Security researchers at Cybereason have uncovered a large espionage campaign in which call records were stolen from compromised cell network providers to conduct targeted surveillance on individuals of interest. Over the past seven years the attackers systematically broke into more than 10 cell networks around the world and obtained data stored in the providers' Active Directory domains, including usernames, passwords, billing data, call detail records, credentials, email servers, user geo-locations and more. According to the researchers, the tools and TTPs used are commonly associated with the Chinese threat actor APT10.
The attackers first gained access to one of the cell networks by exploiting a vulnerability on a server, which gave them a foothold on the provider's internal network. From there they moved laterally, stealing credentials from each machine they compromised to reach deeper into the network. The affected cell networks are based in Europe, Africa, the Middle East and Asia; none is thought to be in the U.S., according to the researchers who discovered the campaign.
Hackers stole data from 10 cell service providers worldwide, but the attack appears to be aimed at just a few key government and military figures. https://t.co/KmmT2fTJSQ
— Bill Schrier (@billschrier) June 25, 2019
Expert Comments:
Ben Goodman, SVP at ForgeRock:
Ilia Kolochenko, Founder and CEO at ImmuniWeb:
Saryu Nayyar, CEO at Gurucul:
“This attack is a great example of what today’s organisations face on the cybersecurity front. Sophisticated nation-state attackers and organised criminal hackers are armed with advanced hacking tools that can easily exploit vulnerabilities and penetrate almost any network. Once in, they can leverage unprotected privileged accounts to remain undetected on the network – sometimes for years.
Left unchecked, too much excess privileged access creates an unwieldy threat landscape. Understanding where privileged accounts are, how to restrict these privileges and how to monitor access to them is critical. However, manually maintaining and auditing privileged account entitlements is far beyond the scope of most organisations.
This is where data science and machine learning are invaluable. With these advanced technologies, cybersecurity teams can discover who has privileged access with privileged entitlements that may have escalated after provisioning or exist within applications and unstructured data. Managing privileged access effectively originates with privileged access discovery at the entitlement level, as it is the entitlement, not the account, that defines privileged access. This enables security leaders to manage, monitor and control privileged access with optimal effectiveness and reduced risk. In this case, machine learning could have analysed the data already in hand. This would have revealed suspicious activities including accessing inappropriate files, how and where they were being moved or copied and other non-typical access.”
Dr. Guy Bunker, CTO at Clearswift:
“We have seen the knock-on impact of very sensitive data being exposed in data breaches before, such as the Ashley Madison data breach as well as the 56 Dean Street HIV clinic data leak. These resulted in organisations starting to understand the tertiary effects of data breaches on their employees. Several organisations modified their HR policies and put in place processes for employees relating to how they could help individuals who have found themselves in that predicament. Today, after the recent hacking of cell networks, organisations should do the same. They need to prepare for individuals to come and ask for help should they find themselves being blackmailed. A process needs to be in place as to what could be done. For example, do the police need to be involved, or are there other personal security matters which come to light with the data which has been revealed?
“For organisations who have personnel involved as a side effect of a data breach, the tertiary impact, there is little that can be done to prevent future attacks other than being able to offer help through HR in supporting the individual. For those organisations who collect the critical information, there is, as always, a need to protect it. In the case of call records, this can be billions of items. In this case, the attack had been going on for years, so the question would be around how you would monitor access to the data and ensure that only the correct people and systems have access. Comprehensive access control and monitoring are essential. Furthermore, the endpoints also need to be monitored to watch for unusual behaviour, such as large quantities of information being passed, or unusual times for data transfer. Monitoring for unusual data transfer is the last line of defence, as it means that the attackers are already inside the network.
“More importantly, there needs to be protection to prevent them getting in, in the first place. Solutions such as regular patching of applications and the operating system and security solutions to prevent phishing, business email compromise and other methods of social engineering are important. Also vital are the usual intrusion detection and intrusion prevention solutions and regular penetration testing of externally facing applications and systems. Furthermore, organisations need processes in place to ensure that action is taken in a timely manner for any vulnerabilities which are found.”
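The two egress signals the comment above names, a transfer far above a host's normal volume and a large transfer at an unusual hour, can be checked with a very small amount of logic. The following is an added example written for this page, not code from the article, Cybereason or any vendor quoted here. It runs over constructed outbound flow records (timestamp, source host, destination IP, bytes out); the field layout, the business-hours window and both thresholds are assumptions chosen for illustration, and the hostnames and addresses are made up.

```python
"""Egress anomaly check over constructed flow records (added example).

Flags outbound transfers that are far above the sending host's own median
volume, or that are large and happen outside business hours. Field layout,
thresholds and the business-hours window are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample records: "timestamp,src_host,dst_ip,bytes_out".
# billing-db01 normally sends ~50 KB per transfer during the day; one record
# is a multi-gigabyte transfer at 02:14 to a destination the host never used.
SAMPLE_LOG = """\
2019-06-10T09:12:03,billing-db01,203.0.113.10,48213
2019-06-10T10:40:17,billing-db01,203.0.113.10,51900
2019-06-10T14:05:44,billing-db01,203.0.113.11,47002
2019-06-11T09:30:01,billing-db01,203.0.113.10,50115
2019-06-11T02:14:55,billing-db01,198.51.100.77,8123456789
2019-06-10T09:00:00,dc01,203.0.113.12,1200
2019-06-10T12:00:00,dc01,203.0.113.12,1500
2019-06-11T03:25:12,dc01,198.51.100.77,900
2019-06-11T11:10:00,dc01,203.0.113.12,1400
"""

BUSINESS_HOURS = range(7, 20)   # 07:00-19:59 local time (assumption)
BASELINE_MULTIPLIER = 20        # flag when bytes >= 20x the host median (assumption)
OFF_HOURS_BYTES = 1_000_000     # off-hours transfers above 1 MB are flagged (assumption)


def parse_records(text):
    """Parse CSV-style flow lines into dicts with a real datetime and int byte count."""
    records = []
    for line in text.strip().splitlines():
        ts, host, dst, nbytes = line.split(",")
        records.append({"ts": datetime.fromisoformat(ts), "host": host,
                        "dst": dst, "bytes": int(nbytes)})
    return records


def baseline_by_host(records):
    """Per-host median bytes per transfer. The median is used rather than the
    mean so that a single huge exfiltration does not inflate its own baseline."""
    per_host = defaultdict(list)
    for r in records:
        per_host[r["host"]].append(r["bytes"])
    return {host: median(sizes) for host, sizes in per_host.items()}


def find_anomalies(records, baselines):
    """Return one alert per record that trips at least one signal."""
    alerts = []
    for r in records:
        reasons = []
        base = baselines[r["host"]]
        if base > 0 and r["bytes"] >= BASELINE_MULTIPLIER * base:
            reasons.append(f"volume {r['bytes']} is {r['bytes'] / base:.0f}x "
                           f"host median {base:.0f}")
        if r["ts"].hour not in BUSINESS_HOURS and r["bytes"] >= OFF_HOURS_BYTES:
            reasons.append(f"{r['bytes']} bytes at {r['ts'].strftime('%H:%M')} "
                           f"outside business hours")
        if reasons:
            alerts.append({"ts": r["ts"].isoformat(), "host": r["host"],
                           "dst": r["dst"], "reasons": reasons})
    return alerts


def run(text=SAMPLE_LOG):
    """Parse, baseline and evaluate in one call; returns the alert list."""
    records = parse_records(text)
    return find_anomalies(records, baseline_by_host(records))


if __name__ == "__main__":
    for alert in run():
        print(alert["ts"], alert["host"], "->", alert["dst"])
        for reason in alert["reasons"]:
            print("   ", reason)
```

On the sample data only the 02:14 transfer from billing-db01 is reported, and it trips both signals; dc01's small 03:25 record stays below the off-hours byte threshold and within its baseline, so it is not flagged. In production the baseline would be computed over a trailing window of clean history rather than over the same batch being scored, and a third signal worth adding is a destination the host has never talked to before.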