Operation Soft Cell campaign targets cellular telecom providers, points to China’s APT10

A threat actor using tools and techniques associated with APT10, the Chinese hacking group, and aimed at global cellular telecommunications providers completely took over at least one provider’s network in its efforts to obtain data on very specific, high-value targets, according to a report from the Cybereason Nocturnus team.

Operation Soft Cell, active since at least 2017, launched multiwave attacks on targets and after taking over the IT network, tailored the infrastructure to suit its needs, even “brazenly” inserting its own VPN within the network, Amit Serper, head of security research for Cybereason Nocturnus, told SC Media.

As a result of the initiative, the hackers tapped Active Directory for all the data stored there and compromised all of the telecommunication provider’s username and password information, as well as PII such as credentials, billing data, call detail records, email servers and user geolocation data.

“They were siphoning obscene amounts of data out of there,” said Serper, noting that attackers concentrated on call detail records (CDR), which can be used to determine not only who compromised accounts are talking to but geolocation information as well.

Cybereason researchers discovered the advanced persistent attack when working with a new customer, a cellular provider. “We started seeing weird things in their environment,” said Serper of what eventually turned out to be a sprawling campaign affecting more than a dozen telecom providers.

The Nocturnus team spotted a malicious web shell on an IIS server, running out of the w3wp.exe worker process; it was later identified as a modified China Chopper web shell that Serper said “provided the gateway into the company’s environment.”

The threat actor then dumped specific hives, such as the SAM hive that houses password hashes, from the Windows Registry. After mapping the network and obtaining credentials, the hackers moved laterally through the network, compromising such critical assets as database and production servers. They took control of the Domain Controller and used WMI and PsExec to install their tools across the network.
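The intrusion chain described in the two paragraphs above (a web shell running under the IIS worker process, registry hive export, then WMI and PsExec for lateral movement) maps onto a few process-creation patterns a SOC can alert on. The following is an added detection example written for this article; it is not code from Cybereason, SC Media or the report. The event fields, rule names and log lines are constructed for illustration and assume process-creation telemetry (for example Sysmon event ID 1) has already been parsed into parent image, image and command line.

```python
# Added example, not from the article or Cybereason's report: flag the
# process-creation patterns behind each stage the article describes.
# Field names and sample events below are assumptions for illustration.
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ProcEvent:
    host: str
    parent: str    # parent process image name (assumed field)
    image: str     # created process image name (assumed field)
    cmdline: str   # full command line (assumed field)


SHELLS = {"cmd.exe", "powershell.exe"}
SENSITIVE_HIVES = ("hklm\\sam", "hklm\\security", "hklm\\system")

# Constructed sample telemetry (not real logs): one event per stage, plus
# two benign events that must not fire.
SAMPLE_EVENTS = [
    # Stage 1: web shell executing commands under the IIS worker process
    ProcEvent("web01", "w3wp.exe", "cmd.exe", 'cmd.exe /c "whoami"'),
    # Stage 2: exporting the SAM hive (password hashes) from the registry
    ProcEvent("web01", "cmd.exe", "reg.exe", r"reg save HKLM\SAM C:\Windows\Temp\sam.hiv"),
    # Benign: a registry query is not a hive export
    ProcEvent("web01", "cmd.exe", "reg.exe", r"reg query HKLM\Software\Microsoft\Windows"),
    # Stage 3: PsExec service installed on a remote host
    ProcEvent("dc01", "services.exe", "PSEXESVC.exe", "PSEXESVC.exe"),
    # Stage 3: WMI provider host spawning a shell (remote WMI execution)
    ProcEvent("app03", "WmiPrvSE.exe", "powershell.exe", "powershell.exe -nop -w hidden"),
    # Benign: ordinary interactive process
    ProcEvent("app03", "explorer.exe", "notepad.exe", "notepad.exe"),
]


def classify(e: ProcEvent) -> List[str]:
    """Return the rule names matched by a single event (possibly several)."""
    img, parent, cmd = e.image.lower(), e.parent.lower(), e.cmdline.lower()
    rules = []
    # IIS worker process should not be launching shells; typical of web shells
    if parent == "w3wp.exe" and img in SHELLS:
        rules.append("iis_worker_spawned_shell")
    # 'reg save' of SAM/SECURITY/SYSTEM is credential material being exported
    if img == "reg.exe" and "save" in cmd.split() and any(h in cmd for h in SENSITIVE_HIVES):
        rules.append("registry_hive_export")
    # PsExec drops and starts its service binary on the target
    if img == "psexesvc.exe":
        rules.append("psexec_service")
    # Shell spawned by the WMI provider host indicates remote WMI execution
    if parent == "wmiprvse.exe" and img in SHELLS:
        rules.append("wmi_spawned_shell")
    return rules


def detect(events: List[ProcEvent]) -> List[Dict[str, str]]:
    """Run every rule over every event and collect findings in event order."""
    findings = []
    for e in events:
        for rule in classify(e):
            findings.append({"host": e.host, "rule": rule, "cmdline": e.cmdline})
    return findings


def hosts_by_rule(findings: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Group affected hosts per rule, which is how a triage view would show it."""
    out: Dict[str, List[str]] = {}
    for f in findings:
        out.setdefault(f["rule"], [])
        if f["host"] not in out[f["rule"]]:
            out[f["rule"]].append(f["host"])
    return out


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['host']}: {f['rule']} <- {f['cmdline']}")
```

Each rule on its own is noisy in some environments (administrators do use PsExec and WMI), so the grouping by host is there to show the value of correlating: the same web server producing both an IIS-spawned shell and a SAM hive export is the sequence the article describes, and that combination is far less likely to be routine administration.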

“They now owned the network” and began targeting 27 individuals, said Serper.

Lavi Lazarovitz, cyber research group manager at CyberArk, said the attack uncovered by Cybereason closely resembles others, such as “Operation Socialist, in that it leveraged privileged accounts and probably shadow admins to allow persistency and control.”

Once its presence was detected, rather than shuttering the attack, the threat actor ramped up its efforts with new tools and techniques. Cybereason alerted other providers and has since found evidence of the threat actor’s malicious activity in their networks.

Operation Soft Cell has all the hallmarks of a sophisticated hack from a nation-state, and the use of tools like China Chopper and PoisonIvy points to APT10. “There’s an asterisk, though,” said Serper. “All the tools are associated with APT10 but since they are all available online someone else can get them, modify them and pretend to be APT10.”

Cybereason reported its findings to the telecom providers and presented the information today at the Cyber Week conference in Tel Aviv. Ultimately, remediation falls to the companies affected, as does building a defense against attackers; the latter presents challenges, though.

“It’s incredibly difficult for a commercial organization to mount an adequate defense against a well-funded nation-state attacker,” which has greater resources, said Tim Erlin, vice president of product management and strategy at Tripwire, who explained that while intelligence gathering may be the target now, “it’s not a far cry to imagine attacks meant to destabilize critical infrastructure” in the future. “A national cyber-defense policy needs to include commercial organizations that are also targets of nation-state attacks.”

Calling telcos “an attractive low-hanging fruit for cybercriminals” for the volume of valuable data they accrue from customers, Ilia Kolochenko, founder and CEO of ImmuniWeb, said “the report and its findings are unfortunately not surprising,” and predicted “a thorough investigation will likely detect a sophisticated and undetected intrusion into virtually any large telco in the world.” Telco clients have little recourse but to “presume that all communication channels are insecure and encrypt all their traffic,” Kolochenko said. “This will, however, not save from such things as unwarranted tracking by a breached telco.”
