Operation Soft Cell: China’s Campaign Using Privileged Access Credentials to Spy on Mobile Subscribers for Seven Years


JULY 2019

By: Ali Gomulu

Security researchers from cybersecurity firm Cybereason last month shared findings of their investigation into a massive hacking initiative, impacting many of the world’s largest telecommunications providers.

Cybereason said “Operation Soft Cell” compromised companies in more than 30 countries with access into a massive amount of personal data from individuals and companies.

Media reports said the alleged spying operation is possibly linked to state actors of China.

Cybereason is an Israel-based startup founded in 2012 by former members of the Unit 8200 military intelligence division. Its business model centers on giving customers information derived from the immediate detection of attacks: the company isolates the components that are part of an attack, then looks for the other pieces of information connected to it.

“In 2018, the Cybereason Nocturnus team identified an advanced, persistent attack targeting global telecommunications providers carried out by a threat actor using tools and techniques commonly associated with Chinese-affiliated threat actors, such as APT10. This multi-wave attack focused on obtaining data of specific, high-value targets and resulted in a complete takeover of the network,” Cybereason said in a statement.

According to the investigation findings, the hacking campaign went on for seven years and involved the theft of call records from cellular network providers. The hacker group conducted surveillance on target individuals working in law enforcement, government, and politics.

“During the persistent attack, the attackers worked in waves – abandoning one thread of attack when it was detected and stopped, only to return months later with new tools and techniques,” Cybereason added.

Describing the espionage as massive in scale, Cybereason’s CEO and co-founder Lior Div said, “This advanced attack used a low-n-slow attack paradigm which circumvents almost all detection capabilities in the market today. This isn’t a smash-and-grab campaign to steal money or social security numbers. These hackers have very specific motives and are running a highly targeted, persistent operation to own the networks and track a very targeted list of high-profile individuals on different continents.”

How did the attackers get away with this for seven years?

Compromising credentials.

A similar campaign, named Operation Socialist, leveraged privileged access and privileged accounts to hack into telecommunication systems.

In both campaigns, the groups compromised privileged accounts, which gave them the same access to every system those administrators controlled.

More sophisticated adversaries want broad and often quiet access to a telecommunications company’s data, where they have free rein to reach metadata, location, calls and text messages.
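The two signals a defender can watch for in the pattern described above are a privileged account being used from somewhere other than its sanctioned administrative hosts, and one account quietly touching more systems over months than any single administrator normally would. The detector below is an added example, not code from the original post or from Cybereason; the privileged account names, approved jump hosts, baseline and every log line are constructed for illustration.

```python
# Added example (not from the original post): flag privileged-account use that
# matches the low-and-slow, wide-access pattern described above. All names,
# hosts and log lines here are constructed for illustration.
from datetime import datetime

# Assumed inventory: privileged accounts and the only hosts allowed to use them.
PRIVILEGED = {"netadmin", "svc_backup"}
APPROVED_SOURCES = {"bastion-01", "bastion-02"}
MAX_TARGETS = 5  # baseline: distinct hosts one administrator normally reaches

# Constructed authentication events: one admin account drifts to an ordinary
# workstation and, a few logins per month, spreads across core telecom systems.
SAMPLE_LOG = """\
2019-03-02T02:11:05 user=netadmin src=bastion-01 dst=hlr-03 result=success
2019-03-09T03:40:21 user=netadmin src=wks-1187 dst=hlr-03 result=success
2019-03-22T01:05:09 user=netadmin src=wks-1187 dst=cdr-db-01 result=success
2019-04-14T02:55:44 user=netadmin src=wks-1187 dst=cdr-db-02 result=success
2019-05-02T04:12:30 user=netadmin src=wks-1187 dst=billing-07 result=success
2019-05-19T03:31:12 user=netadmin src=wks-1187 dst=msc-02 result=success
2019-06-07T02:48:58 user=netadmin src=wks-1187 dst=smsc-01 result=success
2019-06-07T09:00:00 user=jdoe src=wks-0042 dst=mail-01 result=success
2019-06-08T10:15:00 user=svc_backup src=bastion-02 dst=cdr-db-01 result=success
"""

def parse(line):
    """Turn 'TIMESTAMP key=value ...' into a dict with a datetime under 'ts'."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec

def analyze(log_text):
    """Return {account: stats} for privileged accounts that trip either rule."""
    stats = {}
    for line in filter(str.strip, log_text.splitlines()):
        r = parse(line)
        if r["user"] not in PRIVILEGED or r["result"] != "success":
            continue  # only successful use of privileged accounts matters here
        s = stats.setdefault(r["user"], {"unapproved": [], "targets": set(),
                                         "first": r["ts"], "last": r["ts"]})
        if r["src"] not in APPROVED_SOURCES:
            s["unapproved"].append((r["src"], r["dst"]))
        s["targets"].add(r["dst"])
        s["first"], s["last"] = min(s["first"], r["ts"]), max(s["last"], r["ts"])
    flagged = {}
    for user, s in stats.items():
        if s["unapproved"] or len(s["targets"]) > MAX_TARGETS:
            s["span_days"] = (s["last"] - s["first"]).days  # how slow "slow" was
            flagged[user] = s
    return flagged

if __name__ == "__main__":
    for user, s in analyze(SAMPLE_LOG).items():
        print(f"{user}: {len(s['unapproved'])} logins from unapproved hosts, "
              f"{len(s['targets'])} distinct targets over {s['span_days']} days")
```

On the constructed log only netadmin is flagged: six logins from an unapproved workstation reaching six distinct systems across 97 days, while svc_backup stays within its jump host and jdoe is not a privileged account.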

Chinese actors never stop. Last month Reuters reported extensive new details about the global hacking campaign, known as Cloud Hopper and attributed to China by the United States and its Western allies.

According to sources familiar with the attacks, hackers working for China’s Ministry of State Security broke into the networks of eight of the world’s biggest technology service providers to steal commercial secrets from their clients.

Hewlett Packard Enterprise, IBM, Fujitsu, Tata Consultancy Services, NTT Data, Dimension Data, Computer Sciences Corporation and DXC Technology were among the victims of the Cloud Hopper attack.

More than a dozen clients of those service providers have also been identified as victims, including Swedish telecoms giant Ericsson, US Navy shipbuilder Huntington Ingalls Industries and travel reservation system Sabre.

According to Reuters, Ericsson said it does not comment on specific cybersecurity incidents. “While there have been attacks on our enterprise network, we have found no evidence in any of our extensive investigations that Ericsson’s infrastructure has ever been used as part of a successful attack on one of our customers,” a spokesman said.

The Chinese government has consistently denied all accusations of involvement in hacking. The Chinese Foreign Ministry said Beijing opposed cyber-enabled industrial espionage. “The Chinese government has never in any form participated in or supported any person to carry out the theft of commercial secrets,” it said in a statement to Reuters.

While the attempts to blur responsibility continue, one thing holds true: any and every global enterprise and organization is responsible for taking every measure possible to secure their domains; locking down the credentials of privileged users, including network administrators, is one of the most powerful ways to defend against attacks and the massive risks associated with them.

Learn more about Ironsphere’s PAM capabilities here.
