Originally posted on cnet.com:
Security researchers
have found that hackers have infiltrated more than a dozen mobile carriers
since 2012.
Hackers have quietly infiltrated more than a
dozen mobile carriers around the world, gaining
complete control of networks behind the companies' backs. The attackers have
been using that access over the last seven years to steal sensitive data, but
have so much control they could shut down communications at a moment's notice,
according to Cybereason, a security company based in Boston.
On Tuesday, Cybereason said it's been investigating the campaign, dubbed Operation Soft Cell,
through which hackers targeted phone providers in Europe, Asia, Africa and the
Middle East. The hackers infected multiple mobile carriers since 2012, gaining
control and siphoning off hundreds of gigabytes of data on people.
It constitutes a potentially massive breach -- with more fallout still to come
-- as companies across different industries struggle with how to protect their
customers' data. The hackers also had highly privileged access to do more than
steal information.
"They have all the usernames and passwords,
and created a bunch of domain privileges for themselves, with more than one
user," said Amit Serper, Cybereason's head of security research.
"They can do whatever they want. Since they have such access, they could
shut down the network tomorrow if they wanted to."
Gigabytes of data theft
Cyberattacks on infrastructure are a national
security concern -- hackers have found ways to shut down electrical power grids and access dams. The US Department of Homeland
Security has created its own center for dealing with attacks on infrastructure, which it
acknowledged as a frequent target for hackers. If an attacker shut down phone
networks, it could cause massive disruption.
Serper said he didn't find any US mobile
carriers that were affected, but the hacking campaign is ongoing and it's
possible that could change.
A person familiar with plans at one of the major
US mobile carriers said the company is aware of the cyberattacks and is taking
precautions against a potential breach.
The hackers stole
hundreds of gigabytes of call data records, which included sensitive
information like real-time geolocation.
While they were able to disrupt network signals,
the hackers were more focused on espionage than disruption, Cybereason
found.
After gaining access to mobile carriers'
internal servers, the hackers would have access to call data records on
hundreds of millions of customers. That would provide information like
geolocation data, call logs and text message records.
While the hackers had access to the data of
millions of people, they had stolen data from fewer than 100 targeted victims.
The attackers likely targeted high-profile victims involved in government and
the military, said Mor Levi, Cybereason's vice president of security practices.
That data could update in real time, as long as
mobile carriers didn't catch on that they'd been hacked.
"Hacking a company that has mountains of
data that is always updating is the holy grail for an intelligence
agency," Serper said. "It's not just about gaining that access; it's
about maintaining it."
How the attacks happened
Cybereason's researchers found that the
attackers gained access to more than a dozen mobile carriers by exploiting old
vulnerabilities, like malware hidden in a Microsoft Word file or finding an
exposed public server belonging to a given company.
Once they slipped in, the malware spread
by searching for all the computers on the same network and attempting to gain
access by flooding them with login attempts. It continued to spread as long as
the credentials worked, until the hackers reached the call data records
database.
Using that access, the hackers also created accounts for themselves with escalated
privileges, essentially hiding among the company's actual staff. Even if the
companies take measures to close up their vulnerabilities, the hackers could
remain in the network for years after the fix.
Because the attack method was this sophisticated
and targeted, Cybereason researchers believe the hackers were backed by a
nation-state. All digital forensics signs point to China. The malware used, the
method of attack and the servers used in the attacks are tied to APT10, China's elite hacking group.
A Chinese foreign ministry spokesperson said
that China "firmly opposes" cyberattacks using the nation's
infrastructure, and denied involvement with the hacks.
"Second, with the cyberspace being a highly
virtual one filled with multiple actors whose behaviors are difficult to trace,
one should present abundant evidence when investigating and determining the
nature of a cyberspace activity," the Chinese embassy said in an email.
"Making groundless accusations is neither professional nor
responsible."
But there's no smoking gun tying China's hackers
to this campaign. Despite the attackers using Chinese malware and servers, it's
possible they're attempting to frame APT10, researchers said.
"Because the tools that we saw were leaked
and are publicly available to anyone who's looking to get those tools, it could
be anyone who wants to look like APT10," Levi said.
What to do
Cybereason said it's reached out to all the
affected mobile carriers, though it's unclear what fixes they may have
implemented to stop the intrusion.
Levi recommended that all mobile carriers
strictly monitor their internet-facing properties, especially servers. Mobile
carriers should also look for accounts that have high-privilege access.
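The two behaviours the article describes, a single machine spraying login attempts across the network and attackers adding their own accounts to high-privilege groups, are both visible in ordinary authentication and directory logs if someone looks. The script below is an added example, not code from CNET or Cybereason: it runs over a handful of constructed log lines in an assumed, simplified "key=value" format (not any vendor's real format) and flags a source host that attempts logins against many distinct hosts inside a short window, plus any addition to a watch-list of privileged groups. The thresholds and group names are assumptions a carrier would tune to its own environment.

```python
"""Detection sketch for lateral-movement login sprays and privileged group adds.

Assumed, simplified log format (not a real vendor format):
    <ISO timestamp> <EVENT> key=value key=value ...
Sample lines are constructed for this example.
"""
import shlex
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample events: one host (10.0.5.17) tries one service account
# against seven neighbours in six seconds; a normal user mistypes once;
# then the compromised service account adds a new account to Domain Admins.
SAMPLE_LOG = """\
2019-06-01T02:00:01 AUTH_FAIL src=10.0.5.17 dst=10.0.5.20 user=svc_backup
2019-06-01T02:00:02 AUTH_FAIL src=10.0.5.17 dst=10.0.5.21 user=svc_backup
2019-06-01T02:00:02 AUTH_FAIL src=10.0.5.17 dst=10.0.5.22 user=svc_backup
2019-06-01T02:00:03 AUTH_OK   src=10.0.5.17 dst=10.0.5.23 user=svc_backup
2019-06-01T02:00:04 AUTH_FAIL src=10.0.5.17 dst=10.0.5.24 user=svc_backup
2019-06-01T02:00:05 AUTH_FAIL src=10.0.5.17 dst=10.0.5.25 user=svc_backup
2019-06-01T02:00:06 AUTH_OK   src=10.0.5.17 dst=10.0.5.26 user=svc_backup
2019-06-01T02:05:00 AUTH_FAIL src=10.0.9.3  dst=10.0.9.4  user=alice
2019-06-01T02:06:00 AUTH_OK   src=10.0.9.3  dst=10.0.9.4  user=alice
2019-06-01T02:10:00 GROUP_ADD group="Domain Admins" user=svc_backup2 by=svc_backup
2019-06-01T02:10:30 GROUP_ADD group="CDR Operators" user=bob by=admin01
"""

# Assumed watch-list; a real deployment would take this from the directory.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins"}


def parse_events(text):
    """Parse the assumed log format into a list of dicts (shlex keeps quoted values whole)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, *rest = shlex.split(line)
        fields = dict(tok.split("=", 1) for tok in rest)
        fields["ts"] = datetime.fromisoformat(ts)
        fields["event"] = kind
        events.append(fields)
    return events


def find_login_sprays(events, window=timedelta(seconds=60), min_hosts=5):
    """Return {src: summary} for sources that hit >= min_hosts distinct hosts within any window.

    A sliding window over each source's time-sorted attempts tracks how many
    distinct destinations fall inside the window; successes are counted too,
    because a spray that starts succeeding is the case that matters most.
    """
    per_src = defaultdict(list)
    for e in events:
        if e["event"] in ("AUTH_FAIL", "AUTH_OK"):
            per_src[e["src"]].append(e)

    findings = {}
    for src, attempts in per_src.items():
        attempts.sort(key=lambda e: e["ts"])
        in_window = Counter()  # dst -> number of attempts inside the current window
        left = 0
        best_hosts = 0
        for e in attempts:
            in_window[e["dst"]] += 1
            # Slide the left edge forward until the window is no wider than `window`.
            while e["ts"] - attempts[left]["ts"] > window:
                old = attempts[left]["dst"]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            best_hosts = max(best_hosts, len(in_window))
        if best_hosts >= min_hosts:
            findings[src] = {
                "distinct_hosts": best_hosts,
                "successes": sum(1 for e in attempts if e["event"] == "AUTH_OK"),
                "users": sorted({e["user"] for e in attempts}),
            }
    return findings


def find_privileged_group_adds(events, privileged=PRIVILEGED_GROUPS):
    """Return every GROUP_ADD whose target group is on the privileged watch-list."""
    return [
        {"ts": e["ts"], "user": e["user"], "group": e["group"], "by": e["by"]}
        for e in events
        if e["event"] == "GROUP_ADD" and e["group"] in privileged
    ]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for src, info in find_login_sprays(evs).items():
        print(f"login spray from {src}: {info}")
    for add in find_privileged_group_adds(evs):
        print(f"privileged group change: {add}")
```

On the constructed input the spray detector reports only 10.0.5.17 (seven distinct hosts, two successful logins, one service account), and the group monitor reports the single Domain Admins addition while ignoring the ordinary group; the point of pairing the two is that the account created by a spray that succeeded is exactly the "hiding among the staff" case the article describes.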
Serper said the investigation is ongoing, and he
continues to find more companies hacked by this group by the day. The hackers'
servers are still up and running, he noted.
For people being tracked through this data
theft, there's almost nothing they can do to protect themselves from espionage,
he noted. Victims wouldn't even know that their call data records were being
stolen from mobile carriers.
"There is no residue on your phone. They
know exactly where you are and who you're talking to, and they didn't install
any piece of code on your phone," Serper said.
Originally published June 24.
Update, June 25, 6:56 a.m. PT: Adds that US mobile carriers didn't respond to requests for comment. At 9:02 a.m. PT: Notes that a US mobile carrier is taking precautions against the attacks. At 1:09 p.m. PT: Adds a response from the Chinese embassy.