases, they are available to the general public.

Critical infrastructure relies on cellular communication. With this level of access, attackers can passively collect whatever they want, or they can choose to shut down entire networks. Foreign powers can use this to interfere with critical infrastructure in another country.

“Essentially, the hackers have access to geolocation information about individuals, knowing their exact movements by day and night. If the individuals travel overseas, the hackers know it. The hackers can use this information to identify a convenient time in operations and campaigns they are carrying out,” said Amit Serper, Cybereason's senior director, head of security research.

Read the research for Operation Soft Cell here


Editorial contacts

Bill Keeler
Senior Director, Global Public Relations
(929) 259 3261
bill.keeler@cybereason.com