Posted on June 26, 2019 at 11:41 AM
Online threats continue to grow, with hackers choosing bigger and bigger targets every time they strike. According to new information published by an Israeli-U.S. cybersecurity firm, Cybereason, so-called nation-state hackers appear to have compromised the systems of ten — possibly more — cellular carriers around the world.
Their goal, according to the report, was to steal the metadata of specific users. So far, experts have not been able to deliver definitive proof, but it is suspected that both the hackers and the targeted individuals are linked to China. Furthermore, the report opted not to name the affected carriers. However, it did note that the attack’s scale and sophistication carry the marks of a nation-state operation.
Campaign details revealed
Researchers have named this series of attacks Operation Softcell. They believe that the targets are dissidents and military officers with links to China, and they suspect that the hackers are backed by the Chinese government. While the carriers were not named, the report acknowledged that they are located in numerous regions of the world, including Africa, Asia, the Middle East, and even Europe. So far, it is believed that none of the targeted cellular network carriers are US-based.
Another point the report makes is that such attacks have been carried out since at least 2017. The attackers targeted data kept in Active Directory. Along with the data they were actually after, the hackers were also able to compromise all other usernames and passwords, as well as other data such as billing information, credentials, users’ locations, call details, email servers, and the like.
After the attacks were detected, the attackers would pull back and cease their activity. However, once it appeared that the telecommunications companies had stopped keeping such a close watch, they would return and continue the attack.
Naturally, the implications of the infiltration are very significant and beyond serious. If successful, the hackers would be able to conduct deep intelligence harvesting and compromise millions of users beyond their actual targets. Not only that, but this level of access could also allow them to take control of the entire network, disrupt it, or even crash it if they chose to do so.
Some reports claim that Cybereason’s Chief Executive, Lior Div, already gave a briefing regarding the attacks to over two dozen global carriers recently. The firms that were already compromised were furious and in disbelief when notified. Div also stated that such a mass espionage ability was never witnessed before.
As for the harvested data, it is believed to have real value to intelligence agencies, which are able to analyze it and identify specific patterns, particularly in the metadata. There is no confirmation yet that the content of messages or calls has been retrieved, but even if not — intelligence agencies would be able to analyze the data and determine who talked to whom, when the calls took place, how long they lasted, and more.
This poses a direct threat to the network users’ privacy, as well as their physical security, as the analysis could also reveal their locations. Whenever this type of data is collected by the intelligence agencies of the US or the UK, there is a considerable privacy backlash. Not only that, but this particular campaign apparently went far beyond what the government agencies were ever aiming to collect.
The attackers are believed to be sponsored by the Chinese government
Cybereason attempted to identify the hackers, and while the security firm currently lacks definitive proof — it remains convinced that the group behind the attack is China’s Advanced Persistent Threat 10 (APT10). In the past, this group has been known for persistent, long-term campaigns in which it continuously harvests data.
The group is known for its patience, which is typically rewarded with successful hacking campaigns. This particular campaign is believed to have been running for about seven years. Another of the group’s targets is believed to be NASA itself, which also recently admitted to being hacked. As mentioned, there is no proof yet that the group is responsible. Cybereason stated that it is entirely possible that another, non-Chinese group is the culprit and simply imitated APT10’s methods so that this particular group would be blamed.
However, this is unlikely, as the domains, servers, IP addresses, and more all originate from China and surrounding countries. Other security firms, such as Crowdstrike and FireEye, which are experts on APT10, did not find enough proof to confirm Cybereason’s claims. They believe that Russian and Iranian state-sponsored hackers are equally capable of conducting this type of attack.
So far, it is believed that one of the reasons for the attack might be the current US campaign against Chinese telecoms equipment manufacturers. The US recently banned Huawei, and there are rumors that exposing these kinds of vulnerabilities might be used by China to gather intelligence from foreign countries. All of this keeps Cybereason convinced that China is the culprit, acting through APT10.