Cell Networks Hacked by (Probable) Nation-State Attackers

A sophisticated attacker has successfuly infiltrated cell providers to collect information on specific users:

The hackers have systematically broken in to more than 10 cell networks around the world to date over the past seven years to obtain massive amounts of call records—including times and dates of calls, and their cell-based locations—on at least 20 individuals.

[…]

Cybereason researchers said they first detected the attacks about a year ago. Before and since then, the hackers broke into one cell provider after the other to gain continued and persistent access to the networks. Their goal, the researchers believe, is to obtain and download rolling records on the target from the cell provider’s database without having to deploy malware on each target’s device.

[…]

The researchers found the hackers got into one of the cell networks by exploiting a vulnerability on an internet-connected web server to gain a foothold onto the provider’s internal network. From there, the hackers continued to exploit each machine they found by stealing credentials to gain deeper access.

Who did it?

Cybereason did say it was with “very high probability” that the hackers were backed by a nation state but the researchers were reluctant to definitively pin the blame.

The tools and the techniques ­- such as the malware used by the hackers ­- appeared to be “textbook APT 10,” referring to a hacker group believed to be backed by China, but Div said it was either APT 10, “or someone that wants us to go public and say it’s [APT 10].”

Original report:

Based on the data available to us, Operation Soft Cell has been active since at least 2012, though some evidence suggests even earlier activity by the threat actor against telecommunications providers.

The attack was aiming to obtain CDR records of a large telecommunications provider.

The threat actor was attempting to steal all data stored in the active directory, compromising every single username and password in the organization, along with other personally identifiable information, billing data, call detail records, credentials, email servers, geo-location of users, and more.

The tools and TTPs used are commonly associated with Chinese threat actors.

During the persistent attack, the attackers worked in waves—abandoning one thread of attack when it was detected and stopped, only to return months later with new tools and techniques.

Boing Boing post.

Tags: , , , , , ,

Posted on July 9, 2019 at 6:44 AM20 Comments

Comments

Sean July 9, 2019 7:40 AM

Mr Schneier has repeatedly called for a larger role of the government in security but so far we can conclude that the state is the worst enemy of the people.

The US gov gets call records (and recordings) by a threat of force (ie “laws”) and the China gov doesn’t even ask. Others fall somewhere in between.

Security will suck by default as long as the state has any say in how data is accessed, managed and protected. Even in this case where it’s likely a foreign government’s operation, citizens can’t get first hand info because the US government may not let telcos disclose full details.

Taylor July 9, 2019 10:45 AM

@Sean

My god have you ever worked in a regulated industry? Federal/State regulations are a godsend.

The only way to get many (or in my experience, most) organizations to do anything they don’t want to that is security related is to reference a government regulation that makes them do it.

Otherwise, they’ll opt for the more convenient or less expensive option and ‘Cyber Insurance’ every time until they fall on their faces hard and learn their lesson after
their customer’s data and confidence is already lost.

We need far more, not less, state action on security to help private enterprise as well as individual citizens/consumers protect themselves. It’s sad that the EU is leading on this when the US has a much stronger tech sector.

Clive Robinson July 9, 2019 11:22 AM

Well,

    The tools and the techniques ­- such as the malware used by the hackers ­- appeared to be “textbook APT 10,” referring to a hacker group believed to be backed by China, but Div said it was either APT 10, “or someone that wants us to go public and say it’s [APT 10].”

Somebody is a little wiser than most commentators.

I would say if you get “textbook” code with no other changes or augmentations, be suspicious, be very suspicious.

Even if there are changes and augmentations check them carefully very carefully…

Because we know there is code out there that can easily mimic a composer’s musical style enough to have caused even experts to think it was by the composer. Likewise we know there is code out there that can mimic an authors style beyond the ability of many experts to differentiate. Worse we know there is real time code out their that can fake in real time how a person would speak on the phone.

So the question is “Why would people have doubts about their being code available to some that could fake a software writers style?”.

Thus atribution on known code or suspected code writers style should be treated as not even circumstantial evidence. In fact it should be treated as sufficiently suspicious that it is being made to look like a particular entities code purely as a method of disinformation (we know the CIA and GCHQ have “false flag” tools by the bucket load).

Likewise care should be excercised over who the attackers were trying to get the records for.

