[BreachExchange] Cybercrooks built their own VPN to hack into global telcos

Destry Winant destry at riskbasedsecurity.com
Thu Jun 27 01:01:05 EDT 2019


https://www.techradar.com/news/cybercrooks-built-their-own-vpn-to-hack-into-global-telcos

Cybercriminals have infiltrated more than a dozen mobile carriers around
the world and gained complete control of their networks without the
carriers' knowledge, according to new research from Cybereason.

Last year, the Cybereason Nocturnus team discovered an advanced,
persistent attack targeting global telecommunications providers,
carried out by a threat actor using tools and techniques commonly
associated with the Chinese-affiliated group APT10. The attackers
still control the compromised networks today and have even built their
own VPN inside them for convenient, persistent access.

The security firm detailed its findings in a new report titled
"Operation Soft Cell: A worldwide campaign against telecommunications
providers", which explains how the attackers targeted phone providers
in Europe, Asia, Africa and the Middle East. The campaign has been
compromising mobile carriers since at least 2012, and the attackers
used their control of these networks to steal hundreds of gigabytes of
customer data.


Amit Serper, head of security research at Cybereason, explained that
the attackers hold highly privileged access to the carriers' networks
in addition to customer data, saying:

"They have all the usernames and passwords, and created a bunch of
domain privileges for themselves, with more than one user. They can do
whatever they want. Since they have such access, they could shut down
the network tomorrow if they wanted to."

Operation Soft Cell

According to Cybereason, no US mobile carriers were affected by the
attacks, but since the campaign has yet to be shut down, this could
change in the future.

The attackers had the ability to disrupt the networks they infiltrated
but chose to use their access for espionage rather than disruption.
Once they gained access to a mobile carrier's internal servers, they
were able to read customer records, including geolocation data, call
logs and text message records.

Despite having access to data on millions of subscribers, the attackers
chose to steal data on fewer than 100 targeted individuals. Mor Levi,
vice president of security practices at Cybereason, believes they
likely targeted high-profile victims from governments and militaries
around the world.

According to the firm's research, the attackers exploited older, known
vulnerabilities to gain an initial foothold in more than a dozen mobile
carriers around the world. They then used that access to create domain
accounts for themselves with escalated privileges and hid among the
carriers' legitimate staff accounts.
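The two observations above, that the attackers created their own domain accounts and "created a bunch of domain privileges for themselves, with more than one user", describe exactly the pattern a detection engineer at a carrier would want to alert on: a freshly created account being added to a privileged group, especially by a subject that is not an approved identity administrator. The following is an added example, not code from the article or from Cybereason's report. It correlates Windows Security events 4720 (user account created) with 4728/4732/4756 (member added to a global/local/universal security group) over a constructed, clearly fictional set of log records; the group and approved-granter lists are hypothetical policy settings a real deployment would replace with its own.

```python
from datetime import datetime, timedelta

# Constructed sample log records (not real telemetry from any carrier or from
# Cybereason's report). Field names and event IDs follow the Windows Security
# log: 4720 = user account created; 4728 / 4732 / 4756 = member added to a
# security-enabled global / local / universal group.
SAMPLE_EVENTS = [
    {"time": "2019-06-20T02:14:03", "id": 4720, "subject": "svc-backup",
     "target": "jsmith2", "group": None},
    {"time": "2019-06-20T02:15:41", "id": 4728, "subject": "svc-backup",
     "target": "jsmith2", "group": "Domain Admins"},
    {"time": "2019-06-20T09:30:00", "id": 4720, "subject": "hr-admin",
     "target": "newhire01", "group": None},
    {"time": "2019-06-21T03:02:10", "id": 4756, "subject": "svc-backup",
     "target": "jsmith2", "group": "Enterprise Admins"},
    {"time": "2019-06-21T10:00:00", "id": 4728, "subject": "hr-admin",
     "target": "newhire01", "group": "Helpdesk"},
]

# Hypothetical policy for this example: which groups count as privileged and
# which accounts are allowed to grant membership in them.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins",
                     "Schema Admins", "Administrators"}
APPROVED_GRANTERS = {"iam-admin"}
GROUP_ADD_IDS = {4728, 4732, 4756}


def find_suspicious_privilege_grants(events, window_hours=24):
    """Correlate account creation with privileged-group membership.

    Returns one alert per (account, group) where the account was added to a
    privileged group within `window_hours` of being created, or where the
    addition was performed by a subject outside APPROVED_GRANTERS. Events are
    processed in time order, so a grant logged before the creation event is
    not matched against it.
    """
    window = timedelta(hours=window_hours)
    created = {}   # target account -> (creation time, creating subject)
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):   # ISO-8601 sorts lexically
        t = datetime.fromisoformat(ev["time"])
        if ev["id"] == 4720:
            created[ev["target"]] = (t, ev["subject"])
            continue
        if ev["id"] not in GROUP_ADD_IDS or ev["group"] not in PRIVILEGED_GROUPS:
            continue
        reasons = []
        birth = created.get(ev["target"])
        if birth is not None and t - birth[0] <= window:
            reasons.append("privileged within %dh of creation by %s"
                           % (window_hours, birth[1]))
        if ev["subject"] not in APPROVED_GRANTERS:
            reasons.append("granted by unapproved account %s" % ev["subject"])
        if reasons:
            alerts.append({"account": ev["target"], "group": ev["group"],
                           "time": ev["time"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in find_suspicious_privilege_grants(SAMPLE_EVENTS):
        print(a["time"], a["account"], "->", a["group"], "|", "; ".join(a["reasons"]))
```

On the sample data, jsmith2's addition to Domain Admins fires on both signals, while the Enterprise Admins addition a day later falls just outside the 24-hour window and fires only on the unapproved-granter check; newhire01's Helpdesk membership is ignored. The second signal is the one that matters for a long-running intrusion like this, because an attacker who has been resident since 2012 is long past the creation window, but every grant they make still comes from an account that should not be granting anything.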

The sophisticated and targeted nature of the attack has led Cybereason
to conclude that the attackers were backed by a nation-state, namely
China, as the digital forensic evidence points to the country's elite
hacking group APT10.

The potential implications of an attack this large that went on for so
long are considerable, and we will likely learn more as Cybereason, the
affected mobile carriers and governments around the world investigate
the matter further.
