Connect with us

Hi, what are you looking for?



Telcos Pwned: Multi-Wave Attacks Stealing ‘Obscene Amount of Data’ From Providers

China-Linked Hackers Have Breached Deep Inside Teleco Providers and Have Complete Control of Data and Networks

China-Linked Hackers Have Breached Deep Inside Teleco Providers and Have Complete Control of Data and Networks

Researchers have uncovered a major international espionage campaign that is ongoing and has been in progress for several years. The targets, the purpose, and the TTPs strongly suggest that this is a nation-state operation that most probably originates from China.

Cybereason Nocturnus researchers have discovered that attackers have gained such a strong presence in numerous telecommunications companies that they effectively control the networks. From within those networks they are able to run their own queries to discover — and exfiltrate — mobile phone users’ call data records at will.

“What we’re talking about,” Amit Serper, head of security research at Nocturnus, told SecurityWeek, “is a global campaign against mobile telecoms companies. The attackers are hacking into the service providers, completely controlling the network, and exfiltrating an obscene amount of data out of them. We’re talking about gigabytes of data.”

This means that if a person of interest’s mobile phone number is known to the attackers, they can get a complete view of that person’s life: “Where you live, when you get up, where you work, who you speak to, which route you take to get to work — basically, a complete outline map of your day,” said Serper. “This information is only relevant to an intelligence service. This is an intelligence gathering operation by a foreign nation. So far, everything points very strongly back to China.”  

The user details are obtained from within the target network. These are not attacks that break in and steal whole databases. The attackers gain presence and then query the databases from inside the networks and only download responses of interest. Overall, hundreds of gigabytes have been downloaded, but always in relatively smaller amounts to avoid egress detection.

Hundreds of millions of phone users around the world are affected, and Cybereason’s Nocturnus researchers believe that the primary targets may be foreign intelligence agents, politicians, opposition candidates in an election, or even law enforcement officers — and the primary purpose is espionage.

Advertisement. Scroll to continue reading.

While the phone number is the key to most searches, the network occupation is so thorough that it could be used to identify new persons of interest. Regular routes between a residential area and an FBI office could, for example, indicate the phone number of an FBI agent. “It’s just a question of developing the right queries,” Serper told SecurityWeek

After detecting the attack against one of its own customers, Cybereason scanned for similar tools elsewhere and discovered them with other telecommunications companies around the world. “That’s when we realized that this is a global campaign, and not just something targeting a single company,” Serper told SecurityWeek.

The threat actor made sure that each payload has a unique hash, and some payloads were packed using different types of packers, both known and custom. Nevertheless, the primary tools used in the attacks are similar. A modified version of the China Chopper shell was used for initial compromise, with custom built web shells used in later stages of the attack.

A modified version of Nbtscan was used to identify available NetBIOS name servers locally or over the network, while multiple Windows built-in tools were used for various tasks, including whoami, net.exe, ipconfig, netstat, portqry, and more. WMI and PowerShel commands were used for various tasks.

The Poison Ivy RAT, commonly associated with Chinese state actors, was used to maintain access across the compromised assets.

A modified version of Mimikatz  was used to dump credentials, while WMI and PsExec were employed for lateral movement. Winrar was used to compress and password-protect stolen data, and a modified version of hTran was used to exfiltrate the data.

This is a long-term and ongoing operation. Serper told SecurityWeek that he had seen evidence that the campaign goes back at least seven years. The attackers are now so deeply embedded in their victims’ systems that they effectively own the networks. Their approach has been different to the usual approach of breaking in, and stealing and exfiltrating as much data as quickly as possible. These attackers have broken in, and quietly consolidated their position.

They have obtained all the networks’ credentials allowing them to query databases from within the telecommunications companies. There is no need for large-scale and noisy data exfiltrations — the attackers can simply search for and steal specific call records. It is such low, slow and stealthy occupation that has enabled the hacks to remain undetected for so long.

One worrying aspect is that the intrusion is so deep and complete, the attackers could easily take down the networks — which are these days part of a country’s critical infrastructure. Nocturnus stresses that it is unable to definitively attribute the attacks, but points out that it is typical Chinese state behavior — gain access for reconnaissance purpose and just stay there.

The big question whenever a state actor is involved — and this is clearly state-sponsored activity — is which nation is the aggressor. “When we look at the tools and the methodologies, it screams APT10 or APT1 or APT3,” Serper told SecurityWeek. “Any one of those could be involved. The strongest likelihood is APT10.”

But he stressed that this cannot be definitively proven. “The thing is,” he continued, “the tools that are used in this operation are not new tools. Sometimes there are new versions of old tools — but it’s not like the state-of-the-art tools that APT10 is using nowadays.” 

There could be two reasons for this. “Firstly,” he said, “this is an old operation that has been going on for years — and in some cases we have indications that it goes back as far as seven years — so it could be that it is APT10 still using old tools so as not to reveal their new ones. That’s one option.” Secondly, he added, “The other option is that many of these old tools have leaked online. So, a skillful attacker could take these tools and modify them and customize them and use them again. So it’s either APT10 using old tools, or it’s someone who is trying very hard to make it look like it’s APT10. But all the data we have supports the idea that this is APT10.” 

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Artificial Intelligence

The degree of danger that may be introduced when adversaries start to use AI as an effective weapon of attack rather than a tool...