John P. Mello jr* says security researchers have linked Chinese hackers to a long-running cyber campaign against global telecommunications providers.
Security researchers last week reported that Chinese hackers are the likely perpetrators of a series of cyberattacks against telecommunications companies around the world.
The campaign, dubbed “Operation Soft Cell,” has been active since 2012, according to Cybereason, an endpoint security company based in Boston.
There is some evidence suggesting even earlier activity against the telecommunications providers, all of which were outside North America, the researchers said.
The attackers attempted to steal all data stored in the organisations' Active Directory servers, including all usernames and passwords, as well as other personally identifiable information, credentials, email servers, users' geo-location, and more.
Based on the tools used in the attacks and the tactics, the campaign likely was run by APT10, a notorious group of Chinese hackers, the researchers said.
The US Justice Department last year indicted two members of APT10 for conspiracy to commit computer intrusions, conspiracy to commit wire fraud, and aggravated identity theft.
There is some solid evidence APT10 was behind the attacks, such as the way they customised PoisonIvy and the idiosyncratic bread crumbs they left behind, said Sam Curry, CSO at Cybereason.
“The way the customisation is done, the way they write the scripts, is the sort of thing we’ve seen time and again,” he told TechNewsWorld.
“There’s a high probability that it’s a Chinese hacker.”
Alarming attack
The hackers attacked organisations in waves launched over a period of months, the report notes.
During that time, they were able to map the target networks and compromise credentials, which enabled them to compromise critical assets — such as production and database servers.
“Beyond targeting individual users, this attack is also alarming because of the threat posed by the control of a telecommunications provider,” the report states.
“Telecommunications has become critical infrastructure for the majority of world powers.”
“A threat actor with total access to a telecommunications provider … can attack however they want passively and also actively work to sabotage the network.”
“The use of specific tools and the choice to hide ongoing operations for years points to a nation-state threat actor, most likely China,” the Cybereason researchers wrote.
“This is another form of cyber warfare being used to establish a foothold and gather information undercover until they are ready to strike.”
There are similarities between Operation Soft Cell and another telecom attack, suggested Lavi Lazarovitz, a cyber research group manager at information security company CyberArk Labs.
“This widespread attack on telecommunications companies has similar characteristics to ‘Operation Socialist’,” he told TechNewsWorld.
Operation Socialist — a US and British government agency campaign revealed by Edward Snowden — attempted to take control of the Belgian telecommunications company Belgacom.
Useful information
Information reaped by campaigns like Operation Soft Cell can be invaluable to a foreign intelligence service, noted Jonathan Tanner, a senior security researcher at Barracuda Networks.
“Tracking a target’s daily routines alone can be useful for a number of motivations, ranging from enumerating contacts to asset recruitment, to abduction or assassination,” he told TechNewsWorld.
That sort of work traditionally is carried out by surveillance teams, but with technology it’s becoming increasingly easy to gain that information by other means with significantly less manpower, Tanner explained.
Stolen data from telecoms can be valuable to more than just Chinese intelligence agencies.
“This type of attack would greatly help Huawei in their fight to control as much of the 5G space as possible,” said Jonathan Olivera, a threat analyst for Centripetal Networks.
“When a country like China relies on surveillance and intellectual property theft to keep its momentum going, it will be hard to stop and prevent expansion.”
Familiar playbook
The breadth and persistence of the attacks aren’t the only discouraging characteristics of Operation Soft Cell.
“This plays out like every other hack that we’ve heard about in a major organisation for years and years,” said Chet Wisniewski, principal research scientist at network security and threat management company Sophos.
“It’s clear that these big companies are not taking this stuff seriously enough, especially the ones that have sensitive information about us.”
“The giant role these companies play in our lives demands that they take security more seriously.”
“The attacks didn’t have any super secret stuff.”
“There were no new zero-day vulnerabilities here — no new tools that no one had ever heard of before.”
“All the stuff was off the shelf.”
“We know this playbook,” Wisniewski added, “and big companies should be able to defend against it.”
Cold war in cyberspace
Campaigns like Operation Soft Cell are likely to continue without abatement, noted Satya Gupta, CTO of Virsec, an applications security company.
“These attacks will continue for the foreseeable future, as long as there is political tension and unrest in any number of regions,” he told TechNewsWorld.
“Infrastructure attacks on all sides are trying to sow uncertainty, which has both political and financial value to the perpetrators.”
As for China, it seems content with economic espionage, for the most part, but that could change in the future, too.
“As long as we’re involved in trade wars, I’m not as worried as if China starts to feel threatened about its sphere of influence,” said Richard Stiennon, chief research analyst at IT Harvest.
“If it’s trade wars, China’s target of interest will be the same as it’s always been: economic espionage.”
“If it’s sphere-of-influence stuff, then the targets of interest could escalate dramatically.”
“We are essentially in a cyber cold war, and many of the same factors still apply regarding escalation of hostilities and the overall desire to avoid an actual war as a result of ongoing activities,” Barracuda’s Tanner added.
“Countries will continue to push the boundaries, but a major increase in attacks runs the risk of being seen as an act of war, which no country wants.”
* John P. Mello jr is a reporter for ECT News Network.
This article first appeared at www.technewsworld.com.