Let me put it this way If I was realy interested in W you can be sure I would be mainly chasing after the records of A,B,C,M,N,O,X,Y,Z, with just one or two oddities such as D,E,K,L,P,Q and including W maybe but not quite least of all. Simply to hide my intent or “sow a story” about the targets, thus make those who are observing make incorrect assumptions about who is most likely to be watching the targets.

There is one thing however we can say, and that is the simple fact that they are so persistent and patient more than likely means they are,

1, Well funded.
2, Over a long period.

Thus the backer who ever they are is well resourced, thus apparently at either state or largish corporate level.

But are they? If you carry out an examination of both the Russian and US political processes, they show there are just a few individuals who for various political or business reasons could stump up the sort of money and effort to achive this sort of behaviour. Further they could easily hide behind other individuals so they look like a state level IC or LEO entity.

So don’t rule the possibility out ot is just an individual behind it.

Which unfortunatly leaves the question of what evidence is actually indicative of the real backer of these events?

Well the answer is not one most want to hear, and it’s the old fashioned intelligence gathering techniques of getting “boots on the ground” and wearing out shoe leather to get doubly or triply independently verifiable HumInt.

The type of ElInt and SigInt that is currently being made public is unfortunately way to easy to fake, and in most cases would be faked if an attacker is sufficiently cautious. Thus “low and slow” over a long period of time actually suggests a degree of caution in their approach and persistance.

Which still leaves us with finding the right “Why?” question.

Clive Robinson July 9, 2019 11:28 AM

@ Taylor,

It’s sad that the EU is leading on this when the US has a much stronger tech sector.

Have you thought about why this might be?

Could it be the “much stronger tech sector” is vuying off legislators? Primarily because it makes their lives oh so much easier?

Humdee July 9, 2019 2:34 PM

what is obviously missing from the article is a list of who the 20 people are. Knowing their identities would go a long way towards assigning blame or at least create more informed speculation.

Bob July 9, 2019 2:50 PM

@Humdee

Yeah, then people will know whether to flip their opinion based on whether its their team.

RealFakeNews July 9, 2019 8:08 PM

Why this rush/obsession to “assign blame”?

I don’t care who did it – the system is broken.

What is interesting is why they did it. The only advantage I see is real-time location tracking.

Am I the only one not surprised that nation states Do Bad Things(TM)?

David July 9, 2019 10:39 PM

@RealFakeNews

“Why this rush/obsession to “assign blame”?”

The old saying goes never let a crisis go to waste. Assigning blame is akin to jusfication for taking action against alleged perpetrators. Thus, an opportunist does not care who did him wrong he would only care where he directs the blame. The only usefulness for attribution is part of the furture prevention process, so I suspect they are more interested in finding out ‘how’ not ‘why’ nor ‘who’.

Gunter Königsmann July 10, 2019 12:50 AM

Multiple Telcos hacked and not millions of victims but only about 20? Everyone wonders whom to blame but no info if the victims had something in common? No speculation if they were after money, dissidents or the info what another state is about? Weird.

65535 July 10, 2019 4:11 AM

@ Sean

“…so far we can conclude that the state is the worst enemy of the people. The US gov gets call records (and recordings) by a threat of force (ie “laws”) and the China gov doesn’t even ask. Others fall somewhere in between. Security will suck by default as long as the state has any say in how data is accessed, managed and protected…”

I understand your sentiment.

It’s clear the NSA/CIA/FBI collect the greatest amount of US citizens and others Call Data Records [CDR] just by an NSL or similar method. That is noted by Techcrunch:

“The National Security Agency has for years controversially collected the call records of Americans from cell providers like AT&T and Verizon (which owns TechCrunch), despite the questionable legality.”-techcrunch

ht tps://techcrunch.com/2019/06/24/hackers-cell-networks-call-records-theft/

[Note Links broken to avoid bots and that Techcrunch is owned by Verizon]

Those TLAs are no angels when it comes to collecting CDRs. They are just as bad all the rest.

@ Clive Robinson

‘”…but Div said it was either APT 10, “or someone that wants us to go public and say it’s [APT 10].’ Somebody is a little wiser than most commentators. I would say if you get “textbook” code with no other changes or augmentations, be suspicious, be very suspicious.” – Clive R

Yes, I hear you. Some Text books are different than others.

