Hackers, believed to be backed by the Chinese government, have broken into the systems of more than a dozen global telecom companies in over 30 countries and stolen large amounts of personal and corporate data “since at least 2017”, according to research conducted by US-Israeli cyber security firm Cybereason. The multi-wave campaign, which is ongoing, focuses on obtaining data of specific, high-value targets and has resulted in a complete takeover of networks. It mainly seeks to obtain CDR data (call logs, cell tower locations, etc.) of specific individuals from various countries. Cybereason said it first identified the attacks earlier this year. It declined to name the individuals or the telecom firms, citing privacy concerns, but warned that though the campaign is targeted at specific individuals, any entity that has the power to take over the networks of telecom providers can potentially use it to shut down or disrupt an entire cellular network as part of a larger cyber warfare operation.
‘Tools and methods consistent with those of Chinese actors’
This type of targeted cyber espionage, the firm said, was usually the work of nation state actors. It said it had concluded with a “high level of certainty” that the hackers in this case are affiliated with China and that the operation is likely state-sponsored because the tools and methods used were consistent with those of several Chinese “threat actors”, specifically with APT10, which is believed to operate on behalf of the Chinese Ministry of State Security (MSS). It said the attackers worked in waves — abandoning one thread of attack when it was detected and stopped, before returning to it months later with new tools and methods. While it could not entirely rule out a “copy-cat” scenario, where another actor might masquerade as APT10 to thwart investigators, “we find this option to be less likely in light of our analysis of the data”, Cybereason said.
Cybereason’s security recommendations
Cybereason recommended that telcos adopt the following measures to thwart attacks on their systems:
- Add an additional security layer for web servers. For example, use WAF (Web Application FW) to prevent trivial attacks on Internet-facing web servers.
- Expose as few systems or ports to the internet as possible. Make sure that all web servers and web services that are exposed are patched.
- Use an EDR tool to give visibility and immediate-response capabilities when high-severity incidents are detected.
Proactively hunt in your environment for sensitive assets periodically.
US indicted two alleged APT10 members in December
The latest cyberoffensive puts the spotlight back on APT10 after two of its alleged members — Zhu Hua and Zhang Shilong — were indicted by the US Department of Justice in December in connection with cyberattacks and intellectual property (IP) theft, including conspiracy to commit computer intrusions, conspiracy to commit wire fraud and aggravated identity theft. The DoJ said the two worked for a company in China called Huaying Haitai Science and Technology Development Company and acted in association with the Chinese Ministry of State Security’s Tianjin State Security Bureau. It said that APT10 had begun the attacks in 2006, targeting “more than 45 technology companies in at least a dozen US states and US government agencies”. Then, in 2014, the group began targeting managed service providers (MSPs) in 12 countries, rather than attacking organisations directly.