Hackers likely associated with the Chinese government broke into at least 10 global telecom carriers, stealing call logs, users’ locations and text-messaging records, according to a report from Boston-based Cybereason. The cybersecurity firm spent 2018 scrutinizing a multi-year, ongoing campaign, suspected to be directed by China and aimed at 20 military officials, spies, law enforcement and dissidents in Africa, Asia, Europe and the Middle East. Cybereason believes the recent hacks point to Chinese group APT10.
The Wall Street Journal reports that Cybereason, which is run by former Israeli counterintelligence personnel, would not name the telecom firms or individuals, and has dubbed the recent campaign “Operation Soft Cell.” Cybereason claimed that the hack exposed the carriers’ entire active directory — millions of users — and chief executive Lior Div said, “we never heard of this kind of mass-scale espionage ability to track any person across different countries.”
WSJ was not able to independently confirm the report, and China has “consistently denied perpetrating cyberattacks.” But EfficientIP, another cybersecurity firm, reported in 2018 that “some three of every 10 global carriers have had sensitive information stolen from hacking attacks.”
Although an attack of this scale on assets that could be monetized is more typical of criminal groups, Larry Lunetta, vice president of security solutions marketing at HPE company Aruba, said, “nation-state groups are no doubt the top of the food chain.” Operation Soft Cell “largely unfolded on existing 4G LTE networks,” again raising the specter that 5G networks “could be vulnerable to hacking.”
Cybereason head of security research Amit Serper confirmed that the telecom hack “used APT10-linked procedures and techniques, including a web shell used to steal credentials and a remote-access tool … [but Cybereason said] it couldn’t be ruled out that a non-Chinese actor mirrored the attacks to appear as if it were APT10, as part of a misdirection.” Still, added Div, “the servers, domains and Internet-protocol addresses came from China, Hong Kong or Taiwan.”
Historically, APT10 goes “after data that is strategic and not immediately monetizable.” In December last year, two alleged members of APT10 were indicted by the U.S. Department of Justice for “broad-ranging hacks against Western businesses and government agencies.” The group has been “less visibly active” since then, but FireEye Intelligence senior manager of cyber espionage analysis Ben Read said the group is “likely still around.”
Australia, Japan and the U.K. are among other countries that have “accused China of attempting to hack their government agencies and local companies.”