China-Linked Hackers Have Breached Deep Inside Teleco Providers and Have Complete Control of Data and Networks
Researchers have uncovered a major international espionage campaign that is ongoing and has been in progress for several years. The targets, the purpose, and the TTPs strongly suggest that this is a nation-state operation that most probably originates from China.
Cybereason Nocturnus researchers have discovered that attackers have gained such a strong presence in numerous telecommunications companies that they effectively control the networks. From within those networks they are able to run their own queries to discover — and exfiltrate — mobile phone users’ call data records at will.
“What we’re talking about,” Amit Serper, head of security research at Nocturnus, told SecurityWeek, “is a global campaign against mobile telecoms companies. The attackers are hacking into the service providers, completely controlling the network, and exfiltrating an obscene amount of data out of them. We’re talking about gigabytes of data.”
This means that if a person of interest’s mobile phone number is known to the attackers, they can get a complete view of that person’s life: “Where you live, when you get up, where you work, who you speak to, which route you take to get to work — basically, a complete outline map of your day,” said Serper. “This information is only relevant to an intelligence service. This is an intelligence gathering operation by a foreign nation. So far, everything points very strongly back to China.”
The user details are obtained from within the target network. These are not attacks that break in and steal whole databases. The attackers gain presence and then query the databases from inside the networks and only download responses of interest. Overall, hundreds of gigabytes have been downloaded, but always in relatively smaller amounts to avoid egress detection.
Hundreds of millions of phone users around the world are affected, and Cybereason’s Nocturnus researchers believe that the primary targets may be foreign intelligence agents, politicians, opposition candidates in an election, or even law enforcement officers — and the primary purpose is espionage.
While the phone number is the key to most searches, the network occupation is so thorough that it could be used to identify new persons of interest. Regular routes between a residential area and an FBI office could, for example, indicate the phone number of an FBI agent. “It’s just a question of developing the right queries,” Serper told SecurityWeek
After detecting the attack against one of its own customers, Cybereason scanned for similar tools elsewhere and discovered them with other telecommunications companies around the world. “That’s when we realized that this is a global campaign, and not just something targeting a single company,” Serper told SecurityWeek.
The threat actor made sure that each payload has a unique hash, and some payloads were packed using different types of packers, both known and custom. Nevertheless, the primary tools used in the attacks are similar. A modified version of the China Chopper shell was used for initial compromise, with custom built web shells used in later stages of the attack.
A modified version of Nbtscan was used to identify available NetBIOS name servers locally or over the network, while multiple Windows built-in tools were used for various tasks, including whoami, net.exe, ipconfig, netstat, portqry, and more. WMI and PowerShel commands were used for various tasks.
The Poison Ivy RAT, commonly associated with Chinese state actors, was used to maintain access across the compromised assets.
A modified version of Mimikatz was used to dump credentials, while WMI and PsExec were employed for lateral movement. Winrar was used to compress and password-protect stolen data, and a modified version of hTran was used to exfiltrate the data.
This is a long-term and ongoing operation. Serper told SecurityWeek that he had seen evidence that the campaign goes back at least seven years. The attackers are now so deeply embedded in their victims’ systems that they effectively own the networks. Their approach has been different to the usual approach of breaking in, and stealing and exfiltrating as much data as quickly as possible. These attackers have broken in, and quietly consolidated their position.
They have obtained all the networks’ credentials allowing them to query databases from within the telecommunications companies. There is no need for large-scale and noisy data exfiltrations — the attackers can simply search for and steal specific call records. It is such low, slow and stealthy occupation that has enabled the hacks to remain undetected for so long.
One worrying aspect is that the intrusion is so deep and complete, the attackers could easily take down the networks — which are these days part of a country’s critical infrastructure. Nocturnus stresses that it is unable to definitively attribute the attacks, but points out that it is typical Chinese state behavior — gain access for reconnaissance purpose and just stay there.
The big question whenever a state actor is involved — and this is clearly state-sponsored activity — is which nation is the aggressor. “When we look at the tools and the methodologies, it screams APT10 or APT1 or APT3,” Serper told SecurityWeek. “Any one of those could be involved. The strongest likelihood is APT10.”
But he stressed that this cannot be definitively proven. “The thing is,” he continued, “the tools that are used in this operation are not new tools. Sometimes there are new versions of old tools — but it’s not like the state-of-the-art tools that APT10 is using nowadays.”
There could be two reasons for this. “Firstly,” he said, “this is an old operation that has been going on for years — and in some cases we have indications that it goes back as far as seven years — so it could be that it is APT10 still using old tools so as not to reveal their new ones. That’s one option.” Secondly, he added, “The other option is that many of these old tools have leaked online. So, a skillful attacker could take these tools and modify them and customize them and use them again. So it’s either APT10 using old tools, or it’s someone who is trying very hard to make it look like it’s APT10. But all the data we have supports the idea that this is APT10.”
