Hackers believed to have ties to China’s government infiltrated the systems of at least 10 telecommunications companies around the globe, swiping swaths of data on the companies and targeted individuals, according to an investigation by cybersecurity firm Cybereason.
Cybereason identified numerous global carriers believed to have been compromised by the scheme, which in at least one incident “targeted 20 military officials, dissidents, spies and law enforcement—all believed to be tied to China—and spanned Asia, Europe, Africa and the Middle East,” the Wall Street Journal wrote.
The hackers reportedly swiped information including location data, billing information, text message records, and call detail records (CDRs). The compromised information did not include the recordings of calls or text of messages, but could nonetheless paint an intimate picture of a person’s life, indicating who they were in contact with and when, according to Cybereason.
Cybereason believes that the attack bears close resemblances to prior attacks by APT 10, a hacking ground linked to China’s government.
“We’ve concluded with a high level of certainty that the threat actor is affiliated with China and is likely state sponsored,” Cybereason wrote in its report summary. “The tools and techniques used throughout these attacks are consistent with several Chinese threat actors, specifically with APT10, a threat actor believed to operate on behalf of the Chinese Ministry of State Security (MSS).”
Last year, federal prosecutors indicted two Chinese nationals who were allegedly members of APT 10 working for an arm of China’s intelligence service, penetrating dozens of companies. APT 10 is known for attacking so-called managed service providers, firms that provide data infrastructure to other companies and are particularly valuable targets for anyone interested in their clients.
Per the Journal:
Cybereason Chief Executive Lior Div gave a weekend, in-person briefing about the hack to more than two dozen other global carriers. For the firms already affected, the response has been disbelief and anger, Mr. Div said.
“We never heard of this kind of mass-scale espionage ability to track any person across different countries,” Mr. Div said.
Cybereason said that the hackers had “access to the carriers’ entire active directory, an exposure of hundreds of millions of users,” the Journal wrote, and they were reportedly able to peruse those databases as though they were employees of the telecom companies. The attackers used a variety of techniques including the creation of admin accounts and using virtual private networks (VPNs) to mask where they were based. Some of the activity was detected as far back as 2012, and the hackers apparently were able to hone their techniques over time.
“For this level of sophistication it’s not a criminal group,” Cybereason CEO Lior Div told Reuters. “It is a government that has capabilities that can do this kind of attack.”
The identities of the 20 targeted individuals were not detailed in media reports, though according to TechCrunch, Cybereason said that some of the compromised individuals had hundreds of gigabytes of granular data. In one case, TechCrunch reported, the attackers were able to gain access to a network by exploiting a vulnerability on an internet-connected web server, then stole credentials to penetrate deeper into the telecom’s network.
“They would exploit one machine that was publicly accessible through the internet, dump the credentials from that machine, use the credentials stolen from the first machine and repeat the whole process several times,” Cybereason’s head of security research, Amit Serper, told TechCrunch.
“This time as opposed to in the past we are sure enough to say that the attack originated in China,” Cybereason wrote in a statement to CNBC. However, company officials also noted to various outlets that it is possible the attackers could have simply left a trail to Chinese, Hong Kong, and Taiwanese IP addresses as a form of misdirection. It was either APT 10 “or someone that wants us to go public and say it’s [APT 10],” Div told TechCrunch.
“The threat actor managed to infiltrate into the deepest segments of the providers’ network, including some isolated from the internet, as well as compromise critical assets,” Cybereason wrote in the report. “Our investigation showed that these attacks were targeted, and that the threat actor sought to steal communications data of specific individuals in various countries.”
The report continued:
“The data exfiltrated by this threat actor, in conjunction with the TTPs and tools used, allowed us to determine with a very high probability that the threat actor behind these malicious operations is backed by a nation state, and is affiliated with China. Our contextualized interpretation of the data suggests that the threat actor is likely APT10, or at the very least, a threat actor that shares, or wishes to emulate its methods by using the same tools, techniques, and motives.”
Last year, President Donald Trump’s administration accused China of violating an Obama-era agreement in 2015 that was designed to limit cyber-espionage by both countries. China has steadfastly denied that it engages in any such operations. A spokesperson for China’s Foreign Ministry told Reuters, “We would never allow anyone to engage in such activities on Chinese soil or using Chinese infrastructure.”