@ Humdee

“…obviously missing from the article is a list of who the 20 people are…” -Humdee

Good point.

What if the “20 people” were not politicians or agents. What if they were security researchers or system Admins? I would guess that the NSA is not the only one “hunting system admins”. Maybe someone else is hunting them. Could be security researchers are fearful of exposure?

Both Techcrunch and Boing Boing point to the Cybereason report and also to FireEye. Both are interesting and in-depth.

I will say it is a letdown to find out this CDR theft has been going on since 2012 through 2019 or seven years. It is fairly old.

I did learn a fair amount from Cybereason on CDRs:

userLocationInformation: 1300622C1ECBE5
Latitude: 24.027
Longitude: -118.329
count: 20988
percent: 35
brand: Apple Inc
sdi: Not Available
city: Los Angeles
state: CA

[as depicted by cybereason’s example CDR]

Other interesting items by Cybereason include:

“…initial … attack was a malicious web shell that was detected on an IIS server, coming out of the w3wp.exe process… the web shell, later classified as a modified version of the “China Chopper” web shell, uncovered several attack phases… cmd exe…find exe…ipconfig exe..netstate exe… whoami exe..Modified “nbtscan”…Modified Mimikatz or maybemimi.exe…Dumping the SAM Hive from the Registry…threat actor relied on WMI and PsExec to move laterally… deployment of the PoisonIvy RAT [including] Registry Editor, Screenshot Grabber, Credential Stealer, Interactive Shell, File Manager with Upload and Download Support, Process Monitor, Keylogging and Various other Surveillance Features, control panel for PoisonIvy by Sam Bowne… with the trusted and signed Samsung tool (RunHelp.exe)A nullsoft installer package (NSIS) was created with a legitimate, signed Samsung tool in it… executed, the installer script within the NSIS package extracted the Samsung tool and added a fake DLL (ssMUIDLL.dll)…The DLL contains a PIVY stager…loaded by the Samsung tool… it decrypted a blob payload in the same folder, which contains the actual PIVY payload…able to achieve persistence by creating a rogue scheduled task… two other custom-built web shells…they launched reconnaissance commands, stole data, and dropped additional tools including portqry.exe, renamed cmd.exe, winrar, and the notorious hTran [fairly old reverse proxy -ed]…threat actor used winrar to compress and password-protect it…[unable to ID servers]…We [cybereason] were unable to find indications of connections to Dynamic.DNS2 and Dynamic.DNS3.This server is a key component in their ‘non-attributable’ infrastructure…” -cybereason

ht tps://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers

I would say that the above is fairly interesting and could be correct. But, the failure to name the players and the hidden C2 [or C3] server is not so good. But, it is indeed a good piece.

I will say FireEye does a good of a job discribing the mulit-stage malware in two posts:

Breaking Down the China Chopper Web Shell – Part I, August 07, 2013 by Tony Lee, Ian Ahl, Dennis Hanzlik

ht tps://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html

Breaking Down the China Chopper Web Shell – Part II August 09, 2013 by Tony Lee, Ian Ahl, Dennis Hanzlik

ht tps://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html

I briefly took a look at Cybereason via Wikipedia:

“History- Cybereason was founded in 2012 in Tel Aviv, Israel by former cyber security experts from the Israel Defense Forces Unit 8200. The company moved its headquarters to Boston, MA in 2014”- Wikipedia

https://en.wikipedia.org/wiki/Cybereason

Wikipedia first notes or citations include the McClatchy site.

“How Israel became a leader in cyber security and surveillance
By Tim Johnson February 21, 2017 12:38 PM

[picture of founders]

