Hackers have infiltrated more than a dozen global mobile carriers

26 Jun 2019


Cybereason has released a report into a large hacking operation that has seen more than a dozen mobile carriers in Europe, the Middle East, Africa and Asia infiltrated.

Cybersecurity company Cybereason has discovered a vast hacking operation in which threat actors infiltrated more than a dozen mobile carriers around the globe for years. Dubbed Operation Soft Cell, the attack has been active since 2012, though some evidence indicates that activity began even earlier than that.

The cybercriminals were attempting to steal all data stored in Active Directory, such as usernames and passwords. The attack also targeted other sensitive personal information such as billing data, call detail records, credentials, geolocation of users and more. The operation affected phone providers in Europe, Africa, Asia and the Middle East, and siphoned off hundreds of gigabytes of data.

“They have all the usernames and passwords and created a bunch of domain privileges for themselves with more than one user,” said Amit Serper, Cybereason’s head of security research, speaking to CNet. “They can do whatever they want. Since they have such access, they could shut down the network tomorrow if they wanted to.”

Cybereason’s research concluded that though they had the potential to take down networks, attackers were more focused on espionage than disruption.

Possible Chinese link

The report added that the threat actor could be affiliated with China and that the attack was “likely state-sponsored”.

“The tools and techniques used throughout these attacks are consistent with several Chinese threat actors, specifically with APT10, a threat actor believed to operate on behalf of the Chinese Ministry of State Security,” the report said.

The attackers leveraged a web shell running on a public-facing server to gather information about the networks in their crosshairs. Cybereason goes on to say that its investigation later classified the web shell as a customised version of the China Chopper web shell, malware that has been employed by multiple hacker groups over the past few years and is frequently associated with Chinese hackers.

The researchers were quick to point out, however, the possibility that someone is merely trying to frame APT10, as the malware and servers used have been leaked and are therefore publicly available, making it possible to masquerade as the group.

The Chinese embassy in Ireland could not be reached for comment at time of publication, though China has previously denied the accusations in public statements on the matter.

Going forward

Cybereason said it has reached out to all affected mobile carriers, though it is unclear what fixes have been implemented at this time.

Researcher Mor Levi has advised that all mobile carriers strictly monitor internet-facing properties, particularly services, and look for accounts that have high-privilege access.

In 2018, as many as 30pc of telecoms companies reported that sensitive customer information had been stolen due to an attack, Cybereason claims. The investigation into this attack is ongoing.

Eva Short was a journalist at Silicon Republic
