Nation-state hackers launch massive attack on mobile networks

China is believed to be behind the years-long hack that allowed it to know everything about the victims


Security researchers have uncovered a cyber espionage campaign dating back to 2017, with evidence suggesting it could have been earlier, which involved the hacking of 10 mobile network operators (MNOs) and invisibly tracking their users for months on end.

In the report published by Cybereason, researchers said that hackers were able to exfiltrate all raw data received and transmitted from a user's phone, allowing them to track a person's location and steal personally identifying information including login credentials, call records, billing information and more.

The hackers assumed control of an MNO by first exploiting a vulnerability in an internet-connected web server and using that to work their way into the network. They then moved laterally, compromising each machine in turn by stealing credentials with a Mimikatz variant, until they assumed control of the domain controller, which granted full, highly privileged access to the network.

The hackers then created a string of accounts from which they launched malicious code. They were able to track an MNO's users without detection and without needing to distribute any malware to the user's device, so they learned everything about a user without ever compromising the user's phone.
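The chain just described (credential theft on a foothold host, then new accounts created on the domain controller) leaves a correlatable trail in standard Windows logs. The following is an added defender-side example, not code from the report or from Cybereason; hostnames, user names and the log lines themselves are constructed, and the event IDs are the standard Sysmon ProcessAccess (10) and Windows Security account-creation (4720) and group-membership (4728) events.

```python
"""Flag the intrusion pattern described above: an actor who accesses LSASS
(credential theft) and then creates or promotes an account on a domain
controller within a short window. Added illustration; sample data is constructed."""
from datetime import datetime, timedelta

LSASS_ACCESS = 10        # Sysmon event 10: process accessed another process
ACCOUNT_CREATED = 4720   # Windows Security: a user account was created
PRIV_GROUP_ADD = 4728    # Windows Security: member added to a security-enabled global group

# Constructed sample events (hypothetical hosts and users, not from the report).
SAMPLE_EVENTS = [
    {"time": "2019-06-01T02:10:00", "host": "WEB01", "event_id": LSASS_ACCESS,
     "target": "lsass.exe", "actor": "svc_web"},
    {"time": "2019-06-01T02:25:00", "host": "DC01", "event_id": ACCOUNT_CREATED,
     "target": "backup_svc2", "actor": "svc_web"},
    {"time": "2019-06-01T02:26:00", "host": "DC01", "event_id": PRIV_GROUP_ADD,
     "target": "backup_svc2", "actor": "svc_web"},
    {"time": "2019-06-03T09:00:00", "host": "DC01", "event_id": ACCOUNT_CREATED,
     "target": "jdoe", "actor": "helpdesk"},   # routine provisioning, no LSASS access first
]


def find_suspicious_chains(events, dc_hosts, window_hours=24):
    """Return (actor, source_host, dc_host, event_id, account) tuples for every
    account creation/promotion on a DC that follows an LSASS access by the same
    actor within `window_hours`. Events are grouped per actor so that a routine
    provisioning by an unrelated admin does not fire."""
    by_actor = {}
    for e in events:
        by_actor.setdefault(e["actor"], []).append(e)
    hits = []
    for actor, evs in by_actor.items():
        evs.sort(key=lambda e: e["time"])
        dumps = [e for e in evs
                 if e["event_id"] == LSASS_ACCESS and e["target"].lower() == "lsass.exe"]
        for d in dumps:
            t0 = datetime.fromisoformat(d["time"])
            for e in evs:
                t = datetime.fromisoformat(e["time"])
                if (e["host"] in dc_hosts
                        and e["event_id"] in (ACCOUNT_CREATED, PRIV_GROUP_ADD)
                        and t0 <= t <= t0 + timedelta(hours=window_hours)):
                    hits.append((actor, d["host"], e["host"], e["event_id"], e["target"]))
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_chains(SAMPLE_EVENTS, dc_hosts={"DC01"}):
        print("suspicious chain:", hit)
```

The window and the DC host list are tuning knobs; in practice the LSASS-access event would also be filtered on the accessing process and granted access mask to cut noise from legitimate security agents.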

Cybereason said this type of attack on MNOs, which form part of a nation's critical infrastructure due to our dependence on the technology, can usually be attributed to a nation-state.

A UK parliamentary committee of MPs and Lords said late last year that it's "impossible" to protect critical infrastructure from cyber attacks like WannaCry; mitigation is fast becoming the only method of protection.

"The threat actor mainly sought to obtain CDR data (call logs, cell tower locations, etc.) belonging to specific individuals from various countries," the report said. "This type of targeted cyber espionage is usually the work of nation state threat actors."

It said nearly a quarter of all critical infrastructure organisations have been hit by nation-state attacks, and it believes this case is no exception.

"We've concluded with a high level of certainty that the threat actor is affiliated with China and is likely state sponsored," read the report. "The tools and techniques used throughout these attacks are consistent with several Chinese threat actors, specifically with APT10, a threat actor believed to operate on behalf of the Chinese Ministry of State Security (MSS)."

"There are multiple indicators that suggest that this campaign is a Chinese threat actor. Not just the RAT, but additional tools which can be attributed to a specific group called APT 10," said Mor Levi, vice president, global security practice at Cybereason. "A disclaimer to this is that those tools were leaked a few years ago, and anyone with a little bit of effort can 'get their hands on those tools' and make it look like APT 10 is behind that."

The exfiltrated data of call detail records (CDRs) is some of the most valuable available to a nation-state, according to Cybereason.

While many hackers set their sights on large organisations for financial reward, having mountains of CDRs enables a nation-state to understand who an individual is speaking to, where they're travelling and what devices they're using.

This becomes especially useful when targeting high-value individuals such as intelligence officers, politicians or members of law enforcement agencies.

"This attack has widespread implications, not just for individuals, but also for organizations and countries alike," said the report. "This is another form of cyber warfare being used to establish a foothold and gather information undercover until they are ready to strike."
