What the cell...? Telcos around the world were so severely pwned, they didn't notice the hackers setting up VPN points

Revealed: Long-running espionage campaign targets phone carriers to snoop on VIPs' location, call records

Hackers infiltrated the networks of at least ten cellular telcos around the world, and remained hidden for years, as part of a long-running, tightly targeted surveillance operation, The Register has learned. This espionage campaign is still ongoing, it is claimed.

Cyber-spy hunters at US security firm Cybereason told El Reg on Monday the miscreants responsible for the intrusions were, judging from their malware and skills, either part of the infamous Beijing-backed hacking crew dubbed APT10 – or someone operating just like them, perhaps deliberately so.

Whoever it was, the snoops apparently spent the past two or more years inside ten-plus cellphone networks dotted around the planet. In some cases, we're told, the hackers were able to deploy their own VPN services on the telcos' infrastructure to gain quick, persistent, and direct access to the carriers rather than hop through compromised internal servers and workstations. These VPN services were not detected by the telcos' IT staff.

"It is straight up brazen," Cybereason principal security researcher Amit Serper told El Reg hours earlier. "They figured out there was a lot of lag in using hacked machines, and said: let's install a VPN and get it over with. I don't know if there is even [networking monitoring] coverage of those connections going in and out."

Hundreds of gigabytes of personal information

The undetected VPN deployments underscore just how deeply the hacker crew was able to drill into the unnamed telcos and compromise pretty much everything needed to get the job done. The gang sought access to hundreds of gigabytes of phone records, text messages, device and customer metadata, and location data on hundreds of millions of subscribers.

This was all done, we're told, to spy on and gather the whereabouts of some 20 to 30 high-value targets – think politicians, diplomats, and foreign agents. The hackers and their masters would thus be able to figure out who their targets have talked to, where they work and stay, and so on.

Having picked up signs of intrusions earlier this year, Cybereason's team has been investigating ever since, dubbing the cyber-attacks Operation Soft Cell. They said they found the hackers had been extremely patient in their approach, stealthily operating their spy campaigns by only acting precisely and periodically. Useful internal data would be compressed and encrypted using a passphrase prior to exfiltration via, if necessary, multiple bounce boxes.

Typically, Serper said, the snoops would slip through a phone network's defenses by exploiting a known vulnerability in one of the corporation's public-facing servers, such as a web server running Microsoft IIS. From there, the crew would install a webshell – such as China Chopper, favored by the Middle Kingdom's hackers – to execute arbitrary commands. From this foothold, the intruders would then very slowly tip-toe into other parts of the network, moving from system to system harvesting staff credentials, and using each freshly compromised machine to get into another in the telco's Active Directory.

A modified version of Mimikatz was used to extract login details out of hijacked Windows boxes, and a NetBIOS scanner was used to find computers to attack on the local network. Backdoors, such as the PoisonIvy remote-access tool, would be installed on systems to remotely control them and steal information.
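As an added illustration (not code from Cybereason or The Register), here is one way a defender could hunt for the webshell stage described above: IIS runs site code in its worker process, w3wp.exe, so commands issued through a webshell appear as shells spawned by that process. The events, their field layout and the process lists are constructed assumptions; the last function measures the silence between alerts, since activity this sparse is easy to age out of a review window.

```python
import ntpath
from datetime import datetime

WEB_WORKERS = {"w3wp.exe"}               # IIS worker process that runs site code
SHELLS = {"cmd.exe", "powershell.exe"}   # interpreters a webshell typically launches

# Constructed events (not from the article): host, time, pid, ppid, parent image, image.
EVENTS = [
    ("web01", "2019-01-10T02:14:07", 4120, 880, r"C:\Windows\System32\inetsrv\w3wp.exe", r"C:\Windows\System32\cmd.exe"),
    ("web01", "2019-01-10T02:14:09", 4188, 4120, r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\whoami.exe"),
    ("web01", "2019-01-11T09:00:00", 5010, 880, r"C:\Windows\System32\inetsrv\w3wp.exe", r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"),
    ("ws17", "2019-02-02T10:30:00", 700, 300, r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe"),
    ("web01", "2019-03-21T03:02:11", 6230, 912, r"C:\Windows\System32\inetsrv\W3WP.EXE", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
]

def name(path):
    """Lower-cased file name of a Windows path, whatever OS this runs on."""
    return ntpath.basename(path).lower()

def detect(events):
    """Flag shells started by the IIS worker, and everything those shells start."""
    tainted, alerts = set(), []
    for host, when, pid, ppid, parent, image in sorted(events, key=lambda e: e[1]):
        if name(parent) in WEB_WORKERS and name(image) in SHELLS:
            reason = "shell spawned by web worker"
        elif (host, ppid) in tainted:
            reason = "descendant of flagged shell"
        else:
            continue
        # PIDs get reused; a production rule would key on a stable process id instead.
        tainted.add((host, pid))
        alerts.append((host, when, name(image), reason))
    return alerts

def longest_quiet_days(alerts):
    """Per host, the longest gap in days between consecutive alerts."""
    gaps, last = {}, {}
    for host, when, _, _ in alerts:
        t = datetime.fromisoformat(when)
        if host in last:
            gaps[host] = max(gaps.get(host, 0), (t - last[host]).days)
        last[host] = t
    return gaps

if __name__ == "__main__":
    found = detect(EVENTS)
    for alert in found:
        print(*alert, sep=" | ")
    print("longest quiet period (days):", longest_quiet_days(found))
```

The compiler launch by w3wp.exe and the desktop user's cmd.exe are left alone, while the second visit 70 days after the first is still tied to the same host.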


To cover their tracks, the hackers would have long periods of inactivity.

"They come in, they do something, and they disappear for one to three months," said Serper. "Then they come in again, disappear, and so forth."

Such lulls in activity are not unprecedented, particularly when it comes to hacking groups from China. Espionage campaigns by the Middle Kingdom's APT groups will sometimes be put on ice for years in between flurries of activity.

The thought of hackers sitting on a network undetected for years at a time with their own private tunnel into the most sensitive silos of company data should be enough to send any infosec pro through the roof, though Cybereason cautioned against being too hard on the compromised telcos – said to be based across the world, from Europe and Africa to Asia and the Middle East, though outside North America. More operators pwned by this particular gang may be discovered, bear in mind. Cybereason said it has alerted those that it knows have been broken into.

Even if the telcos had spotted the intrusions, keeping out a determined and methodical hacking operation with the resources of the Chinese government, or similar, would be a tall order for many cellular operators.

"They [the intruders] have very talented people, and a lot of people, and time to do whatever they need to do," Cybereason's security practices veep Mor Levi told us. "That is versus a company that even, if their security team had 50 people, it is not something you can prepare against: it is David and Goliath." ®
