Chinese-affiliated hackers compromised 25 global telecommunications companies for over 7 years
Note: An earlier version of this article included a teaser image with the names and logos of many of the world's top telecommunications companies. It was not our intention to imply that those specific companies were the ones compromised (this information has not been released), and so that image has been replaced.
Leading cyber-security firm Cybereason has today published a report on its identification of a disturbing 7-year-long coordinated attack against more than two dozen global telecommunications companies. The attack was conducted with methods and tools consistent with those used by the Chinese Ministry of State Security, and was likely aimed at retrieving crucial details such as Call Detail Records (CDRs).
Dubbed "Operation Soft Cell" by Cybereason, the attacks were traced back as early as 2012, but may have been active even earlier than that. The attackers used tools to steal credentials from computers and map the carriers' networks. Once credentials were successfully stolen, they were used to create domain-level user accounts with high levels of access to sensitive data. The attacks were attributed to APT10, a threat actor originating from China and believed to be favored by the Chinese Ministry of State Security.
Telecommunications companies don't actually keep the contents of calls and text messages in the CDR, but that does not mean the stolen data is useless; far from it. CDRs contain metadata about each call, including physical location, origin, destination, duration, and device-specific information. This information can be used by state actors to track individuals of interest (e.g. politicians, foreign intelligence operatives, etc.).
Even more alarming, according to the report, is the fact that the attackers had complete access to the telecommunications infrastructures for years before the firm first identified them in 2018. Although outwardly less bombastic than the US strikes that were alleged to have disabled Iran's missile defense systems last week, the strategy of infiltrating and lying dormant for years, waiting for the right time to strike, is actually quite similar, and a reminder of the vulnerabilities our technology gives us.