Nation-state hackers launch massive attack on mobile networks

China is believed to be behind the years-long hack that allowed it to know everything about the victims


Security researchers have uncovered a cyber espionage campaign dating back to 2017, with evidence suggesting it could have been earlier, which involved the hacking of 10 mobile network operators (MNOs) and invisibly tracking their users for months on end.

In the report published by Cybereason, researchers said that hackers were able to exfiltrate all raw data received and transmitted from a user's phone, allowing them to track a person's location and steal personally identifying information including login credentials, call records, billing information and more.

The hackers assumed control of an MNO by first exploiting a vulnerability in an internet-connected web server and using that to work their way into the network. They then moved laterally, compromising each machine in turn by stealing credentials with a Mimikatz variant, until they controlled the domain controller, which granted full, high-privilege access to the network.

The hackers then created a string of accounts from which they launched malicious code. They were able to track an MNO's users without detection and without needing to distribute any malware to the user's device, resulting in them knowing everything about a user without actually hacking them.
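The two behaviours described above, one account authenticating to host after host with stolen credentials and then a burst of new accounts being created once the domain controller is under attacker control, both leave a trail in ordinary Windows Security logs. The following is an added example written for this article; it is not code from Cybereason or from the report. It runs a toy detector over a handful of constructed log lines, using the real Windows Security event IDs 4624 (successful logon) and 4720 (user account created); the host names, account names, timestamps and alert thresholds are all constructed for illustration.

```python
"""Toy detection over constructed Windows Security events.

Added example (not from the article or the Cybereason report). It flags
two behaviours: an account that authenticates over the network to many
distinct hosts within a short window (lateral movement with stolen
credentials) and a burst of account-creation events by one subject.
Event IDs 4624 and 4720 are the real Windows Security event IDs; the
sample lines, names and thresholds below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, one per line:
#   timestamp  event_id  account  host  logon_type
# For 4624 "account" is the account that logged on; for 4720 it is the
# subject that created the new user (logon_type is "-" for 4720).
SAMPLE_EVENTS = """\
2019-03-01T02:00:05 4624 svc_backup WEB01 3
2019-03-01T02:01:10 4624 svc_backup FS02 3
2019-03-01T02:01:55 4624 svc_backup APP03 3
2019-03-01T02:02:40 4624 svc_backup SQL04 3
2019-03-01T02:03:12 4624 svc_backup DC01 3
2019-03-01T02:05:00 4720 svc_backup DC01 -
2019-03-01T02:05:30 4720 svc_backup DC01 -
2019-03-01T02:06:02 4720 svc_backup DC01 -
2019-03-01T09:15:00 4624 alice WS17 2
2019-03-01T09:16:00 4624 alice WS17 2
2019-03-01T12:00:00 4624 bob FS02 3
"""

NETWORK_LOGON_TYPES = ("3", "10")  # network and RemoteInteractive logons


def parse_events(text):
    """Parse the whitespace-separated sample format into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, account, host, logon_type = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "account": account,
            "host": host,
            "logon_type": logon_type,
        })
    return events


def find_lateral_movement(events, window=timedelta(minutes=10), min_hosts=4):
    """Return {account: sorted hosts} for accounts with network logons to
    at least min_hosts distinct hosts inside any sliding window."""
    by_account = defaultdict(list)
    for e in events:
        if e["event_id"] == 4624 and e["logon_type"] in NETWORK_LOGON_TYPES:
            by_account[e["account"]].append(e)
    alerts = defaultdict(set)
    for account, logons in by_account.items():
        logons.sort(key=lambda e: e["ts"])
        for i, e in enumerate(logons):
            # Distinct hosts touched in the window ending at this logon.
            hosts = {x["host"] for x in logons[:i + 1] if e["ts"] - x["ts"] <= window}
            if len(hosts) >= min_hosts:
                alerts[account].update(hosts)
    return {account: sorted(hosts) for account, hosts in alerts.items()}


def find_account_creation_bursts(events, window=timedelta(minutes=5), min_created=3):
    """Return {subject: max accounts created in one window} for subjects
    that created at least min_created accounts inside the window."""
    by_subject = defaultdict(list)
    for e in events:
        if e["event_id"] == 4720:
            by_subject[e["account"]].append(e["ts"])
    alerts = {}
    for subject, times in by_subject.items():
        times.sort()
        for i, t in enumerate(times):
            recent = [x for x in times[:i + 1] if t - x <= window]
            if len(recent) >= min_created:
                alerts[subject] = max(alerts.get(subject, 0), len(recent))
    return alerts


if __name__ == "__main__":
    evts = parse_events(SAMPLE_EVENTS)
    for account, hosts in find_lateral_movement(evts).items():
        print(f"lateral movement: {account} -> {', '.join(hosts)}")
    for subject, n in find_account_creation_bursts(evts).items():
        print(f"account creation burst: {subject} created {n} accounts")
```

In the constructed sample, svc_backup is flagged for both behaviours (five hosts in three minutes, then three new accounts in about a minute), while alice (local interactive logons only) and bob (a single network logon) are not. In a real deployment the thresholds would be tuned per environment, and the domain controller's own 4720 events would be the ones worth watching most closely.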

Cybereason said this type of attack on MNOs, which form part of a nation's critical infrastructure due to our dependence on the technology, can usually be attributed to a nation-state.

A UK parliamentary committee of MPs and Lords said late last year that it's "impossible" to protect critical infrastructure from cyber attacks like WannaCry; mitigation is fast becoming the only method of protection.

"The threat actor mainly sought to obtain CDR data (call logs, cell tower locations, etc.) belonging to specific individuals from various countries," the report said. "This type of targeted cyber espionage is usually the work of nation state threat actors."

It said nearly a quarter of all critical infrastructure organisations have been hit by nation-state attacks, and it believes this campaign is no exception.

"We've concluded with a high level of certainty that the threat actor is affiliated with China and is likely state sponsored," read the report. "The tools and techniques used throughout these attacks are consistent with several Chinese threat actors, specifically with APT10, a threat actor believed to operate on behalf of the Chinese Ministry of State Security (MSS)."

"There are multiple indicators that suggest that this campaign is a Chinese threat actor. Not just the RAT, but additional tools which can be attributed to a specific group called APT 10," said Mor Levi, vice president, global security practice at Cybereason. "A disclaimer to this is that those tools were leaked a few years ago, and anyone with a little bit of effort can 'get their hands on those tools' and make it look like APT 10 is behind that."

The exfiltrated data of call detail records (CDRs) is some of the most valuable available to a nation-state, according to Cybereason.

While many hackers set their sights on large organisations for financial reward, having mountains of CDRs enables a nation-state to understand who an individual is speaking to, where they're travelling and what devices they're using.

This becomes especially useful when targeting high-value individuals such as intelligence officers, politicians or members of law enforcement agencies.

"This attack has widespread implications, not just for individuals, but also for organizations and countries alike," said the report. "This is another form of cyber warfare being used to establish a foothold and gather information undercover until they are ready to strike."
