Hackers believed to be backed by China’s government have infiltrated the cellular networks of at least 10 global carriers, swiping users’ whereabouts, text-messaging records and call logs, according to a new report, amid growing scrutiny of Beijing’s cyberoffensives.

The multiyear campaign, which is continuing, targeted 20 military officials, dissidents, spies and law enforcement—all believed to be tied to China—and spanned Asia, Europe, Africa and the Middle East, says Cybereason Inc., a Boston-based cybersecurity firm that first identified the attacks. The tracked activity in the report occurred in 2018.

The cyberoffensive casts a spotlight on a Chinese group called APT 10; two of its alleged members were indicted by the U.S. Department of Justice in December for broad-ranging hacks against Western businesses and government agencies. Cybereason said the digital fingerprints left in the telecom hacks pointed to APT 10 or a threat actor sharing its methods.

“We never heard of this kind of mass-scale espionage ability to track any person across different countries,” said Cybereason Chief Executive Lior Div.

Mr. Div gave a weekend, in-person briefing about the hack to more than two dozen other global carriers. For the firms affected, the response has been disbelief and anger, he said.


The Wall Street Journal was unable to independently confirm the report. Cybereason, which is run by former Israeli counterintelligence members, declined to name the individuals or the telecom firms targeted, citing privacy concerns.

China has consistently denied perpetrating cyberattacks, calling itself a victim of hacks by the U.S. and other countries. China’s Foreign Ministry didn’t respond to a faxed request to comment. The Ministry of State Security wasn’t reachable for comment.

The identities of the 20 individuals allegedly targeted by China couldn’t be learned. The country often tracks overseas political dissidents and other persons of interest digitally and in person, according to cybersecurity experts and human-rights activists.

The hacking campaign—which Cybereason calls “Operation Soft Cell”—represents one of the most far-reaching recent offenses against a telecom industry under pressure, Mr. Div said. Around three of every 10 global carriers have had sensitive information stolen from hacking attacks, according to a 2018 report by EfficientIP, a Philadelphia-based cybersecurity firm.


Operation Soft Cell gave hackers access to the carriers’ entire active directory, an exposure of hundreds of millions of users, Cybereason said. The hackers created high-privileged accounts that allowed them to roam through the telecoms’ systems, appearing as if they were employees.

The work of nation-state groups like APT 10 tends to be covert and focus on gathering intelligence—a contrast with organized crime rings that shut down websites or pilfer networks seeking monetizable assets, such as bank accounts or credit-card data.

“Nation-state groups are no doubt the top of the food chain,” said Larry Lunetta, a vice president of security solutions marketing at Aruba, a part of Hewlett Packard Enterprise Co. “The behaviors they exhibit generally would never have been seen before or may not look different to normal activity.”

Cybereason Chief Executive Lior Div. Photo: Kiyoshi Ota/Bloomberg News

The rollout of next-generation 5G networks globally has stoked national-security fears that the new technology could be vulnerable to hacking. Operation Soft Cell largely unfolded on existing 4G LTE networks, though the incident reveals fresh vulnerabilities.


The campaign used APT 10-linked procedures and techniques, including a web shell used to steal credentials and a remote-access tool, said Amit Serper, Cybereason’s head of security research.

Cybereason said it couldn’t be ruled out that a non-Chinese actor mirrored the attacks to appear as if it were APT 10, as part of a misdirection. But the servers, domains and internet-protocol addresses came from China, Hong Kong or Taiwan, Mr. Div said. “All the indications are directed to China,” he said.

The APT 10 group, also known as cloudhopper, is believed by cybersecurity experts to be backed by China’s government based on its history of going after data that is strategic and not immediately monetizable. The group has been less visibly active this year following the Justice Department indictments, though is likely still around, said Ben Read, senior manager of cyber espionage analysis at FireEye Intelligence.

“They’re one of the most active China groups we track,” Mr. Read said.


China-based hackers have consistently targeted U.S. businesses over the years, although the frequency of attacks declined after a 2015 cease-fire on economic espionage signed by President Obama and President Xi Jinping.

Other countries, including Australia, Japan and the United Kingdom, have accused China of attempting to hack their government agencies and local companies.

Cybereason says Operation Soft Cell didn’t involve real-time snooping, meaning hackers weren’t listening in on calls or reading text messages.

Instead, the hackers obtained all-data records that reveal where individuals go and whom they contact —invaluable information for foreign intelligence agencies eager to learn a person’s daily commute or their confidantes.

“They owned the entire network,” Mr. Serper said.

With precise movements, the hackers breached telecom companies’ networks through traditional spear phishing emails and other tactics, Cybreason says.

Once inside, the hackers stole login credentials, identifying computers or accounts with access to the servers containing the call-data records. They cloaked themselves even more by creating admin accounts and covering their digital tracks with virtual private networks, or VPNs, which made the behavior appear as if it had come from legitimate employees.

Cybereason discovered the hacks by sniffing out unusual network traffic between a computer and the call-data record databases. The researchers detected activity dating as far back as 2012.

Some telecom firms have alerted users of the breach, per local regulations, though it is unclear if all of them have, Mr. Div said.

Write to Timothy W. Martin at timothy.martin@wsj.com and Eva Dou at eva.dou@wsj.com