Researchers at US-Israeli cybersecurity firm Cybereason unveiled on Tuesday the findings of a large-scale investigation they conducted into a massive hacking campaign that involved nearly a dozen global telecom companies and huge amounts of stolen personal data from individuals across multiple continents as part of an alleged spying operation with possible links to China.
Cybereason said its Nocturnus team identified “an advanced, persistent attack” on telecommunications providers “carried out by a threat actor using tools and techniques commonly associated with the Chinese-affiliated threat actor APT10,” also known as Menupass Team.
Get our weekly newsletter directly in your inbox!Sign up
Cybereason unveiled the key findings of its investigation, dubbed “Operation Soft Cell,” in a comprehensive blog post. According to the findings, the hacking campaign spanned at least seven years and involved the theft of call records from cellular network providers so that hackers could conduct surveillance on targeted individuals likely working in law enforcement, government, and politics.
The multi-wave attacks focused on obtaining data of specific, high-value targets and resulted in a complete takeover of the network. “During the persistent attack, the attackers worked in waves – abandoning one thread of attack when it was detected and stopped, only to return months later with new tools and techniques,” the Cybereason team said.
The attackers compromised companies in more than 30 countries, Cybereason said, adding that “the state-sponsored adversaries” stole personally identifiable information (such as billing data, call detail records and credentials) that may have amounted to “fully tracking of locations, meetings and texts.”
The investigation spanned nine months, and showed how “nation-state adversaries, likely sponsored by the Chinese government, have taken over the IT networks of many cellular providers resulting in the theft of hundreds of gigabytes of data,” the company said in a statement.
Cybereason’s CEO and co-founder Lior Div said the hacking operation was on a “massive scale.”
“This advanced attack used a low-n-slow attack paradigm which circumvents almost all detection capabilities in the market today,” said Div in the blog post. “This isn’t a smash-and-grab campaign to steal money or social security numbers. These hackers have very specific motives and are running a highly targeted, persistent operation to own the networks and track a very targeted list of high-profile individuals on different continents.”
In what Cybereasn called the “brazen attack,” the hackers deployed their own VPN within the networks and set up more than a dozen active IT admin accounts.
“The hackers have stolen hundreds of gigabytes of information and have access to geolocation information on individuals, knowing their exact movements by day and night,” said Amit Serper, senior director and head of security research at Cybereason. “If individuals travel overseas, the hackers know it. If the person is attending a concert, the hackers know it and they can use this information to identify a convenient time in operations and campaigns they are carrying out.”
Cybereason wrote in its report that the attack has “widespread implications, not just for individuals, but also for organizations and countries alike.”
“The use of specific tools and the choice to hide ongoing operations for years points to a nation-state threat actor, most likely China. This is another form of cyber warfare being used to establish a foothold and gather information undercover until they are ready to strike,” the Cybereason team explained.
Cybereason was founded in 2012 by Div, Yossi Naar, and Yonatan Amit. It is headquartered in Boston, with offices in London, Tel Aviv and Tokyo. The company has so far raised a total of $189 million from investors, including Lockheed Martin, Spark Capital, CRV and SoftBank.