Persistent Cyber Attack Targeted Networks for Years

Telecoms operators have been subject to a sustained and systematic series of cyber attacks by a group of state-sponsored hackers since at least 2012, claims ex-military security consultants working for Cybereason. The hackers appear to be working for the Chinese state, and their goal was to obtain data about high-value targets and lay the groundwork for taking control of networks.

Despite not formally being recognized as a utility, no-one can argue that the communications industry does not provide critical infrastructure to businesses, consumers and governments alike.  That makes operators a prime target. Reports about Operation Soft Cell state that this infrastructure has already been under attack for many years, though the risks have not been widely reported by the mainstream media.

What Is Operation Soft Cell?

The advanced attacks appear to have been carried out using tools usually associated with Chinese hackers such as menuPass, who have been active since 2009.  Cybereason suspect that the attacks are sponsored by the Chinese state.

The goal of the attack was to obtain CDRs, billing data, user geo-location information and more. Furthermore, the attackers appear to be trying to create VPN access into the networks.

How Did It Work?

Playing the long-game, the attackers worked in waves, abandoning an attack once it was identified and stopped, but returning to the attack months later with new tools.

The attacks started with deployment of a web shell (a remote access trojan), loaded into public-facing servers to allow remote access to assets such as the server’s file system.

Each time an attack was identified and stopped, the threat actor would halt the attack, but only for a while before implementing modified versions of the web shell and its reconnaissance activities.

Attack phase iterations spanned months. These attacks are referred to as ‘persistent’ or ‘low and slow’.

Once they had gained access, the hackers initiated a series of commands to obtain information about the compromised machine, the network architecture, user information and the active directory.

Modified versions of NBTSCAN and MIMIKATZ were used to identify NetBIOS name servers across the organization. Following the reconnaissance phase, they were then used to dump credentials stored on compromised machines.  The attack even dumped the SAM hive, which contains password hashes, from the Windows Registry.

Once the network was mapped and credentials obtained, the attackers were able to move laterally to compromise critical IT assets, including database and production servers, gaining full control of the Domain Controller and installing their tools over multiple assets.

Using stolen credentials to create user accounts with high user access privileges, they ensured their access would be maintained between attack waves, making it harder to detect.  In parallel, the hackers deployed PoisonIvy RAT, which can take complete control of a machine (including credential stealing and keylogging).

The attackers also attempted to hide the contents of stolen data through use of winrar binaries to compress and protect them with passwords, most of which were found in recycle bins.

Motivation

Attacks initiated by a nation state against large organizations will generally seek to obtain intellectual property and sensitive client data.  In this respect, CDR data is extremely valuable, providing information and insights about a targets’ movements, behavior and interactions.

The potential to take control of a network raised the stakes even higher.

Conclusions

Operation Soft Cell was meticulously orchestrated and patiently executed. Though it is likely that the hackers work for the Chinese state, the perpetrators of such a sophisticated attack could have left a deliberate trail of breadcrumbs to mislead those hunting for answers and solutions. This confirms the importance of security international co-operation between businesses and governments.

You can learn more about Cybereason’s investigation by looking here.

Rob Chapman
Rob Chapman
Rob is the Chief Operating Officer of the Risk & Assurance Group (RAG). He is responsible for the planning and execution of each RAG event. Rob's goal is to bring together professionals from across the industry and drive RAG's agenda forward.

Rob started working for RAG full time in 2018, having served as Chair on a voluntary basis for the previous four years.

Before joining RAG, Rob was a senior consultant at Cartesian. He has worked in revenue assurance and billing roles for TalkTalk, Verizon Business, Energis and Hutchinson 3G.

Related Articles

Get Our Weekly Newsletter by Email