A security company has reported a prolonged cyberattack against mobile network operators around the world, in which the attackers collected data about phone calls: not the audio, but the metadata, from the duration of a call and the identities of the parties to the physical location of the handset. The report, from Cybereason, an international cyber-security company headquartered in Boston, says it worked with one telecoms provider to combat five waves of attacks since 2018, and has since discussed the same activity with more than a dozen other network operators.
Cybereason detailed how the attacks unfolded. The target was Call Detail Records, or CDRs, the records a network keeps of every call for billing and operational purposes. To get into the providers' private networks, the attackers used a familiar technique: malware delivered as malicious email attachments, activated when a recipient opened the file. Once inside, the security firm believes, the objective was to reach the systems holding the CDRs and extract them. The company says that after it spotted and shut down the first intrusion, it went on to stop four further attacks over the following months; each time the attackers had reworked their tools and changed their techniques to get past the defences that had caught them before.
The networks targeted have not been named, but the CDR data collected apparently related to subscribers in Asia, the Middle East and Europe. Cybereason describes the attacks as persistent and advanced, with attempts to steal usernames, passwords, call records, billing information, geo-location data and more. The security company called it "a complete takeover of the network."
While the report does not name the networks, say how much information (if any) was actually exfiltrated, state whether subscribers are in any danger, or address whether the operators concerned are obliged to notify affected users, it does not hesitate to identify who it believes is behind the attacks. Cybereason says the tools and methods used point to APT10, a hacking group linked to the Chinese Ministry of State Security.
APT10 has been in the news before. At the end of 2018 the U.K. and U.S. governments publicly attributed to the group a long-running campaign against managed service providers in the U.K., Japan and elsewhere, a campaign first documented by PwC and BAE Systems under the name Operation Cloud Hopper. At the time, investigators at PwC said the large-scale operation was "only likely to reflect a small portion of APT10's global operations." It is entirely possible that the latest campaign, which Cybereason calls Operation Soft Cell, is likewise only one part of APT10's current activity. The group has also been blamed for recent cyber-espionage activity in the Philippines. When the U.S. indicted two Chinese citizens alleged to be members of APT10 at the end of 2018, the Chinese Foreign Ministry responded that it does not support, nor participate in, the theft of commercial secrets.
How likely is it that you were caught up in these attacks? Cybereason says it does not believe U.S. subscribers or networks were affected. It also does not link the attacks to the ongoing accusations against Huawei, or to any alleged security threat from that company. Finally, it is worth remembering that Cybereason is a cyber-security vendor that sells a platform designed to "tell companies if they are under attack, the attack's impact, and how to immediately stop the threat." There is no reason to doubt its report and findings, but it will naturally be keen to promote its services at a time of heightened concern over network security.