Telecommunication Industry Under Attack, Possibly by APT10 Group

Researchers from Cybereason have identified a Cyber Attack campaign targeting Telecommunication sectors from worldwide by Chinese affiliated threat actor APT10. Cybereason has named this campaign Operation Soft Cell, and mentioned in their report published this week that this campaign is active since 2012.

As per Cybereason report “The attack was aiming to obtain CDR records of a large telecommunications provider. The threat actor was attempting to steal all data stored in the active directory, compromising every single username and password in the organization, along with other personally identifiable information, billing data, call detail records, credentials, email servers, geo-location of users, and more.”

Cybereason says this type espionage campaigns are mainly done by nation state sponsored threat actors, here APT10, which is linked to China affiliated threat actors.

Tools used by the threat actors –

The threat actors used China Chopper web shell in the attack campaigns. China Chopper web shell was first used in 2012. China Chopper web shell is commonly used by Chinese threat actors. Many Chinese threat actors like APT 27 and APT 40 used this China Chopper web shell in past.

In this attack campaign threat actors launched nbtscan tool. nbtscan tool is use by APT10 threat actors. With this tool threat actors identify available NetBIOS name servers locally or over the network.

Threat actors also used a modified MIMIKATZ tool in this attack campaign.

PoisonIvy RAT was also used in this attack campaign by threat actors. Cybereason report described that PoisonIvy RAT is linked to Chinese Threat actors. Many Chinese threat actors like APT10, APT1, and DragonOK use this attack toolkit.

A modified version of HTRAN tool was used by the treat actors. HTRON tool is used by Chinese affiliated threat actors as APT3, APT27 and DragonOK.

Attack Motive

The motive behind this attack campaign was to steal Call Details Record. Call Details Data includes….

  • Source of a call
  • Destination of a call
  • Duration of call
  • Details of the device use to make a call
  • Physical location of the device to make a call
  • Device vendors and version

Nation threat actors steal these data, by stealing these data they get the answer of the following question, As the Cybereason report says

  • Who are the individuals talking to?
  • Which devices are the individuals using?
  • Where are the individuals traveling?

This type of information helps State Sponsored threat actors. By knowing this information they know about foreign intelligent agents, politicians, opposition candidates in an election.

This attack campaign is alarming because threat actors not only attacking individual, but also Telecommunication sectors. Telecommunication sector is considered critical infrastructure for a country.

“We have described an ongoing global attack against telecommunications providers that has been active since at least 2017. The threat actor managed to infiltrate into the deepest segments of the providers’ network, including some isolated from the internet, as well as compromise critical assets. Our investigation showed that these attacks were targeted, and that the threat actor sought to steal communications data of specific individuals in various countries.
 
Throughout this investigation, we have uncovered the infrastructure that facilitated the malicious operations taken by this threat actor. The data exfiltrated by this threat actor, in conjunction with the TTPs and tools used, allowed us to determine with a very high probability that the threat actor behind these malicious operations is backed by a nation state, and is affiliated with China. Our contextualized interpretation of the data suggests that the threat actor is likely APT10, or at the very least, a threat actor that shares, or wishes to emulate its methods by using the same tools, techniques, and motives.”  Cybereason stated in their report.

They also adds “It’s important to keep in mind that even though the attacks targeted specific individuals, any entity that possesses the power to take over the networks of telecommunications providers can potentially leverage its unlawful access and control of the network to shut down or disrupt an entire cellular network as part of a larger cyber warfare operation.”

Cybereason has recommend some security tips to avoid this attack campaign

1.      To prevent attack on web servers, web masters should use adding extra layers like using Web Application FW.

2.      Update (patch) Web Servers and Web Services.

3.      Try to expose only a few systems and ports to internet.

4.      Use Endpoint Detection & Response (EDR) tool so that if some security incident happen, immediate response can be taken.