Persistent Telco Data Theft: Is China to Blame?

At least 10 cell providers have been compromised, losing the call data records (CDRs) for “hundreds of millions” of customers. The researchers who found the hacks are calling it Soft Cell, suspecting a Chinese state-sponsored group, known as APT10.

This is huge. These hackers seem to have been working at it for years.

Sometimes I feel I’ve got to run away. In today’s SB Blogwatch, we’ve got to get away.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: taint.


VIP CDR Vuln

What’s the craic? Shaun Nichols drives pain into the heart of the story—“Revealed: Long-running espionage campaign targets phone carriers”:

 Hackers infiltrated the networks of at least ten cellular telcos around the world, and remained hidden for years. … This espionage campaign is still ongoing, it is claimed.

Cybereason [says] the miscreants responsible for the intrusions were … either part of the infamous Beijing-backed hacking crew dubbed APT10 – or someone operating just like them. … The gang sought access to hundreds of gigabytes of phone records, text messages, … metadata, and location data on hundreds of millions of subscribers. [They] spent the past two or more years inside ten-plus cellphone networks … from Europe and Africa to Asia and the Middle East.

[There were] 20 to 30 high-value targets – think politicians, diplomats, and foreign agents, [say researchers] dubbing the cyber-attacks Operation Soft Cell.

The love Zack Whittaker shares seems to go nowhere—“At least 10 cell networks have been hacked over the past seven years”:

 Call detail records — or CDRs — are the crown jewels of any intelligence agency’s collection efforts. These call records are highly detailed metadata logs generated by a phone provider to connect calls and messages from one person to another.

The researchers found the hackers got into one of the cell networks by exploiting a vulnerability on an … web server to gain a foothold onto the provider’s internal network. … The hackers continued to exploit each machine they found … to gain deeper access.

The Chinese government has long denied allegations of hacking against the West. … A spokesperson for the Chinese consulate in New York did not comment.

And I’ve lost my light, for Mor Levi, Assaf Dahan, and Amit Serper toss and turn—they can’t sleep at night:

 Threat actors, especially those at the level of nation state, are seeking opportunities to attack … organizations, conducting elaborate, advanced operations to gain leverage, seize strategic assets, and collect information. When successful, these attacks often have huge implications.

We’ve concluded with a high level of certainty that [this] threat actor is affiliated with China and is likely state sponsored. … The initial indicator of the attack was a malicious web shell … a modified version of the China Chopper … commonly used by malicious Chinese actors.

One of the reconnaissance commands was to run a modified nbtscan tool … to identify available NetBIOS name servers. … The most common credential stealing tool used by the threat actor was a modified mimikatz that dumps NTLM hashes. … They dumped specific hives from the Windows Registry.

[Then] they began to move laterally [to] production servers and database servers [even] full control of the Domain Controller [creating] rogue, high-privileged domain user accounts [to] maintain access between different waves of the attack.

For a nation-state … obtaining access to [CDR] data … lets them answer questions like:
» Who are the individuals talking to?
» Which devices are the individuals using?
» Where are the individuals traveling?

This attack has widespread implications. … Telecommunications has become critical infrastructure for the majority of world powers. … Any entity that [can] take over the networks of telecommunications providers can … shut down or disrupt an entire cellular network as part of a larger cyber warfare operation.
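The write-up above hands a defender two concrete things to hunt for: an account that is created and then promoted into a high-privileged domain group within the same wave, and Registry hive dumps (SAM, SECURITY, SYSTEM) that feed offline NTLM-hash extraction. The following Python script is an added example, not code from the Cybereason report or from this post; it correlates constructed Windows Security-log records (event IDs 4720, 4728/4732 and 4688 in an assumed JSON-lines export with assumed field names) to raise both alerts.

```python
import json
import re
from datetime import datetime, timedelta

# Groups whose membership grants domain-wide control. A brand-new account
# landing in one of these is the "rogue high-privileged domain user" pattern.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}

# "reg save" of the SAM/SECURITY/SYSTEM hives: the on-disk material needed
# to extract NTLM hashes offline.
HIVE_DUMP = re.compile(r"\breg(?:\.exe)?\s+save\s+hklm\\(sam|security|system)\b", re.I)

# Constructed sample export (JSON lines, field names assumed), not real telemetry.
SAMPLE_LOG = r"""
{"time": "2019-06-25T02:14:03", "id": 4720, "actor": "svc-backup", "target": "itadmin2", "host": "DC01"}
{"time": "2019-06-25T02:14:09", "id": 4728, "actor": "svc-backup", "target": "itadmin2", "group": "Domain Admins", "host": "DC01"}
{"time": "2019-06-25T02:20:41", "id": 4688, "actor": "itadmin2", "cmd": "reg.exe save hklm\\sam C:\\Windows\\Temp\\s.hiv", "host": "DC01"}
{"time": "2019-06-25T09:00:12", "id": 4720, "actor": "helpdesk1", "target": "jdoe", "host": "DC01"}
{"time": "2019-06-26T11:00:00", "id": 4728, "actor": "helpdesk1", "target": "adm-lee", "group": "Domain Admins", "host": "DC01"}
{"time": "2019-06-27T10:15:00", "id": 4728, "actor": "helpdesk1", "target": "jdoe", "group": "VPN Users", "host": "DC01"}
"""

def parse_events(text):
    """Parse JSON-lines events, convert timestamps, and sort chronologically."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["time"] = datetime.fromisoformat(ev["time"])
            events.append(ev)
    return sorted(events, key=lambda e: e["time"])

def detect(events, window=timedelta(hours=24)):
    """Return alerts for (a) an account promoted to a privileged group within
    `window` of its creation and (b) SAM/SECURITY/SYSTEM hive dumps."""
    created = {}  # account name -> time of its most recent 4720 (creation)
    alerts = []
    for ev in events:
        if ev["id"] == 4720:
            created[ev["target"]] = ev["time"]
        elif ev["id"] in (4728, 4732) and ev.get("group") in PRIVILEGED_GROUPS:
            born = created.get(ev["target"])
            if born is not None and ev["time"] - born <= window:  # new + privileged
                alerts.append({"rule": "rogue_privileged_account", "account": ev["target"],
                               "actor": ev["actor"], "host": ev["host"], "time": ev["time"]})
        elif ev["id"] == 4688 and HIVE_DUMP.search(ev.get("cmd", "")):
            alerts.append({"rule": "registry_hive_dump", "account": ev["actor"],
                           "actor": ev["actor"], "host": ev["host"], "time": ev["time"]})
    return alerts

if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LOG)):
        print(alert)
```

The pre-existing "adm-lee" promotion and the "jdoe" creation raise nothing, so the correlation only fires on the create-then-promote sequence rather than on every group change.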

Once, Paul Barton ran to you:

 This is fascinating! … Great work.

Now, Chris Wysopal runs from you:

 Who needs lawful collection? All the governments are doing it the hacker way now.

This tainted love Dan Cavender’s given:

 What in the Hades is going on? The Chinese have declared Cyber-warfare on Americans!

The metadata is ours … not the companies the Chinese attacked. These phone companies … are accomplices in this crime!

Archtech gives you all a boy could give you:

 What answer you get depends on whom you ask.

APT10? … I can’t help wondering what a Chinese or Russian security firm might have said, had anyone asked them.

Take my tears, cries ga-vu:

 Would have loved some [indicators of compromise] for this one. Looks more like a fairy tale than actual infosec report.

And that’s not nearly all from this Anonymous Coward:

 But why would they need to go through an IIS server to hack the telco networks? There is Huawei equipment…

Oh right, sorry.

And Finally:

Many, many Tainted covers


You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites… so you don’t have to. Hatemail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: Martin Pearce (cc:by-nd)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
