At least 10 major telecommunications companies operating around the world have become victims of a massive cyber espionage campaign involving the theft of call records from hacked cell network providers, used to conduct targeted surveillance on individuals of interest. The campaign, dubbed “Operation Softcell”, was uncovered by cybersecurity firm Cybereason while it investigated a breach of the network of a new telco customer. Based on the tools and TTPs (Tactics, Techniques, and Procedures) used in the attacks, the security research firm believes that “Operation Softcell” is the work of the Chinese hacking group APT10 (or a threat actor that shares, or wishes to emulate, its methods by using the same tools and techniques).
According to Cybereason’s extensive report, the hackers penetrated and, for at least two years, occupied the networks of about 10 cellular providers in Africa, Europe, the Middle East and Asia, obtaining massive amounts of call records, including the times and dates of calls and their cell-based locations. The threat actor attempted to steal all data stored in Active Directory, compromising every username and password in the organization, along with other personally identifiable information, billing data, call detail records, credentials, email servers, geo-location of users, and more.
The attackers had extracted over 100GB of data from the primary telco assessed, and were using their access to so-called Call Detail Records (CDRs) to track the movements and interactions of high-profile individuals from various countries.
“The attack began with a web shell running on a vulnerable, publicly-facing server, from which the attackers gathered information about the network and propagated across the network. The threat actor attempted to compromise critical assets, such as database servers, billing servers, and the active directory,” said the researchers. While the first attempt to compromise the target network was unsuccessful, the hackers resumed their attacks 2 more times in the span of a 4-month period.
The initial indicator of the attack was a malicious web shell detected on an IIS (Internet Information Services) server, spawned from the w3wp.exe worker process. This web shell is a modified version of the China Chopper web shell, which has previously been seen in attacks conducted by several hacking groups. In this campaign, China Chopper was used to run reconnaissance commands and steal credentials using a range of tools. One of the reconnaissance commands ran a modified nbtscan tool (“NetBIOS nameserver scanner”) to identify available NetBIOS name servers locally or over the network. Nbtscan was used by APT10 in “Operation Cloud Hopper” to search for services of interest across the IT estate and to footprint endpoints of interest. It is also capable of identifying system information.
The next stage of the attack involved a modified version (maybemimi.exe) of Mimikatz, a tool that dumps passwords, hashes, and PINs from memory.
Another tool used was the Poison Ivy RAT, which loaded itself stealthily into memory through DLL side-loading against a trusted, signed Samsung tool (RunHelp.exe). The RAT was used to maintain access across the compromised assets.
In later stages of the attack, the threat actor deployed two other custom-built web shells to launch reconnaissance commands, steal data, and download additional tools, including portqry.exe, a renamed cmd.exe, WinRAR, and the notorious hTran.
“Once the threat actor mapped the network and obtained credentials, they began to move laterally. They were able to compromise critical assets including production servers and database servers, and they even managed to gain full control of the Domain Controller. The threat actor relied on WMI and PsExec to move laterally and install their tools across multiple assets,” added the researchers.
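As an added illustration (not code from Cybereason’s report), the routine below flags the two process-lineage patterns described above: the IIS worker process w3wp.exe spawning a shell or scanner, as a web shell does, and shells spawned under WmiPrvSE.exe or PSEXESVC.exe during WMI/PsExec lateral movement. The log records, hostnames and the IIS child-process allowlist are constructed assumptions.

```python
import shlex

# Constructed sample process-creation records (not real Softcell telemetry):
# one key=value tuple per event, describing a parent -> child process launch.
SAMPLE_EVENTS = """\
host=WEB01 parent=w3wp.exe image=cmd.exe cmdline="cmd.exe /c whoami"
host=WEB01 parent=w3wp.exe image=nbtscan.exe cmdline="nbtscan.exe 10.0.0.0/24"
host=WEB01 parent=w3wp.exe image=csc.exe cmdline="csc.exe /t:library App_Web.cs"
host=DB01 parent=WmiPrvSE.exe image=cmd.exe cmdline="cmd.exe /c maybemimi.exe"
host=DC01 parent=PSEXESVC.exe image=cmd.exe cmdline="cmd.exe"
host=WS07 parent=explorer.exe image=cmd.exe cmdline="cmd.exe"
"""

# Children that IIS worker processes legitimately spawn (ASP.NET dynamic
# compilation). Assumed baseline; tune it to what your own web tier does.
IIS_EXPECTED_CHILDREN = {"csc.exe", "vbc.exe", "cvtres.exe"}

# Parents that indicate remote execution through WMI or PsExec's service stub.
LATERAL_PARENTS = {"wmiprvse.exe": "wmi-remote-exec", "psexesvc.exe": "psexec"}

def parse_event(line):
    """Turn one key=value record into a dict; quoted values are kept whole."""
    return dict(tok.split("=", 1) for tok in shlex.split(line))

def classify(event):
    """Return a rule name if the event matches a Softcell-style TTP, else None."""
    parent = event["parent"].lower()
    image = event["image"].lower()
    if parent == "w3wp.exe" and image not in IIS_EXPECTED_CHILDREN:
        return "webshell-child-of-iis"
    if parent in LATERAL_PARENTS:
        return LATERAL_PARENTS[parent]
    return None

def detect(log_text):
    """Run every record through classify(); return (host, rule, image) hits."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        rule = classify(event)
        if rule:
            hits.append((event["host"], rule, event["image"]))
    return hits

if __name__ == "__main__":
    for host, rule, image in detect(SAMPLE_EVENTS):
        print(f"{host}: {rule} -> {image}")
```

The csc.exe record is deliberately included to show why a bare “anything under w3wp.exe” rule is noisy: ASP.NET compiles pages through that chain, so the allowlist is what keeps the rule actionable.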