Nation-state hackers launch massive attack on mobile networks

China is believed to be behind the years-long hack that allowed it know everything about the victims

Mobile network hack

Security researchers have uncovered a cyber espionage campaign dating back to 2017, with evidence suggesting it could have been earlier, which involved the hacking of 10 mobile network operators (MNOs) and invisibly tracking their users for months on end.

In the report published by Cybereason, researchers said that hackers were able to exfiltrate all raw data received and transmitted from a user's phone, allowing them to track a person's location and steal personally identifying information including login credentials, call records, billing information and more.

The hackers assumed control of an MNO by first exploiting a vulnerability in an internet-connected web server and using that to work their way into the network. They then moved laterally, exploiting each machine by stealing credentials using a Mimikatz variant until they assumed control of the domain controller which granted full access to the network with high privileges.

The hackers then created a string of accounts from which they launched malicious code. They were able to track an MNO's users without detection and without needing to distribute any malware to the user's device, resulting in them knowing everything about a user without actually hacking them.

Cybereason said this type of attack on MNOs, which form part of a nation's critical infrastructure due to our dependence on the technology, can usually be attributed to a nation-state.

A UK parliamentary committee of MPs and Lords said late last year that it's "impossible" to protect critical infrastructure from cyber attacks like WannaCry; mitigation is fast becoming the only method of protection.

"The threat actor mainly sought to obtain CDR data (call logs, cell tower locations, etc.) belonging to specific individuals from various countries," the report said. "This type of targeted cyber espionage is usually the work of nation state threat actors."

It said nearly a quarter of all critical infrastructure organisations have been hit by nation-state attacks and believe that this is no exception.

"We've concluded with a high level of certainty that the threat actor is affiliated with China and is likely state sponsored," read the report. "The tools and techniques used throughout these attacks are consistent with several Chinese threat actors, specifically with APT10, a threat actor believed to operate on behalf of the Chinese Ministry of State Security (MSS)."

"There are multiple indicators that suggest that this campaign is a Chinese threat actor. Not just the RAT, but additional tools which can be attributed to a specific group called APT 10," said Mor Levi, vice president, global security practice at Cybereason. "A disclaimer to this is that those tools were leaked a few years ago, and anyone with a little bit of effort can "get their hands on those tools" and make it look like APT 10 is behind that."

The exfiltrated data of call detail records (CDRs) is some of the most valuable available to a nation-state, according to Cybereason.

While many hackers set their sights on large organisations for financial reward, having mountains of CDRs enables a nation-state to understand who an individual is speaking to, where they're travelling and what devices they're using.

This becomes especially useful when targeting high-value individuals such as intelligence officers, politicians or members of law enforcement agencies.

"This attack has widespread implications, not just for individuals, but also for organizations and countries alike," said the report. "This is another form of cyber warfare being used to establish a foothold and gather information undercover until they are ready to strike."

Featured Resources

Preparing for AI-enabled cyber attacks

MIT technology review insights

Download now

Cloud storage performance analysis

Storage performance and value of the IONOS cloud Compute Engine

Download now

The Forrester Wave: Top security analytics platforms

The 11 providers that matter most and how they stack up

Download now

Harness data to reinvent your organisation

Build a data strategy for the next wave of cloud innovation

Download now

Recommended

Senate report slams agencies for poor cyber security
cyber security

Senate report slams agencies for poor cyber security

3 Aug 2021
Most employees put their workplace at risk by taking cyber security shortcuts
cyber security

Most employees put their workplace at risk by taking cyber security shortcuts

27 Jul 2021
61% of organizations say improving security a top priority for 2021
cyber security

61% of organizations say improving security a top priority for 2021

29 Jun 2021
ProtectedBy.AI’s CodeLock blocks malware at source code level
software as a service (SaaS)

ProtectedBy.AI’s CodeLock blocks malware at source code level

9 Jun 2021

Most Popular

RMIT to be first Australian university to implement AWS supercomputing facility
high-performance computing (HPC)

RMIT to be first Australian university to implement AWS supercomputing facility

28 Jul 2021
Zyxel USG Flex 200 review: A timely and effective solution
Security

Zyxel USG Flex 200 review: A timely and effective solution

28 Jul 2021
Preparing for AI-enabled cyber attacks
Whitepaper

Preparing for AI-enabled cyber attacks

22 Jul 2021