Security Experts:

Industry Reactions to Nation-State Hacking of Global Telcos

On June 25, 2019, Cybereason reported that hackers, most likely China's state affiliated APT10 group, had comprehensively hacked numerous telecommunications companies around the world.

The immediate purpose was to steal mobile phone call data records (CDR), and Cybereason believes the primary targets may be foreign intelligence agents, politicians, opposition candidates in an election, or even law enforcement officers. The long-term potential would be to destroy the telcos' networks in an attack against critical infrastructure.

Industry reactions to Norsk Hydro breach

SecurityWeek gathered the more interesting thoughts and comments on this report from some of the security industry's leading figures.

David Barton, CSO at Stellar Cyber, a Silicon Valley-based security analytics company:

"My first reaction is who are the telcos that were compromised? Are they US-based? I highly doubt they were. 


The attack methodology... is a great example of how defense in depth could have helped... Correlation of anomalous security events across the kill-chain is the only way to quickly detect and stop these types of attacks.


If proven that the attack was from a state actor (China), then international relations between the US and China will continue to deteriorate. President Trump has been vocal regarding cyber espionage against the United States. Additional actions by China would likely, if not already underway, elicit some form of cyber response. 


The telcos, depending on who was the target, will recover as in some countries they are the only choice available to consumers. Those telcos will however, have some pressure from regulatory bodies with regards to investment in cybersecurity tools to help address these types of attacks. 


In the US, telecom is considered part of the national infrastructure. These types of attacks continue to put pressure on our telecom infrastructure to be vigilant against cyber-attacks. Unless proven otherwise, this particular attack was probably not directed at US telecom companies."

Joseph Carson, chief security scientist at Thycotic, a Washington D.C. based provider of privileged access management (PAM) solutions:

"Telco CDR data is extremely valuable information, both commercially and intelligence-related; so, it's no surprise that cybercriminals and nation states would be interested in obtaining such data. Telco's have been trying to monetize CDR data for years and it looks like some of that value may get impacted if it is ever disclosed publicly, such as we saw with the Panama Papers data breach back in 2016. 


However, with this recent data breach, we have to be extremely careful in calling it an attack since the motive of the data breach is not yet known. Only once the data has been actively abused can we then understand the motive as well as the actor behind it. If that data never gets abused, or disclosed publicly, then it is highly likely a nation state is behind this intelligence gathering data breach. However, focusing on China as the nation state behind this latest data breach is a shortsighted mindset given that many other governments around the world have been abusing this data for years, looking for loopholes around their own laws that prevent them from doing it."

Tom Kellermann, Chief Cybersecurity Officer at Carbon Black, a provider of endpoint security:

"The Chinese are operating on a 50-year plan to achieve information dominance. The island campaign against the MSPs target not only the Intellectual property of the MSPs but also to use the networks of the MSPs to island hop into their customer networks. Carbon Black research notes that island hopping is occurring 50% of the time in 2019. The West must suppress the overt Chinese colonization of our corporations. 


The challenge is that in order to root out the infestation we must wage a cyberinsurgency in cyberspace. Our existing perimeter-based security controls are failing in the wake of these attacks."

Chris Morales, head of security analytics at Vectra, a San Jose, Calif.-based provider of technology which applies AI to detect and hunt for cyber attackers:

"First, kudos to the research team at Cybereason for a well-documented and well written blog on the attack.


All the tools, tactics and techniques are the same or similar to what we have seen in many other attacks. Take the China Chopper Webshell used for remote access for example. This is the same tool that was used in the Equifax breach. Mimikatz, used for extracting credentials once on host, is so common practically every attacker uses it. I have a copy on my own pen test distro (Kali Linux).


The reason these tools are used are because they work.


The point being these attacks involved the use of already known tools common to anyone on the internet, yet the attacks still work. It tells me companies either have a lack of internal visibility or a lack of an ability to provide context to what they do see, which is important to prioritize what is approved or unapproved behavior."

Dimitri Sirota, CEO at BigID, a New York/Tel Aviv-based data protection and privacy company:

"What's interesting about this reporting is not that a bad actor would infiltrate a service provider to access individual data but really how methodical and prescriptive these break-ins appear. Like in the movie Inception, the perpetrators had a precise set of tools and tricks to go deeper and deeper into a network. First exploit a vulnerability in a server to access a server. Steal credentials. Use new credentials to access systems deeper in network. Conceal footsteps and then repeat. 


It speaks to both the sophistication of the hackers, but also, to the fact that like bank robbers of old they show a pattern and profile through their methods which provides a blueprint for security professionals to harden not just specific assets but also chains of vulnerability."

Harrison Van Riper, Strategy and Research Analyst at Digital Shadows, a San Francisco-based provider of digital risk protection solutions:

"A variety of threat actors, with varying motivations and capability levels, often target telecommunications companies. In this instance, Chinese threat groups were identified, but the Iranian espionage groups Chafer (aka APT39) and MuddyWater have both been reported targeting telecommunications companies this year as well. 


As the research suggests, this campaign was likely conducted to obtain sensitive information on specific individuals (rather than the telecommunications firms themselves). By obtaining CDR data, a threat actor can build knowledge of a target's contacts, the devices they are using to communicate, and their travel and movement patterns. 


This incident also highlights a company's supply chain exposure via their telecommunications provider, as they maintain a substantial amount of sensitive data on their customers, with the security of this data predominantly outside the control of its customers. Still, like any company which holds sensitive customer data and information, adequate protections are required, and this isn't an issue that's solely experienced by telecommunications companies."

Related: Operation Cloud Hopper: China-based Hackers Target MSPs

Related: 'Five Eyes' Nations Blame China for APT10 Attacks 

Related: New APT10 Activity Detected in Southeast Asia 

Related: China-linked APT10 Hackers Update Attack Techniques

view counter
Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.