
Hackers hit over a dozen mobile carriers and could shut down networks, researchers find


The AchieVer

“Hacking a company that has mountains of data that is always updating is the holy grail for an intelligence agency.”

 
[Image] Security researchers found that hackers had infiltrated more than a dozen mobile carriers since 2012. (James Martin/CNET)

Hackers have quietly infiltrated more than a dozen mobile carriers around the world, gaining complete control of networks behind the companies' backs. The attackers have been using it over the last seven years to steal sensitive data, but have so much control, they could shut down communications at a moment's notice, according to Cybereason, a security company based in Boston. 

 

Security researchers from the company on Tuesday said they've been investigating the campaign, which it has named Operation Softcell, where hackers targeted phone providers in Europe, Asia, Africa and the Middle East. The hackers infected multiple mobile carriers since 2012, gaining control and siphoning off hundreds of gigabytes of data on people.

 

It marks a potentially massive breach -- with more fallout still to come -- as companies across different industries struggle with how to protect their customers' data. The hackers also had high-privileged access to do more than steal information.

 

"They have all the usernames and passwords, and created a bunch of domain privileges for themselves, with more than one user," said Amit Serper, Cybereason's head of security research. "They can do whatever they want. Since they have such access, they could shut down the network tomorrow if they wanted to." 

Gigabytes of data theft

Cyberattacks on infrastructure are a national security concern, as hackers have found ways to shut down electrical power grids and access water dams. The US Department of Homeland Security has created its own center for dealing with attacks on infrastructure, which it acknowledged was a frequent target for hackers. If an attacker shut down phone networks, it could cause massive disruption and communication issues.

Serper said he didn't find any US mobile carriers that were affected, but the hacking campaign is ongoing and it's possible that could change. While they were able to disrupt network signals, the hackers were more focused on espionage than disruption, Cybereason found. 

[Image] The hackers stole hundreds of gigabytes of call data records, which included sensitive information like real-time geolocation. (Cybereason)

After gaining access to mobile carriers' internal servers, the hackers would have access to call data records on hundreds of millions of customers. That would provide information like geolocation data, call logs and text message records.

 

While the hackers had access to millions of people's data, they had only stolen data from less than 100 highly targeted victims. The attackers likely targeted high-profile victims involved in government and the military, said Mor Levi, Cybereason's vice president of security practices.

That data could update in real time, as long as mobile carriers didn't catch on that they had been hacked. 

 

"Hacking a company that has mountains of data that is always updating is the holy grail for an intelligence agency," Serper said. "It's not just about gaining that access; it's about maintaining it." 

How the attacks happened

Cybereason's researchers found that the attackers gained access to more than a dozen mobile carriers by exploiting old vulnerabilities, like malware hidden in a Microsoft Word file or finding an exposed public server belonging to the company. 

Once they slipped in, the malware spread by searching for all the computers on the same network and attempting to gain access by flooding them with login attempts. It continued to spread as long as the credentials worked, until the hackers reached the call data records database.

 

Using that access, the hackers also created accounts for themselves with escalated privileges, essentially hiding among the company's actual staff. Even if the companies take measures to close up their vulnerabilities, the hackers could still remain in the network for years after the fix.

 

Because the attack method was this sophisticated and targeted, Cybereason researchers believe the hackers were backed by a nation-state. All digital forensics signs point to China -- the malware used, the method of attack and the servers the attacks are on are tied to APT10, China's elite hacking group.

But there's no smoking gun tying the nation-state's hackers to this hacking campaign. Despite the hackers using Chinese malware and servers, it's possible the attacker is a group attempting to frame APT10, researchers said.

 

"Because the tools that we saw were leaked and are publicly available to anyone who's looking to get those tools, it could be anyone who wants to look like APT10," Levi said.   

What to do

Cybereason said it's reached out to all the affected mobile carriers, though it's unclear what fixes they may have implemented to stop the intrusion. 

 

Levi recommended that all mobile carriers strictly monitor their internet-facing properties, especially servers. Mobile carriers should also look for accounts that have high privilege access.

Serper said the investigation is ongoing, and he continues to find more companies hacked by this group by the day. The hackers' servers are still up and running, he noted.

 

For people being tracked through this data theft, there's almost nothing they can do to protect themselves from espionage, he noted. Victims wouldn't even be able to know that their call data records are being stolen from mobile carriers. 

 

"There is no residue on your phone. They know exactly where you are and who you're talking to, and they didn't install any piece of code on your phone," Serper said. 

 

 

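An added detection example, not Cybereason's or CNET's code, for the two behaviours the post describes: a source host whose failed logons fan out across many machines, and an account that is created and then placed in a privileged group by the same actor. The log format, host names, group names and every value are constructed for the example.

```python
from collections import defaultdict

# Constructed sample log (not real carrier data): timestamp actor source target action [detail]
SAMPLE_LOG = """\
2019-06-24T10:00:01 websvc 10.0.5.21 10.0.5.30 LOGON_FAILED
2019-06-24T10:00:02 websvc 10.0.5.21 10.0.5.31 LOGON_FAILED
2019-06-24T10:00:02 websvc 10.0.5.21 10.0.5.32 LOGON_FAILED
2019-06-24T10:00:03 websvc 10.0.5.21 10.0.5.33 LOGON_FAILED
2019-06-24T10:00:04 websvc 10.0.5.21 10.0.5.34 LOGON_OK
2019-06-24T10:05:10 websvc 10.0.5.34 dc01 USER_CREATED svc_sync
2019-06-24T10:05:12 websvc 10.0.5.34 dc01 GROUP_ADD svc_sync:Domain_Admins
2019-06-24T10:06:00 alice 10.0.7.2 10.0.7.9 LOGON_FAILED
2019-06-24T10:06:01 alice 10.0.7.2 10.0.7.9 LOGON_OK
2019-06-24T11:00:00 hr_admin 10.0.9.1 dc01 GROUP_ADD bob:HR_Staff
"""
# Hypothetical group names; a real deployment would use its directory's own.
PRIVILEGED_GROUPS = {"Domain_Admins", "Enterprise_Admins"}

def parse(log):
    """Turn the whitespace-separated lines into event dicts."""
    events = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        ts, actor, src, dst, action = parts[:5]
        detail = parts[5] if len(parts) > 5 else ""
        events.append(dict(ts=ts, actor=actor, src=src, dst=dst, action=action, detail=detail))
    return events

def spraying_sources(events, min_targets=3):
    """Sources whose failed logons fan out to >= min_targets distinct hosts (the login-attempt flooding the article describes)."""
    targets = defaultdict(set)
    for e in events:
        if e["action"] == "LOGON_FAILED":
            targets[e["src"]].add(e["dst"])
    return sorted(s for s, t in targets.items() if len(t) >= min_targets)

def rogue_privileged_accounts(events, groups=PRIVILEGED_GROUPS):
    """Accounts created and then put in a privileged group by the same actor (the self-made privileged accounts the article describes)."""
    created = {e["detail"]: e["actor"] for e in events if e["action"] == "USER_CREATED"}
    hits = []
    for e in events:
        if e["action"] != "GROUP_ADD" or ":" not in e["detail"]:
            continue
        user, group = e["detail"].split(":", 1)
        if group in groups and created.get(user) == e["actor"]:
            hits.append((user, group, e["actor"]))
    return hits
```

On the sample, only 10.0.5.21 is flagged as a spraying source, and only svc_sync is flagged as a self-created privileged account; the single failed logon from alice and the HR group change are left alone.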


6 hours ago, The AchieVer said:

All digital forensics signs point to China

 

That's not what Reuters reported at all; they said:

 

Quote

The company said on previous occasions it had identified attacks it suspected had come from China or Iran but it was never certain enough to name these countries.

 

https://www.reuters.com/article/us-cyber-telecoms-cybereason/hackers-hit-global-telcos-in-espionage-campaign-cyber-research-firm-idUSKCN1TQ0BC

 

Meaning this group doesn't even know, even though they've been investigating this since last year, 2018, so most likely they will never know who did it, if the story is even true, and most of this report is based on things they claim happened in 2018, not 2019.

 

Interesting discussion here on it, about how they show no real proof, and a guy here says there were more like 2 affected by this:

https://old.reddit.com/r/netsec/comments/c52xwq/operation_soft_cell_a_worldwide_campaign_against/

 

One news site says 10 and the next says 12, showing they don't really know either, but Forbes and Bloomberg are being careful by saying "alleged attack" and "they claim it happened", meaning these news sites don't necessarily believe it but they just want to get the story out, just like every other news site in the West reported it. :rofl:

 

Too many holes in this story, and they left any real proof out to make it sound factual. They don't even name any of the telcos that it happened to in their report, which is fishy because every time a company gets breached it's all over the news. The way Bloomberg wrote it sounds like it justifies what the USA is doing to China.

 

Cybereason sells endpoint; they're run by a group of guys who worked for the Israel Defense Forces Unit 8200. It's run by spies, NSA wannabes.

https://www.mcclatchydc.com/news/nation-world/national/national-security/article134016454.html

 

I wonder how much the USA government paid them to put this out when they're in the middle of a trade war with China? The only telemetry they have is from desktops in their report, which is really strange since they're investigating telcos. It seems the CIA was right about people paying for their own surveillance, because almost all security software companies are run by people who worked for some government as a spy, if you check them out.
