Written by Sean Lyngaas

Chinese hackers have hit the soft underbelly of global telecommunications companies to siphon off hundreds of gigabytes of data, according to an investigation by security company Cybereason.

The long-running hacking campaign, which has breached about 10 cellular providers in Africa, Europe, the Middle East and Asia, bears all the hallmarks of an intelligence operation, Cybereason researchers said. In one instance, the spies targeted roughly 20 customers of a cellular provider.

“No one siphons out hundreds of gigabytes of data about a very specific amount of individuals unless it’s for intelligence [purposes],” said Amit Serper, principal security researcher at Cybereason, which published research on the campaign Tuesday.“The attackers knew exactly what they were after.”

Cybereason declined to name the breached telecommunications providers, but said they had hundreds of millions of customers in total.

Since at least 2017, the hackers have burrowed their way, computer by computer, deep into the victim organizations until they had access to records that included caller location and identity, phone call length, and the amount of data sent between callers. The attackers eventually set up their own domain administration accounts and installed a virtual private network (VPN) on the victim’s server – crowning themselves the “de facto shadow IT department” for the victim organization, Serper told CyberScoop.

Working backward from one of its customers, which was a victim, Cybereason traced the campaign to some nine other telecom firms. To do that, analysts dumped one of the hacking tools they found on their client’s network and looked for clues buried in the code. Serper said he started to find the same code in other malware samples, and was able to stitch together a pattern by tracing the malware back to similar computer servers.

Cybereason analysts found hacking tools such as a modified web shell and a remote access trojan that are commonly associated with, but not unique to, Chinese hackers. While not ruling out a possible false flag or copycat, the analysts concluded with a “high level of certainty” that the campaign was state-sponsored and affiliated with China.

The Chinese Embassy in Washington did not respond to a request for comment.

In collecting troves of personal caller data, telecommunications providers are natural targets for spies. Documents leaked by former National Security Agency contractor Edward Snowden revealed the agency collected call records from American telecom firms in bulk. The Trump administration is reportedly weighing whether to end a successor to that “metadata” program, but the agency’s mandate for foreign intelligence collection allows it to target foreign telecommunications firms.

The alleged Chinese espionage hasn’t shown any signs of subsiding. Serper said he discovered a new victim last week, and that the most recent exfiltration of data was about eight weeks ago.

“I think I’m a long way from being done,” said Serper, who has been on the case for months.