Hackers infiltrated the networks of at least ten cellular telcos around the world, and remained hidden for years, as part of a long-running tightly targeted surveillance operation, The Register has learned. This espionage campaign is still ongoing, it is claimed.
Cyber-spy hunters at US security firm Cybereason told El Reg on Monday the miscreants responsible for the intrusions were, judging from their malware and skills, either part of the infamous Beijing-backed hacking crew dubbed APT10 – or someone operating just like them, perhaps deliberately so.
Whoever it was, the snoops apparently spent the past two or more years inside ten-plus cellphone networks dotted around the planet. In some cases, we're told, the hackers were able to deploy their own VPN services on the telcos' infrastructure to gain quick, persistent, and direct access to the carriers rather than hop through compromised internal servers and workstations. These VPN services were not detected by the telcos' IT staff.
"It is straight up brazen," Cybereason principal security researcher Amit Serper told El Reg hours earlier. "They figured out there was a lot of lag in using hacked machines, and said: let's install a VPN and get it over with. I don't know if there is even [networking monitoring] coverage of those connections going in and out."
Hundreds of gigabytes of personal information
The undetected VPN deployments underscore just how deeply the hacker crew was able to drill into the unnamed telcos and compromise pretty much everything needed to get the job done. The gang sought access to hundreds of gigabytes of phone records, text messages, device and customer metadata, and location data on hundreds of millions of subscribers.
This was all done, we're told, to spy on and gather the whereabouts of some 20 to 30 high-value targets – think politicians, diplomats, and foreign agents. The hackers and their masters would thus be able to figure out who their targets have talked to, where they work and stay, and so on.
Having picked up signs of intrusions earlier this year, Cybereason's team has been investigating ever since, dubbing the cyber-attacks Operation Soft Cell. They said they found the hackers had been extremely patient in their approach, stealthily operating their spy campaigns by only acting precisely and periodically. Useful internal data would be compressed and encrypted using a passphrase prior to exfiltration via, if necessary, multiple bounce boxes.
Typically, Serper said, the snoops would slip through a phone network's defenses by exploiting a known vulnerability in one of the corporation's public-facing servers, such as a web server running Microsoft IIS. From there, the crew would install a webshell – such as China Chopper, favored by the Middle Kingdom's hackers – to execute arbitrary commands. From this foothold, the intruders would then very slowly tip-toe into other parts of the network, moving from system to system harvesting staff credentials, and using each freshly compromised machine to get into another in the telco's Active Directory.
A modified version of Mimikatz was used to extract login details out of hijacked Windows boxes, and a NetBIOS scanner was used to find computers to attack on the local network. Backdoors, such as the PoisonIvy remote-access tool, would be installed on systems to remotely control them and steal information.
China's tech giants are a security threat to the UK, says Brit spy bigwigREAD MORE
To cover their tracks, the hackers would have long periods of inactivity.
"They come in, they do something, and they disappear for one to three months," said Serper. "Then they come in again, disappear, and so forth."
Such lulls in activity are not unprecedented, particularly when it comes to hacking groups from China. Espionage campaigns by the Middle Kingdom's APT groups will sometimes be put on ice for years in between flurries of activity.
The thought of hackers sitting on a network undetected for years at a time with their own private tunnel into the most sensitive silos of company data should be enough to send any infosec pro through the roof, though Cybereason cautioned against being too hard on the compromised telcos – said to be based across the world, from Europe and Africa to Asia and the Middle East, though outside North America. More operators pwned by this particular gang may be discovered, bear in mind. Cybereason said it has alerted those that it knows have been broken into.
Even if the telcos had spotted the intrusions, keeping out a determined and methodical hacking operation with the resources of the Chinese government, or similar, would be a tall order for many cellular operators.
"They [the intruders] have very talented people, and a lot of people, and time to do whatever they need to do," Cybereason's security practices veep Mor Levi told us. "That is versus a company that even, if their security team had 50 people, it is not something you can prepare against: it is David and Goliath." ®