Cybereason, an Israeli-US security firm based in Boston, has reported that nation-state hackers compromised the systems of at least ten cellular carriers around the world to steal the metadata of specific users. Without naming anyone, the company claims that both the targeted users and the attackers are linked to China.
The campaign has been dubbed Operation Soft Cell, and it is regarded as a relatively sophisticated, large-scale espionage attempt bearing all the hallmarks of Chinese state-sponsored hackers. The affected carriers are located in the Middle East, Asia, Africa, and Europe. Notably, no US or other North American carriers have been targeted so far.
The company released a report describing the attack as an “advanced, persistent attack” and a “game of cat and mouse between the threat actor and the defenders.” According to the report, the threat actors have been acquiring customer data since 2012.
The threat actor probably wants to steal all the data stored in Active Directory and compromise every single “username and password in the organization along with other personally identifiable information, billing data, call detail records, credentials, email servers, geo-location of users, and more,” Cybereason stated in its blog post.
So far, the attackers have taken control of and exfiltrated hundreds of gigabytes of customer data, which makes this a massive breach, and it is still active. As soon as the attack on the database and billing servers and on Active Directory was detected, the attackers paused their activity and resumed it some time later.
Cybereason first noticed the intrusion in 2018 but believes the campaign has been active since at least 2017.
Amit Serper, head of security research at Cybereason, says the hackers accumulated a massive collection of usernames and passwords and acquired a range of domain privileges, giving them elevated access on not one but many devices.
“They can do whatever they want. Since they have such access, they could shut down the network tomorrow if they wanted to,” Serper told CNET.
The firm’s researchers say they first detected an intrusion in a customer’s network a year ago, along with evidence that the intruders had already been present for at least another year, dating the campaign back to 2017.
The consequences of a nation-state digging into the “deepest segments of providers’ network, including some isolated from the internet” are serious: hackers in that position can compromise “critical assets and eavesdrop on sensitive conversations of specific individuals around the world and feed the information to the intelligence agencies they are working for.”