Soft Cell targets specific individuals through global telecom networks

An attack on global telecoms carriers by suspected Chinese hackers targeted specific individuals such as military officials, dissidents, spies and law enforcement officials across Asia, Europe, Africa and the Middle East

Hackers have infiltrated the networks of at least ten major global telecom service providers and remained undetected for years, according to cyber-security research firm Cybereason. The ongoing operation is part of a long-running surveillance effort against targets such as military officials, dissidents, spies and law enforcement officials across Asia, Europe, Africa and the Middle East, the firm said.

"Earlier this year, Cybereason identified an advanced, persistent attack targeting telecommunications providers that has been underway for years, soon after deploying into the environment," said the research report. "Based on the data available to us, Operation Soft Cell has been active since at least 2017, though some evidence suggests even earlier activity by the threat actor against telecommunications providers."

According to the research, all indicators point towards China. "We’ve concluded with a high level of certainty that the threat actor is affiliated with China and is likely state sponsored. The tools and techniques used throughout these attacks are consistent with several Chinese threat actors, specifically with APT10, a threat actor believed to operate on behalf of the Chinese ministry of state security (MSS)."

The initial phase started in early 2018 with a web shell running on a vulnerable, publicly facing server, from which the attackers gathered information about the network and moved laterally across it. When the malicious activity was detected and remediated, the threat actor halted the attack.

The second wave hit several months later with similar infiltration attempts, a modified version of the web shell and further reconnaissance. Defenders again reacted swiftly; the intruders ceased and then resumed their attack two more times over the span of four months. The attacks focused on a narrow set of specific individuals and organisations, tracking them mostly through their call detail records (CDRs), the research report said.

CDRs form a crucial part of global intelligence campaigns. They leave a trail of information about a person's contact network, communication patterns and geographic location, among other details.

"For a nation state threat actor, obtaining access to this data gives them intimate knowledge of any individuals they wish to target on that network. It lets them answer questions like: who are the individuals talking to, which devices are the individuals using, where are the individuals traveling," said the report. "Having this information becomes particularly valuable when nation-state threat actors are targeting foreign intelligence agents, politicians, opposition candidates in an election, or even law enforcement."

The presence of such individuals puts the organisations in their network at risk of foreign surveillance. "You may not think of your organisation as a target for espionage, but if your customer base includes government or intelligence employees, then you should reconsider that conclusion," said Tripwire vice president Tim Erlin.

"It’s incredibly difficult for a commercial organisation to mount an adequate defence against a well-funded nation-state attacker. The scales are simply tipped in the attacker’s favour in terms of resources," he said.

Equally alarming is the threat posed by state-sponsored hackers taking control of a telecommunications provider, said the report. "Telecommunications has become critical infrastructure for the majority of world powers. A threat actor with total access to a telecommunications provider can attack however they want -- passively or actively -- to sabotage the network."

Individual telecom companies are rarely in a position to counter full-scale state-sponsored cyber-espionage, said Javvad Malik, security awareness advocate at KnowBe4. "One of the main reasons for this is the overall outlook to risk. We see that many times, attackers won't go after their target companies directly, rather they will try to target companies in the supply chain, who are less likely to think they have anything of importance to attackers."
