Cyber attackers, believed to be Chinese state-sponsored actors, infiltrated more than a dozen global telecom providers in a massive espionage campaign lasting at least seven years, security provider Cybereason said in a new report.
The state-sponsored adversaries stole personally identifiable information such as billing data, call detail records and credentials. Hundreds of gigabytes of call detail records were lifted each time the hackers exfiltrated data, Cybereason said. The U.S.-Israel firm’s research arm, which dubbed its investigation Operation Soft Cell, said the innumerable hacks had all the earmarks of the notorious APT10 crew believed to be linked to the Chinese Ministry of State. The tools and the tactics, techniques and procedures used are commonly associated with APT10, Cybereason said.
Seven Takeaways from Cybereason’s Report
Poke around the report and you'll find these takeaways:
- The hackers carrying out the low-and-slow attack can circumvent existing detection technologies on the market today and can be found only with very specific monitoring and correlation capabilities.
- With this campaign, attackers completely took over the IT network and were able to customize the IT infrastructure for their convenience, complete with their own VPN inside of the network.
- The threat actor was attempting to steal all data stored in Active Directory, compromising every single username and password in the organization, along with other personally identifiable information, billing data, call detail records, credentials, email servers and more.
- Some of the attacking tools used were disclosed, dumped, and even open sourced and are available to the general public.
- The attackers can do whatever they want passively, or they can choose to shut down entire networks. Foreign powers can use this to interfere with critical infrastructure in another country.
- The hackers have access to geolocation information on individuals, knowing their exact movements by day and night. If the individuals travel overseas, the hackers know it.
- During the persistent attack, the attackers worked in waves, abandoning one thread of attack when it was detected and stopped, only to return months later with new tools and techniques.
Four Security Recommendations
Cybereason offered this guidance to help customers lock down systems:
- Add an additional security layer for web servers. For example, use a WAF (web application firewall) to prevent trivial attacks on Internet-facing web servers.
- Expose as few systems or ports to the Internet as possible. Make sure that all web servers and web services that are exposed are patched.
- Use an endpoint detection and response tool to give visibility and immediate response capabilities when high severity incidents are detected.
- Proactively hunt in your environment for sensitive assets periodically.
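The first takeaway says the campaign can be found only with specific monitoring and correlation, and the last recommendation asks teams to hunt proactively. The script below is an added illustration of what such a correlation check can look like when applied to the report's description of the exfiltration (large volumes of call detail records lifted from internal hosts, in a low-and-slow pattern spread over a long window). It is not Cybereason's code and not tooling from the report; the flow records, host addresses, sanctioned destination list and byte thresholds are all constructed for the example, and a real hunt would read the same shape of data from a flow collector or proxy logs.

```python
"""Added example: correlate per-host outbound volume over a hunt window.

Two detections over the same flow records:
  * find_spikes      - a single day of outbound volume above DAILY_LIMIT
                       (what a simple per-day threshold alert would catch)
  * find_low_and_slow - no single day above DAILY_LIMIT, but the cumulative
                        volume to one destination exceeds WINDOW_LIMIT
                        (the pattern a per-day rule misses)
All hosts, destinations and thresholds are constructed, not from the report.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

GB = 1024 ** 3


@dataclass(frozen=True)
class Flow:
    day: int        # day index within the hunt window (0-based)
    src: str        # internal host that sent the data
    dst: str        # external destination address
    out_bytes: int  # bytes sent outbound in this flow record


def make_sample_flows() -> List[Flow]:
    """Constructed flow records covering a 30-day window (TEST-NET addresses)."""
    flows: List[Flow] = []
    # 10.0.0.5: 5 GB every day for 30 days to one unsanctioned address
    for d in range(30):
        flows.append(Flow(d, "10.0.0.5", "198.51.100.7", 5 * GB))
    # 10.0.0.8: a single 60 GB push to a sanctioned partner endpoint
    flows.append(Flow(3, "10.0.0.8", "203.0.113.10", 60 * GB))
    # 10.0.0.9: 2 GB a day for 10 days, under both thresholds
    for d in range(10):
        flows.append(Flow(d, "10.0.0.9", "198.51.100.7", 2 * GB))
    # 10.0.0.12: one 80 GB burst to an unsanctioned address
    flows.append(Flow(17, "10.0.0.12", "198.51.100.9", 80 * GB))
    return flows


# Constructed policy: destinations an analyst has already vetted, and thresholds
# chosen for the sample data (tune per environment from baseline volumes).
SANCTIONED_DESTS = {"203.0.113.10"}
DAILY_LIMIT = 50 * GB     # one-day outbound volume that warrants a look
WINDOW_LIMIT = 100 * GB   # cumulative volume over the window that warrants a look


def daily_totals(flows: Iterable[Flow]) -> Dict[Tuple[str, str], Dict[int, int]]:
    """Sum outbound bytes per (src, dst) pair for each day in the window."""
    totals: Dict[Tuple[str, str], Dict[int, int]] = defaultdict(lambda: defaultdict(int))
    for f in flows:
        totals[(f.src, f.dst)][f.day] += f.out_bytes
    return totals


def find_spikes(flows: Iterable[Flow], sanctioned=SANCTIONED_DESTS,
                daily_limit: int = DAILY_LIMIT) -> List[Tuple[str, str, int, int]]:
    """Return (src, dst, day, bytes) for each day a pair exceeds the daily limit."""
    hits = []
    for (src, dst), per_day in daily_totals(flows).items():
        if dst in sanctioned:
            continue
        for day, total in sorted(per_day.items()):
            if total > daily_limit:
                hits.append((src, dst, day, total))
    return hits


def find_low_and_slow(flows: Iterable[Flow], sanctioned=SANCTIONED_DESTS,
                      daily_limit: int = DAILY_LIMIT,
                      window_limit: int = WINDOW_LIMIT) -> List[Tuple[str, str, int, int]]:
    """Return (src, dst, active_days, bytes) for pairs that never trip the daily
    limit yet move more than window_limit across the whole hunt window."""
    hits = []
    for (src, dst), per_day in daily_totals(flows).items():
        if dst in sanctioned:
            continue
        peak = max(per_day.values())
        cumulative = sum(per_day.values())
        if peak <= daily_limit and cumulative > window_limit:
            hits.append((src, dst, len(per_day), cumulative))
    return hits


if __name__ == "__main__":
    sample = make_sample_flows()
    for src, dst, day, total in find_spikes(sample):
        print(f"spike: {src} -> {dst} day {day}: {total // GB} GB")
    for src, dst, days, total in find_low_and_slow(sample):
        print(f"low-and-slow: {src} -> {dst} over {days} days: {total // GB} GB")
```

On the constructed data the per-day rule flags only the single 80 GB burst, while the 5 GB-a-day host that moves 150 GB over the month is invisible to it and surfaces only in the cumulative check. The sanctioned-destination set is what keeps a legitimate bulk transfer out of both lists; in practice it should be maintained from the same asset inventory the "sensitive assets" recommendation refers to rather than hard-coded.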
APT10 Hacker Group: Who Are They?
APT10 has been tied to global computer intrusions for more than a decade, including thefts from managed service providers, nearly 50 technology companies and a host of U.S. government agencies, according to the U.S. Justice Department. Critical infrastructure, commercial activity, industries and technology are the threat actors’ preferred targets.
Along those lines, Cybereason’s nearly year-long investigation concluded that the cyber spies are using commercial, privately owned critical infrastructure companies as weapons in the cyber war. The security provider has declined to identify the telecoms affected or the countries of origin. To this point, it has briefed 25 telecoms, officials said.
“This isn’t a smash and grab campaign to steal money or social security numbers,” said Lior Div, Cybereason’s CEO and co-founder. “These hackers have very specific motives and are running a highly targeted, persistent operation to own the networks and track a very targeted list of high-profile individuals on different continents.”
It is a government, not a criminal group, that has the capabilities to carry out the attack, he told Reuters.
Hackers Target MSPs, Technology Service Providers
Telecom companies aren't the only service providers under attack. Among the key developments to track:
- China hacked at least eight major technology solutions providers in a bid to access end-customer networks and steal information, Reuters alleges.
- Following one recent attack, an MSP bowed to hacker demands and paid more than $150,000 to recover data.
- In another ugly twist, some IT consulting firms and cybersecurity companies that claim to clean up ransomware are secretly paying attackers as part of their ransomware recovery services.
Amid those challenges, the MSP industry (spanning technology companies, service providers and more) could soon face a “crisis of credibility” if the market doesn’t take major steps to more effectively mitigate ransomware threats, cyberattacks and associated fallout, ChannelE2E and MSSP Alert believe.
Additional insights from Joe Panettieri.