‘”…Chief technology officer Yonatan Striem-Amit, left, and cofounder Lior Div of Cybereason, a Boston cybersecurity firm. Both are veterans of Unit 8200 of the Israel Defense Forces. Tim Johnson McClatchy… number of the Israeli companies have one thing in common: Their founders emerged from an elite division of the Israel Defense Forces known as Unit 8200, a legendary high-tech spy branch that also has become a prolific technology incubator…“You literally grow up with the unit’s motto of everything is possible. There is no such thing as impossible. This is beat into you since Day One,” said… Yonatan Striem-Amit, another Unit 8200 veteran who is Cybereason’s chief technology officer…Veterans of the unit – and other IDF units with a cyber function – form a fraternity of sorts that have seeded the cybersecurity world. That was apparent last week in the halls of the RSA cybersecurity conference, an annual gathering named for its corporate organizer that drew more than 43,000 participants to San Francisco’s Moscone Center. “There’s a joke around RSA that it’s the only place in the U.S. where you ask instructions in Hebrew and get the answer in Hebrew,” said Striem-Amit.”‘- Mcclatchy

ht tps://www.mcclatchydc.com/news/nation-world/national/national-security/article134016454.html

I took a quick glance at Cybereason’s Board and Advisors. They seem to all be well educated and some from the military:

“Robert Bigman, Former CISO for the Central Intelligence Agency (CIA)… Robert Bigman retired from the CIA after serving a 30-year distinguished career, where he developed technical measures and procedures to manage the nation’s most sensitive secrets…

“Gerhard Eschelbeck, Vice President Security and Privacy Engineering at Google, Gerhard Eschelbeck is Vice President Security and Privacy Engineering at Google, where he leads the teams that ensure data and systems security, as well as user privacy…”

“Mike Gordon, Deputy CISO at Lockheed Martin… Richard Rushing, CISO for Motorola Mobility…” -cybereason

ht tps://www.cybereason.com/management?__hstc=&__hssc=&hsCtaTracking=940b09f9-1a1e-44bc-b6de-42be0c7fb0e3%7Cd96ae5ef-3355-4ecf-acd7-0735cbe72ead

I would say that Cybereason is well staffed with very capible technicians – of military background. I found their writing to be convincing – but they are in business to sell a security product.

All and all it’s a very interesting read.

[Excuse all of mistakes I had to rush this out]

Petre Peter July 10, 2019 7:17 AM

I am wondering why the attackers didn’t try to make it a little more difficult for the authorities to figure out what they were after. With only 20 victims it should be relatively easy to find out the common thread. Once that is found maybe attribution becomes easier. However, for now, it seems like they don’t know for sure if the attacks were carried by nation states or a person’s basement.

Ismar July 11, 2019 4:26 AM

@Clive – I cannot believe I am saying this but this time I disagree with your analysis. Namely, I am of the opinion that you’re overthinking this and believe this to be a genuine China- sponsored attack . Why – the country’s that host the cell networks can simply ask the providers for this type of information instead of going to these lengths to obtain any information about the network users.
This is, unless, we are talking about a scenario similar to the one depicted in the movie Enemy of the State where a rogue cell of NSA operatives try to conduct an unauthorised operation to gain financial or some other benefit.
BTW – I always imagine you Clive as that retired NSA operative that gets involved and help save the day for the main protagonist ????.

Clive Robinson July 11, 2019 2:22 PM

@ Ismar,

I cannot believe I am saying this but this time I disagree with your analysis.

Whilst you might think it is China and I’m not saying it’s not, you have to remember their previous MO is not to go after individuals but organisations or even as some would claim bulk traffic by mucking up BGP (though anyone in the US could with little effort force traffic to route through China, Russia or Iran, but North Korea with very limited bandwidth would kind of stand out).

Likewise many major SigInt organisations in Five-Eyes and the like go for bulk not individuals, but more importantly they put in distance between them and their targets (think upstream routers etc) in part so you don’t know who they are specifically after and the targets don’t get to see anything untoward on their systems. The major SigInt are also “opportunists” that is they may not even go anywhere near their targets, they will instead monitor the sites that collect telemetry etc and filter it (remember CarrierIQ, or Googles intersite back hauls?). Because at the end of the day “collect it all” or using a bulk industrialised process is actually less expensive for them, plus it also gives them a “virtual time machine” so they can effectively go back from.an hour or two to decades.

Law Enforcment on the otherhand, are in most Western nations, still supposed to go get warrants for individuals from courts (Though the UK and US play slightly differently and Aus has now got on that band waggon).

Third world and other nations that have to “buy capability in” tend to go after limited numbers or individuals due to amongst other things “resourcing issues”.

Chuck this “only 20 individuals” back in the equation and see how it pans out for you.

I suspect privacy and other effectively Doxing issues asside, when you know who the “only 20 individuals” are it will reduce the potential APT candidates down.

