Operation Soft Cell said to impact millions

Millions of consumers have had their phone records and identities compromised as part of an advanced nation-state hacking campaign that has been targeting global telecommunications providers for years.

The breach, which is said to have been perpetrated against multiple reputable telcos, has been revealed by researchers at threat detection firm Cybereason, who began documenting the single threat actor in 2018.

Cybereason has identified 10 telcos that have so far been impacted by what appears to be a two-year intrusion.
The affected companies – which could not be named due to legal reasons – are responsible for the personal information of “hundreds of millions of customers”, according to Mori Levi, vice president of global security practice at Cybereason.

“Cellular communications are critical infrastructure and the highly sensitive nature of the information hackers have stolen is troubling,” Levi told The Daily Swig, adding that the incident was less a story of cybersecurity failings at any major network provider than one of a determined adversary.

“Keep in mind that this is a nation-state threat actor and they are very determined to achieve their goals,” she said.

The persistent attack, dubbed Operation Soft Cell, took place in several waves, in which the threat actor gained access to the telcos’ Active Directory environments.

This allowed the exfiltration of usernames, passwords, and personally identifiable information, including billing data, call records, email servers, and the geolocation of the telcos’ customers.

It is likely that the threat actor was collecting information on “foreign intelligence agents, politicians, opposition candidates in an election, or even law enforcement”, a blog post by Cybereason reads.

APT10, a cyber espionage group backed by the Chinese government, is thought to be behind the attacks, due to techniques deployed in the campaign such as PoisonIvy, a remote administration tool (RAT) known to be popular with Chinese threat actors, Cybereason said.

“There are multiple indicators that suggest that this is a Chinese threat actor, not just the RAT, but additional tools, which are attributed to a specific group called APT10,” Levi explained.

“A disclaimer to this is that those tools were leaked a few years ago, and anyone with a little bit of effort can ‘get their hands on those tools’ and make it look like APT10 is behind that.”

The tactics, techniques, and procedures (TTPs) employed by the threat actor also included execution of a modified China Chopper webshell.

This was used to run commands and steal credentials via a vulnerable server before a PoisonIvy backdoor and other malicious tools were leveraged.

Cybereason continues to monitor the threat actor, thought to have been active since 2017, and recommends that telcos take the necessary precautions to secure their infrastructure.

According to Levi, this includes strict monitoring of any internet-facing asset (especially web servers), and strict monitoring of highly privileged users and of machines that have access to the CDR (call detail record) network.
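One concrete form that web server monitoring can take is checking process-creation telemetry for a web server worker process handing commands to a shell, which is how a webshell such as China Chopper executes its operator’s commands. The script below is an added illustration, not Cybereason’s code; the JSON-per-line log format and the sample events are constructed for the example, and the process name lists are starting points to be tuned per environment.

```python
"""Flag command interpreters spawned by web server worker processes.

Constructed example: the sensor log format (one JSON object per line with
host, parent_image, image and command_line fields) is assumed, not a real
product's schema.
"""
import json

# Worker processes of common internet-facing web servers (assumed list; tune per site).
WEB_SERVER_PARENTS = {"w3wp.exe", "httpd", "nginx", "php-fpm", "tomcat"}
# Interpreters a webshell typically hands its commands to.
COMMAND_INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh", "sh", "bash"}


def basename(path: str) -> str:
    """Return the file name from a Windows or POSIX path, lower-cased."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_webshell_like(event: dict) -> bool:
    """True when a web server worker process directly spawns a shell."""
    parent = basename(event.get("parent_image", ""))
    child = basename(event.get("image", ""))
    return parent in WEB_SERVER_PARENTS and child in COMMAND_INTERPRETERS


def find_suspicious(lines):
    """Scan log lines and return (host, image, command_line) for each hit."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed telemetry instead of stopping the scan
        if is_webshell_like(event):
            hits.append((event.get("host"), event.get("image"), event.get("command_line")))
    return hits


# Constructed sample events: one webshell-style spawn, one admin console session,
# one legitimate ASP.NET compiler launch, and one malformed line.
SAMPLE_LOG = """
{"host": "web-01", "parent_image": "C:\\\\Windows\\\\System32\\\\inetsrv\\\\w3wp.exe", "image": "C:\\\\Windows\\\\System32\\\\cmd.exe", "command_line": "cmd.exe /c whoami"}
{"host": "ops-07", "parent_image": "C:\\\\Windows\\\\explorer.exe", "image": "C:\\\\Windows\\\\System32\\\\cmd.exe", "command_line": "cmd.exe"}
{"host": "web-01", "parent_image": "C:\\\\Windows\\\\System32\\\\inetsrv\\\\w3wp.exe", "image": "C:\\\\Windows\\\\Microsoft.NET\\\\Framework64\\\\v4.0.30319\\\\csc.exe", "command_line": "csc.exe /noconfig"}
not json at all
"""

if __name__ == "__main__":
    for host, image, cmd in find_suspicious(SAMPLE_LOG.splitlines()):
        print(f"ALERT {host}: {image} launched by web server worker: {cmd}")
```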

She added: “Just last week we discovered another company has been breached.”