Saturday, May 17, 2025

Chinese APT 10 Group Hacked Nearly 10 Telecom Networks and Stealing Users Call Records, PII, Credentials, Email Data and more

The Chinese APT 10 group compromised more than ten telecom networks around the world in a campaign Cybereason calls Operation Soft Cell, stealing sensitive data including call records and PII and attempting to take every record stored in the Active Directory.

APT 10 is regarded as one of the most sophisticated hacking groups in the world. It mostly targets commercial sectors, including aviation, satellite and maritime technology, industrial factory automation, finance, telecommunications, consumer electronics, computer processor technology, and IT services.

In 2018, researchers from Cybereason first identified this persistent attack, which primarily targeted global telecommunications networks using tools, techniques, and procedures (TTPs) not seen before.

Researchers describe the attack as massive-scale espionage conducted against international telecommunications networks in order to steal all data stored in the Active Directory, compromising every username and password in the organization, along with other personally identifiable information, billing data, call detail records, credentials, email servers, users' geo-location, and more.

Threat actors from APT 10 have been involved in this campaign for nearly two years, changing their attack patterns and adding new activity every quarter.

Attack patterns change every quarter

Researchers assess that APT 10 is a Chinese state-sponsored threat group, and that its primary goal in targeting telecom networks is to obtain CDR data (call logs, cell tower locations, etc.).

How Does This Attack Start on Telecom Networks

The threat actors began by deploying a web shell on a vulnerable public-facing server and using it to gather information about the network.

They then attempted to compromise the most valuable critical assets, including database servers, billing servers, and the Active Directory.

Several months later, researchers uncovered a second wave of attacks on telecom networks with similar infiltration attempts, using a modified version of the web shell and new surveillance activity.

The initial indication was a malicious web shell identified on an IIS server, running under the IIS worker process w3wp.exe. It was later confirmed to be a modified version of China Chopper, a web shell first seen in 2012 and used by Chinese threat actors to gain remote access to enterprise web servers.

The threat actors launched a series of PowerShell commands on the compromised machine to enumerate the network architecture, users, and Active Directory.

The attackers also used nbtscan, a NetBIOS name server scanner, to identify available NetBIOS name servers and to scan the internal IP range of the targeted telecommunications network.

Maintain the Compromised Network Access

In order to maintain access to the compromised assets, the threat actors deployed the PoisonIvy RAT (PIVY), a remote access trojan used by several APT groups, including APT10, APT1, and DragonOK.

PoisonIvy RAT

PIVY is a powerful RAT that lets an attacker take complete control of a compromised machine in the telecom network. Its features include:

  • Registry Editor
  • Screenshot Grabber
  • Credential Stealer
  • Interactive Shell
  • File Manager with Upload and Download Support
  • Process Monitor
  • Keylogging and Various other Surveillance Features

According to Cybereason, one of the most valuable pieces of data that telecommunications providers hold is Call Detail Records (CDRs). CDRs are a large body of metadata that describes every call, including:

1. Source, destination, and duration of a call
2. Device details
3. Physical location
4. Device vendor and version

“Having this information becomes particularly valuable when nation-state threat actors are targeting foreign intelligence agents, politicians, opposition candidates in an election, or even law enforcement”, Cybereason said.

Hacking Tools Used for this Campaign – Cybereason

  1. Web Shells
    • A modified version of the China Chopper web shell was used for initial compromise.
    • Custom-built web shells were used for later phases of the attack.
  2. Reconnaissance Tools
    • A modified version of Nbtscan was used to identify available NetBIOS name servers locally or over the network.
    • Multiple Windows built-in tools were used for various tasks, including whoami, net.exe, ipconfig, netstat, portqry, and more.
    • WMI and PowerShell commands were used for various tasks.
  3. RAT
    • PoisonIvy was used to maintain access across the compromised assets.
  4. Credential Dumpers
    • A modified version of Mimikatz was used to dump credentials stored on the compromised machines.
    • A PowerShell-based Mimikatz was also used to dump credentials stored on the compromised machines.
  5. Lateral movement
    • WMI was used for lateral movement.
    • PsExec was also used for lateral movement.
  6. Connection Proxy
    • A modified version of hTran was used as a connection proxy to exfiltrate stolen data.
  7. Compression tool
    • Winrar was used to compress and password-protect stolen data.
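The tool chain listed above, together with the web shell and reconnaissance behaviour described under "How Does This Attack Start on Telecom Networks", leaves a recognisable trail in process-creation telemetry: the IIS worker process w3wp.exe spawning a shell, built-in recon commands, Mimikatz-style command lines, shells parented by the PsExec service or the WMI provider host, and WinRAR invoked with a password. The following Python script is an added example, not Cybereason's or the article's code. Its event records are constructed to resemble Sysmon Event ID 1 fields (ParentImage, Image, CommandLine); the host names, paths and command lines are invented, and the specific switches it matches (PowerShell -enc, rar -hp) are assumptions about how such tooling is typically invoked, not indicators taken from the report.

```python
"""Hunt for the Soft Cell tool chain in process-creation telemetry.

Added example (not Cybereason's or the article's code). Sample events are
constructed to look like Sysmon Event ID 1 records; hosts, paths and command
lines are invented, and the switches matched (powershell -enc, rar -hp) are
assumptions about typical tool usage, not indicators from the report.
"""
import json
import re
from collections import defaultdict
from typing import Any, Callable, Dict, List, Tuple

Event = Dict[str, Any]

# Constructed sample telemetry, one JSON object per line (not a real capture).
SAMPLE_EVENTS = r"""
{"id": 1, "host": "web01", "ParentImage": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c whoami"}
{"id": 2, "host": "web01", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell -nop -w hidden -enc SQBFAFgA"}
{"id": 3, "host": "web01", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "Image": "C:\\Windows\\Temp\\nbtscan.exe", "CommandLine": "nbtscan.exe 10.10.0.0/24"}
{"id": 4, "host": "dc01", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "Image": "C:\\Windows\\Temp\\m.exe", "CommandLine": "m.exe privilege::debug sekurlsa::logonpasswords"}
{"id": 5, "host": "db01", "ParentImage": "C:\\Windows\\PSEXESVC.exe", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe"}
{"id": 6, "host": "db01", "ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c ipconfig /all"}
{"id": 7, "host": "db01", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "Image": "C:\\Program Files\\WinRAR\\Rar.exe", "CommandLine": "Rar.exe a -hpSecret123 -r c:\\temp\\cdr.rar d:\\billing\\cdr\\"}
{"id": 8, "host": "ws05", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c ipconfig /all"}
"""

RECON_COMMANDS = {"whoami", "net", "net1", "ipconfig", "netstat", "portqry", "nbtscan", "nbtstat"}
SHELLS = {"cmd.exe", "powershell.exe"}
REMOTE_EXEC_PARENTS = {"psexesvc.exe", "wmiprvse.exe"}  # PsExec service, WMI provider host
ARCHIVERS = {"rar.exe", "winrar.exe"}


def basename(path: str) -> str:
    """Last path component, lower-cased, for either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def command_tokens(cmdline: str) -> List[str]:
    """Lower-cased tokens; the program token is reduced to its basename and '.exe' is dropped."""
    parts = cmdline.lower().split()
    if not parts:
        return []
    return [re.sub(r"\.exe$", "", t) for t in [basename(parts[0])] + parts[1:]]


def webshell_child_process(ev: Event) -> bool:
    # The IIS worker process has no business spawning a shell; China Chopper does exactly this.
    return basename(ev["ParentImage"]) == "w3wp.exe" and basename(ev["Image"]) in SHELLS


def encoded_powershell(ev: Event) -> bool:
    return basename(ev["Image"]) == "powershell.exe" and \
        re.search(r"\s-(e|ec|enc|encodedcommand)\s", ev["CommandLine"], re.I) is not None


def host_recon(ev: Event) -> bool:
    return any(t in RECON_COMMANDS for t in command_tokens(ev["CommandLine"]))


def credential_dumping(ev: Event) -> bool:
    # Mimikatz module syntax survives renaming of the binary; Invoke-Mimikatz covers the PowerShell port.
    return re.search(r"sekurlsa::|lsadump::|invoke-mimikatz", ev["CommandLine"], re.I) is not None


def lateral_movement_exec(ev: Event) -> bool:
    return basename(ev["ParentImage"]) in REMOTE_EXEC_PARENTS and basename(ev["Image"]) in SHELLS


def archive_staging(ev: Event) -> bool:
    # rar -hp<pwd> encrypts file data and headers, -p<pwd> encrypts data only (assumed switch usage).
    return basename(ev["Image"]) in ARCHIVERS and re.search(r"\s-h?p\S", ev["CommandLine"]) is not None


RULES: List[Tuple[str, Callable[[Event], bool]]] = [
    ("webshell_child_process", webshell_child_process),
    ("encoded_powershell", encoded_powershell),
    ("host_recon", host_recon),
    ("credential_dumping", credential_dumping),
    ("lateral_movement_exec", lateral_movement_exec),
    ("archive_staging", archive_staging),
]
# Stages that justify triage on their own; recon alone is too noisy to page on.
HIGH_SEVERITY = {"webshell_child_process", "credential_dumping", "lateral_movement_exec"}


def parse_events(text: str) -> List[Event]:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def match_events(events: List[Event]) -> List[Tuple[int, str]]:
    """(event id, rule name) for every rule that fires on every event."""
    return [(ev["id"], name) for ev in events for name, pred in RULES if pred(ev)]


def hosts_to_triage(events: List[Event]) -> List[str]:
    """Hosts with a high-severity hit, or with two or more distinct stages of the chain."""
    stages = defaultdict(set)
    for ev_id, name in match_events(events):
        host = next(ev["host"] for ev in events if ev["id"] == ev_id)
        stages[host].add(name)
    return sorted(h for h, s in stages.items() if s & HIGH_SEVERITY or len(s) >= 2)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for ev_id, rule in match_events(evs):
        print(f"event {ev_id}: {rule}")
    print("triage:", hosts_to_triage(evs))
```

The per-host correlation is the point: a lone `ipconfig /all` on a workstation (event 8) is not worth an analyst's time, but the same command parented by WmiPrvSE.exe on a database server, on the same host where WinRAR was run with a password, is the staging step that precedes exfiltration through a proxy such as hTran.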

Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
