Security researchers have uncovered a major new two-year state-sponsored attack against global telcos, most likely linked to China’s Ministry of State Security (MSS).
Boston-based vendor Cybereason claimed that the group used tools and techniques associated with APT10 to obtain Call Detail Records (CDRs): metadata including the source, destination and duration of calls, together with physical location and device details that could help them spy on individuals.
“Having this information becomes particularly valuable when nation-state threat actors are targeting foreign intelligence agents, politicians, opposition candidates in an election, or even law enforcement,” it argued in a lengthy blog post.
“Operation Soft Cell” has been ongoing since at least 2017, targeting multiple global telcos to compromise individuals in over 30 countries worldwide.
“The attack began with a web shell running on a vulnerable, publicly-facing server, from which the attackers gathered information about the network and propagated across the network. The threat actor attempted to compromise critical assets, such as database servers, billing servers, and the active directory. As malicious activity was detected and remediated against, the threat actor stopped the attack,” Cybereason explained.
“The second wave of the attack hit several months later with similar infiltration attempts, along with a modified version of the web shell and reconnaissance activities. A game of cat and mouse between the threat actor and the defenders began, as they ceased and resumed their attack two more times in the span of a four-month period.”
Among the tools used by the attackers were: the China Chopper web shell, initially detected on an IIS server; a modified Nbtscan tool designed to find NetBIOS name servers; a modified version of mimikatz to steal credentials; fileless techniques like WMI and PsExec to move laterally; the PoisonIvy RAT; and more.
Care was taken throughout to maintain persistence and stay hidden.
“The threat actor abused the stolen credentials to create rogue, high-privileged domain user accounts which they then used to take malicious action. By creating these accounts, they ensured they would maintain access between different waves of the attack,” Cybereason explained.
“Once the threat actor regains their foothold, they already have access to a high-privileged domain user account. This significantly reduces the ‘noise’ of having to use credential dumpers repeatedly, which helped them evade detection.”
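The persistence technique described in the two quotes above, creating rogue high-privileged domain accounts so that credential dumpers need not be run again on each wave, leaves a distinctive trace in Windows Security logs: an account-creation event (ID 4720) followed shortly by a group-membership event (IDs 4728/4732/4756) adding that same account to a privileged group. The script below is an added example of that correlation, not code from Cybereason or from the report; the field names mirror the Windows Security event schema, but the sample events are constructed for illustration and the 24-hour window, the privileged-group list and the usernames are assumptions.

```python
"""Correlate account-creation events with privileged-group additions.

Flags any domain account that is added to a privileged group within a short
window of being created, the pattern left behind by rogue high-privilege
accounts used to hold access between attack waves. Event field names follow
the Windows Security log (EventID 4720, 4728, 4732, 4756); the events below
are constructed samples, not real telemetry.
"""
import re
from datetime import datetime, timedelta

# Assumed list of groups worth alerting on; extend to match the environment.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators", "Schema Admins"}
# 4728 = member added to global group, 4732 = local group, 4756 = universal group.
ELEVATION_EVENTS = {4728, 4732, 4756}
# Assumed correlation window between creation and elevation.
WINDOW = timedelta(hours=24)

# Constructed sample events (hypothetical users, hypothetical domain).
SAMPLE_EVENTS = [
    {"EventID": 4720, "TimeCreated": "2019-03-02T01:12:40",
     "SubjectUserName": "jsmith", "TargetUserName": "svc-backup2"},
    {"EventID": 4728, "TimeCreated": "2019-03-02T01:13:05",
     "SubjectUserName": "jsmith",
     "MemberName": "CN=svc-backup2,CN=Users,DC=corp,DC=example",
     "TargetUserName": "Domain Admins"},
    # Legitimate onboarding: created by provisioning, elevated 8 days later.
    {"EventID": 4720, "TimeCreated": "2019-03-02T09:00:00",
     "SubjectUserName": "hr-provisioning", "TargetUserName": "new.hire"},
    {"EventID": 4728, "TimeCreated": "2019-03-10T10:00:00",
     "SubjectUserName": "it-admin",
     "MemberName": "CN=new.hire,CN=Users,DC=corp,DC=example",
     "TargetUserName": "Domain Admins"},
    # Addition to a non-privileged group: ignored.
    {"EventID": 4728, "TimeCreated": "2019-03-02T02:00:00",
     "SubjectUserName": "jsmith",
     "MemberName": "CN=svc-backup2,CN=Users,DC=corp,DC=example",
     "TargetUserName": "Helpdesk"},
]


def parse_time(value):
    """Parse the ISO-8601 timestamp used in the sample events."""
    return datetime.fromisoformat(value)


def member_sam(member_name):
    """Extract the CN from the distinguished name logged in MemberName."""
    match = re.match(r"CN=([^,]+)", member_name)
    return match.group(1) if match else member_name


def find_rapid_elevations(events, window=WINDOW, privileged_groups=PRIVILEGED_GROUPS):
    """Return one alert per account elevated to a privileged group within
    `window` of its creation. Events are processed in time order so that a
    creation is always seen before the elevation that follows it."""
    created = {}  # account name (lower-case) -> (creation time, creator)
    alerts = []
    for ev in sorted(events, key=lambda e: parse_time(e["TimeCreated"])):
        when = parse_time(ev["TimeCreated"])
        if ev["EventID"] == 4720:
            created[ev["TargetUserName"].lower()] = (when, ev["SubjectUserName"])
            continue
        if ev["EventID"] in ELEVATION_EVENTS and ev["TargetUserName"] in privileged_groups:
            account = member_sam(ev["MemberName"]).lower()
            if account not in created:
                continue  # elevation of a pre-existing account; out of scope here
            created_at, creator = created[account]
            if when - created_at <= window:
                alerts.append({
                    "account": account,
                    "group": ev["TargetUserName"],
                    "created_by": creator,
                    "elevated_by": ev["SubjectUserName"],
                    "seconds_between": int((when - created_at).total_seconds()),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_rapid_elevations(SAMPLE_EVENTS):
        print(alert)
```

Run on the constructed events, the script raises a single alert for `svc-backup2`, created and added to Domain Admins 25 seconds later by the same account, while the onboarding case (elevated days later) and the Helpdesk addition are ignored. In practice the same correlation would be fed from the domain controllers' forwarded Security logs, and the creator and elevator identities in each alert are what an analyst would pivot on next.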