A long-term, large scale attack targeting telecom companies around the world has been discovered. The attack, dubbed Operation Soft Cell by security firm Cybereason, saw hundreds of gigabytes of information exfiltrated. The company claims the attackers had total control of compromised networks and could have easily brought down entire cellular networks if they so wished.

“Cellular service is a critical infrastructure nowadays,” says Amit Serper, principal security researcher at Cybereason and author of the report. “What really worries me is the amount of access they have — the complete access they have to the network. The worst thing they can do is sabotage it and one day just shut down the whole network.”

Cybereason has not named the ten telcos involved, but Serper says they span Europe, Asia, Middle East and Africa. The company says it has not yet found evidence of North American companies being compromised.

The company is attributing the attack to the Chinese-affiliated APT10 threat actor based on the similarity of tools, tactics, and procedures used in previous attacks attributed to the group.

Threat actors gain “complete control” of telecom networks

According to Cybereason, the attackers have exfiltrated over 100GB of information mostly in the form of call detail records (CDRs), likely on behalf on an intelligence agency, potentially over a time period spanning seven years. “It's a sophisticated attack and not a noisy activity,” says Serper. “This is a strategic operation for an intelligence gathering agency.”

CDRs include call and messaging logs, device information and tower location data that could provide a physical location for a phone and its owner. This metadata, while not providing information on the content of calls and messages being sent, can provide a detailed picture of a person’s movements and personal network, suggesting the work was done for intelligence rather than financial reasons. “These records have basically all the raw information and raw metadata that your phone is sending and receiving to and from the cellular network itself.

The attackers reportedly gained access via a vulnerable public-facing server, before conducting reconnaissance and propagating across the network. By compromising credentials, they were able to create high-privileged domain user accounts. “They have their own domain admin accounts, they have already exfiltrated the entire Active Directory database, so they have access to every single record in the Active Directory.”

Though it seems the threat actors’ goals was intelligence gathering, the group had complete control of the network and could have shut down services if they so desired. “They have complete control on the network. Today they're siphoning out CDR, but tomorrow they can shut down the network if they want.”

Intelligence gathering could be ongoing

The group targeted at least 20 individuals specifically for their respective CDR information, suggesting this was a highly targeted attack on behalf on an agency, rather than anything opportunistic. “They weren't after payment data, they didn't steal any credit cards,” says Serper. “They stole CDR, which is something that is very, very, very specific, and, from my previous life working for an intelligence agency, associated with intelligence gathering and is very useful for intelligence agencies.”

Cybereason has been investigating this operation for nine months and has notified both its customers and any other companies that it identified as being potentially compromised. As investigations are still ongoing, the company couldn’t say if the attacks have been remediated on affected networks.

Indicators of compromise have not been released as Serper says the targeted nature of these attacks will reveal the victims but says Cybereason did recently meet with leaders of the 25 biggest telcos globally to provide them details of the attack.

“Companies should audit who has access to their databases that hold the CDR and monitor them very closely,” advises Serper. “Make sure that all of the external facing servers are fully patched and there's no vulnerable code on them.”

Who is APT10?

While attribution is difficult in such circumstances and the attack could have been conducted by another group using copycat tactics, Cybereason says it can claim “with very high probability” that this attack was a nation-state or nation-state-backed threat actor, with the company confident that it was likely APT10.

“The tools and the behavior and the procedures, the tactics, everything points to China and actually points to a specific group. We think that it is APT10, but it could also be APT3,” says Serper.

APT10, also known as Menupass Team, has been active since at least 2009, and is thought to be working on behalf of China. The group has previously targeted construction and engineering, aerospace and telecom firms, as well as governments in the US, Europe, and Japan.

In 2016 they were named as being behind a campaign targeting managed service providers (MSPs) dubbed Operation Cloud Hopper by PwC. Associated malware includes Haymaker, Snugride, Bugjuice and Quasarrat. In December 2018, two Chinese individuals accused of being part of APT10 and working with China’s Ministry of State Security were indicted by the US Department of Justice.

For this attack, the group used customized versions of known tools, many of which are regularly used in attacks attributed to Chinse-linked threat actors. These include a customized version of the Poison Ivy Remote Access Tool (RAT), the China Chopper web shell, a modified nbtscan tool, and a “very highly modified and customized” version of credential stealing tool Mimikatz.

Serper says as well as ensuring the tools worked in the environments they were targeting, many of the modifications were to avoid detection by security products. The group moved slowly, sometimes waiting months between actions. “This is what we call a low and slow attack. Sometimes they need to customize the tools in order for their tools to work properly inside the network, sometimes they may think that they were detected so they changed a few things so they won't be detected.”

Cybereason believe the attackers could have been on compromised networks for as long as seven years. “In some of the breaches, we found older versions of malware that correspond with breaches that date as far back as seven years ago to 2012.”

While that might not be a clear indicator of the timing of the attack, the threat actors were present long enough to feel it was worth installing their own VPN system to have easier access to the networks.

“It's very brazen. If they've been in the network for seven years, and their access still exists, maybe they think that they're untouchable and they get a little bit cocky. Who wouldn't after seven years?”

Telecoms need to up their cybersecurity game

While much of the recent focus on 5G and telecom security has been on Huawei, this attack shows telecom companies are still playing catch up around security ahead of the next generation of cellular connectivity. According to EfficientIP’s 2018 Global DNS Threat report, a third of telecom companies had lost sensitive customer information in the last 12 months.

At a recent event, NCSC CEO Ciaran Martin claimed, “There is a structural and sustained problem in the way telecommunications markets have worked in the past which has not incentivized sufficiently good cyber security. We need to use this opportunity to change fundamentally the way we do telecommunications security to bake in cyber security and resilience into our infrastructure. So, there’s much more to 5G security than Huawei.”

When asked if poor security contributed to the success of Operation Soft Cell, Serper defended the telcos. “If a nation-state is interested in getting in somewhere, they will get in. It's just a matter of time and the amount of effort and resources that they want to put in. Eventually, it will happen and they will gain access. I don't think that it necessarily says anything about the security posture of the attacked organization.”