Mobile Operators Worldwide Hit By Espionage Attacks

Matthew Broersma,
HSBC, security, hacking

Researchers say an ongoing state-backed hacking campaign has made off with gigabytes of data on targeted individuals

Researchers have uncovered an attack on mobile telecommunications providers that affected more than 10 companies around the world and resulted in the theft of gigabytes of data on highly targeted individuals.

The ongoing operation appears to be aimed at stealing personal and corporate information related to individuals in government, law enforcement and politics, said US-Israeli firm Cybereason on Monday night.

They said the tools and techniques used indicated the attacks may have been carried out by a threat group known as APT10, which is thought to be affiliated with Chinese military intelligence.

“The tools and techniques used throughout these attacks are consistent with several Chinese threat actors, specifically with APT10,” Cybereason said in an advisory.


European targets

The Boston-based firm said telecoms companies in multiple countries were affected, in regions including Asia, Africa, the Middle East and Western Europe.

It first detected the intrusion on the systems of a client telecoms firm in 2018, with its investigation indicating the attacks may have begun in 2017 or earlier.

The attackers had gained complete administrative control over the target’s network, becoming in effect a shadow IT department, Cybereason said.

This access was used to access a call detail record (CDR) database and steal data related to 20 specific individuals.

The metadata collected, including SIM identifiers, call records and which cell tower a phone connected to at given times, allowed the attackers to build up a detailed picture of the individuals’ activities.

Cybereason found indicators leading it to believe that at least nine other telcos may have been similarly compromised, but didn’t release details on the companies affected.

Government link

The attackers were highly sophisticated, abandoning one line of attack when it was discovered, only to return months later with different tools and techniques.

They changed their methods regularly every quarter.

Cybereason said it had found more than five different tools used in the attack that have also been associated with APT10, including the China Chopper web shell, the Poison Ivy remote-access trojan and the nbtscan scanning tool.

While the firm acknowledged that it could not rule out a copycat attack, it said it was able to say with a “high level of certainty” that the attacks were affiliated with China and were likely to be backed by the state.

The US indicted two alleged members of APT10 in December, and it and other Western countries have linked the group with attacks aimed at stealing intellectual property.

The group has previously been linked to attacks on UK companies and on the Ministry of Defence.