Security researchers have uncovered a cyber espionage campaign dating back to 2017, with evidence suggesting it could have been earlier, which involved the hacking of 10 mobile network operators (MNOs) and invisibly tracking their users for months on end.
In the report published by Cybereason, researchers said that hackers were able to exfiltrate all raw data received and transmitted from a user's phone, allowing them to track a person's location and steal personally identifying information including login credentials, call records, billing information and more.
The hackers assumed control of an MNO by first exploiting a vulnerability in an internet-connected web server and using that to work their way into the network. They then moved laterally, exploiting each machine by stealing credentials using a Mimikatz variant until they assumed control of the domain controller which granted full access to the network with high privileges.
The hackers then created a string of accounts from which they launched malicious code. They were able to track an MNO's users without detection and without needing to distribute any malware to the user's device, resulting in them knowing everything about a user without actually hacking them.
Cybereason said this type of attack on MNOs, which form part of a nation's critical infrastructure due to our dependence on the technology, can usually be attributed to a nation-state.
A UK parliamentary committee of MPs and Lords said late last year that it's "impossible" to protect critical infrastructure from cyber attacks like WannaCry; mitigation is fast becoming the only method of protection.
"The threat actor mainly sought to obtain CDR data (call logs, cell tower locations, etc.) belonging to specific individuals from various countries," the report said. "This type of targeted cyber espionage is usually the work of nation state threat actors."
It said nearly a quarter of all critical infrastructure organisations have been hit by nation-state attacks and believe that this is no exception.
"We've concluded with a high level of certainty that the threat actor is affiliated with China and is likely state sponsored," read the report. "The tools and techniques used throughout these attacks are consistent with several Chinese threat actors, specifically with APT10, a threat actor believed to operate on behalf of the Chinese Ministry of State Security (MSS)."
"There are multiple indicators that suggest that this campaign is a Chinese threat actor. Not just the RAT, but additional tools which can be attributed to a specific group called APT 10," said Mor Levi, vice president, global security practice at Cybereason. "A disclaimer to this is that those tools were leaked a few years ago, and anyone with a little bit of effort can "get their hands on those tools" and make it look like APT 10 is behind that."
The exfiltrated data of call detail records (CDRs) is some of the most valuable available to a nation-state, according to Cybereason.
While many hackers set their sights on large organisations for financial reward, having mountains of CDRs enables a nation-state to understand who an individual is speaking to, where they're travelling and what devices they're using.
This becomes especially useful when targeting high-value individuals such as intelligence officers, politicians or members of law enforcement agencies.
"This attack has widespread implications, not just for individuals, but also for organizations and countries alike," said the report. "This is another form of cyber warfare being used to establish a foothold and gather information undercover until they are ready to strike."