You might even find it’s not a Nation State at all. If you think back HP once got paranoid and put surveillance on their entire board of directors.

But then the IC community are a game unto themselves and their relationship to SigInt agencies can be not just distant but strained. Part of the “bread and butter” of “The smoke and mirrors game” is to “make it look like another party”. In part for cover, in part to set up legands, and likewise run false flag operations for a whole host of reasons including getting “the other side” to suspect their own, or suspect the wrong individuals within their organisations.

But as certain Silicon Valley billionaires have more recently discovered despots with wealth will go after them any which way they can, just so the despot can protect their international image. Obviously highering PR agencies, settingbup faux charitable organisations, faux think tanks and paying off politicians is now nolonger sufficient for such despots…

What I will say other than “beware the overly obvious” is that firstly we don’t have sufficient knowledge/evidence and secondly some of these private security organisations have previous on making incorrect assessments.

As I point out from time to time, when such companies have a habit of blaiming a nation that the US is using as it’s latest target whipped up into an “exestential threat” Orwellian style. You have to syart raising an eyebrow, especially when the US only ever has one existential threat at a time from a list of four…

Anyone who does not pause for thought over what other countries not on that list of four might be doing, or why the list of four apparently take it in turns to be the target of the month, is probably going to be quite interested in this bridge I have for sale in London…

RealFakeNews July 12, 2019 7:30 AM

Aside from the propaganda value, unless we know who they were after, it’s pretty useless.

Here’s what we know:

  • Cell networks globally were/are attacked
  • All records from attacked provider accessed
  • How do they know they’re only after 20 or so people?

The only real use we can get from any of this, is how they attacked the networks, gained access, and gained persistence, so we can harden the networks.

I understand the “target of opportunity” when trying to pin blame on “country of the month”, but it doesn’t help us improve our security.

The fact that companies like FireEye are producing this report, makes me think that there is in fact a nation state behind this, and they’re up to no good.

Unless we start actually fixing the system, we’re just wasting our time. We may be watching them watch, but if they’re taking data, unless that data is poisoned, what’s the use?

I can think of many ways this is a non-story beyond the obvious of our networks are broken.

Let’s say we definitely 100% know who did it. What next?

Clive Robinson July 12, 2019 12:24 PM

@ RealFakeNews,

but it doesn’t help us improve our security.

If you mean ICTSec maybe, but…

The US has for some time know talked / threatened “going high order” / “going kinetic” over what they have in the past decided can be an excuse to make a lot of collateral damage in a very Orwellian way to any far off nation that they have decided it’s time to “bomb back to the stone ages”. Oh and Israel has apparently put this doctrine into practice thus “normalized it”.

But the US has recently anounced that they have been doing to another nation, what the US have claimed they would treat an act of war if carried out against the US.

None of this nonsense is in any way making us “more secure” infact the opposit.

The fact that the US is very obviously misrepresenting to the point of lying what is going on, is not just very concerning, it’s very likely that some idiot is going to issue a “Go Command” on false attribution, and that can not end well not just in the short term with major collateral damage, but in many places in the longer term the forming of more intense Anti-American sentiment, that the past 18years has done so much harm to not just the citizens of the US but many other nations as well.

So getting atribution right is rapidly becoming vital when it comes to “physical security”.

Like you I’d much rather we treated cyber activities as crimes and espionage, and get on with making things more secure as we have done for more than a millennia. It is at the end of the day “the least harm” way and generally the least costly compared to the likes of war.

But our current crop of politicians and their advisors apparently want to please all the worst aspects of the MIC and that is going to cost most citizens through their taxes, and for some through their loved ones. So I would personally rather let some criminals and enemy agents get away rather than go in guns blazing knowing full well casualties always happen on both sides and war bankrupts nations and their peoples for no gain.

stiggy July 12, 2019 1:14 PM

@Sean Security will suck by default

You seem to be confusing security with privacy. They aren’t the same.

Disclosure isn’t going to improve security. If anything it will do the opposite. And attribution is hard. So hard, in fact, that we should all be reluctant to believe anyone’s attributions about any cyber attack. Clearly any nation state actor is going to be top notch in repudiation tradecraft.

Leave a comment

Login

Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.