25 June 2019

Chinese hackers hit 10 major global telcos in a large-scale cyber espionage campaign


Chinese hackers hit 10 major global telcos in a large-scale cyber espionage campaign

At least 10 major telecommunications companies operating all over the world have become victims of massive cyber espionage campaign involving the theft of call records from hacked cell network providers to conduct targeted surveillance on individuals of interest. The campaign dubbed “Operation Softcell” has been uncovered by cybersecurity outfit Cybereason while investigating a breach of the network of a new telco customer. Based on the tools and TTPs (Tactics, Techniques, and Procedures) used in the attacks the security research firm believes that “Operation Softcell” is the work of Chinese hackers APT10 (or a threat actor that shares, or wishes to emulate its methods by using the same tools and techniques).

According to Cybereason’s extensive report, the hackers penetrated and for at least two years occupied the networks of about 10 cellular providers in Africa, Europe, the Middle East and Asia obtaining massive amounts of call records. including times and dates of calls, and their cell-based locations. The threat actor was attempting to steal all data stored in the active directory, compromising every single username and password in the organization, along with other personally identifiable information, billing data, call detail records, credentials, email servers, geo-location of users, and more.

The attackers had extracted over 100GB of data from the primary telco assessed, and were using their access to so-called Call Detail Records (CDRs) to track the movements and interactions of high-profile individuals from various countries.

“The attack began with a web shell running on a vulnerable, publicly-facing server, from which the attackers gathered information about the network and propagated across the network. The threat actor attempted to compromise critical assets, such as database servers, billing servers, and the active directory,” said the researchers. While the first attempt to compromise the target network was unsuccessful the hackers resumed their attacks 2 more times in the span of a 4 month period.

The initial indicator of the attack was a malicious web shell that was detected on an IIS (Internet Information Services) server, coming out of the w3wp.exe process. This web shell is a modified version of the China Chopper web shell, which previously has been seen in the attacks conducted by several hacking groups. In this particular campaign the China Chopper was used to run reconnaissance commands and steal credentials, using a range of tools. One of the reconnaissance commands was to run a modified nbtscan tool (“NetBIOS nameserver scanner”) to identify available NetBIOS name servers locally or over the network. Nbtscan has been used by APT10 in “Operation Cloud Hopper” to search for services of interest across the IT estate and footprint endpoints of interest. It is also capable of identifying system information.

The next stage of the attack involved a modified version (maybemimi.exe.) of Mimikatz - a tool that dumps passwords from memory, as well as hashes, and PINs.

Another tool used included the RAT Poison Ivy. This used a DLL side-loading​ technique to stealthily load itself into memory, using a trusted and signed Samsung tool (RunHelp.exe). The RAT was used to maintain access across the compromised assets.

In later stages of the attack, the threat actor deployed two other custom-built web shells to launch reconnaissance commands, steal data, and download additional tools, including portqry.exe, renamed cmd.exe, winrar, and the notorious hTran.

“Once the threat actor mapped the network and obtained credentials, they began to move laterally. They were able to compromise critical assets including production servers and database servers, and they even managed to gain full control of the Domain Controller. The threat actor relied on WMI and PsExec to move laterally and install their tools across multiple assets,” added the researchers.

Back to the list

Latest Posts

500 Chrome extensions secretly pilfered data from millions of users

500 Chrome extensions secretly pilfered data from millions of users

The extensions were part of a malvertising and ad-fraud campaign that has been active since at least since January 2019.
14 February 2020
Hamas-linked hackers target victims in Palestinian territories

Hamas-linked hackers target victims in Palestinian territories

The hackers exploit current geopolitical events to spy on Palestinian entities and individuals.
13 February 2020
The Outlaw hacking group returns with updated kit, targets businesses in the U.S and Europe

The Outlaw hacking group returns with updated kit, targets businesses in the U.S and Europe

The group used a combination of pre-existing tools and new techniques to monitor for programs that could detect its malware.
13 February 2020