The infamous Chinese hacking group APT 10 has compromised over 10 telecom networks around the world in a campaign called Operation Soft Cell, stealing sensitive data including call records and PII, and attempting to steal all data stored in Active Directory.
APT 10 threat actors are known as one of the most sophisticated hacking groups in the world, and the group mostly targets commercial activities including aviation, satellite and maritime technology, industrial factory automation, finance, telecommunications and consumer electronics, computer processor technology, and information technology services.
In 2018, researchers from Cybereason first identified this persistent attack, which primarily targeted global telecommunication networks using advanced tools, techniques, and procedures (TTPs) that had never been seen before.
Researchers describe this attack as “massive-scale” espionage conducted against international telecommunication networks to steal all data stored in Active Directory, compromising every single username and password in the organization, along with other personally identifiable information, billing data, call detail records, credentials, email servers, geo-location of users, and more.
Threat actors from APT 10 have been involved in this massive campaign for nearly the past two years, and they keep changing their attack patterns, with new activity every quarter.
Researchers believe that APT 10 is a Chinese state-sponsored threat group whose primary focus in telecom networks is obtaining CDR data (call logs, cell tower locations, etc.).
The threat actors started gathering information about the network from a vulnerable publicly-facing server by executing a web shell.
Later, they attempted to compromise the most valuable critical assets, including database servers, billing servers, and Active Directory.
Several months later, researchers uncovered a second wave of attacks on telecom networks with similar infiltration attempts, a modified version of the web shell, and further surveillance activities.
The initial indication was a malicious web shell identified on an IIS server running under the process name w3wp.exe; it was later confirmed that the web shell is a modified version of China Chopper, a web shell first discovered in 2012 and used by Chinese threat actors to attack enterprise web servers and gain remote access.
The threat actors launched a series of PowerShell commands on the compromised machine to enumerate information about the network architecture, users, and Active Directory.
The attackers also used nbtscan, a NetBIOS nameserver scanner, to identify available NetBIOS name servers and scan the internal IP range of the targeted telecommunication network.
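The web shell, PowerShell enumeration and nbtscan activity described above share one detection signal: the IIS worker process (w3wp.exe) spawning a shell or a scanner, which it never does in normal operation. The following is an added detection example, not code from Cybereason or the article; the key=value event format and the sample events are constructed to stand in for Sysmon or EDR process-creation telemetry.

```python
import ntpath
import re

# Executables a healthy IIS worker process has no legitimate reason to launch.
SUSPICIOUS_CHILDREN = {"powershell.exe", "cmd.exe", "nbtscan.exe", "net.exe"}
WEB_WORKER = "w3wp.exe"

# Matches key=value pairs; quoted values may contain spaces.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample process-creation events (hypothetical format).
SAMPLE_EVENTS = [
    'ParentImage=C:\\Windows\\System32\\inetsrv\\w3wp.exe Image=C:\\Windows\\System32\\cmd.exe CommandLine="cmd.exe /c whoami"',
    'ParentImage=C:\\Windows\\System32\\inetsrv\\w3wp.exe Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe CommandLine="powershell -nop -c Get-ADUser -Filter *"',
    'ParentImage=C:\\Windows\\System32\\inetsrv\\w3wp.exe Image=C:\\Windows\\Temp\\nbtscan.exe CommandLine="nbtscan.exe -r 10.0.0.0/24"',
    'ParentImage=C:\\Windows\\explorer.exe Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe CommandLine="powershell"',
    'ParentImage=C:\\Windows\\System32\\inetsrv\\w3wp.exe Image=C:\\Windows\\System32\\conhost.exe CommandLine="conhost.exe"',
]


def parse_event(line):
    """Turn one key=value event line into a dict, stripping surrounding quotes."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def is_web_shell_child(event):
    """True when an IIS worker process spawns a shell or reconnaissance tool."""
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    child = ntpath.basename(event.get("Image", "")).lower()
    return parent == WEB_WORKER and child in SUSPICIOUS_CHILDREN


def find_alerts(lines):
    """Return (child executable, command line) for every event that matches."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        if is_web_shell_child(event):
            child = ntpath.basename(event["Image"]).lower()
            alerts.append((child, event.get("CommandLine", "")))
    return alerts


if __name__ == "__main__":
    for child, cmdline in find_alerts(SAMPLE_EVENTS):
        print(f"ALERT: w3wp.exe spawned {child}: {cmdline}")
```

The fourth sample (an administrator's PowerShell launched from explorer.exe) and the fifth (conhost.exe, a normal console host) are deliberately not flagged, so the rule keys on the parent/child pair rather than on PowerShell alone.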
In order to maintain access to the compromised assets, the threat actors deployed the widely used PoisonIvy RAT (PIVY), a Remote Access Trojan used by various APT groups including APT10, APT1, and DragonOK.
PIVY is a very powerful RAT that lets hackers take complete control of machines in the targeted telecom networks, and it has some important features including,
According to Cybereason, one of the most valuable pieces of data that telecommunications providers hold is Call Detail Records (CDRs). CDRs are a large subset of metadata that contains all details about calls, including:
1. Source, Destination, and Duration of a Call
2. Device Details
3. Physical Location
4. Device Vendor and Version
“Having this information becomes particularly valuable when nation-state threat actors are targeting foreign intelligence agents, politicians, opposition candidates in an election, or even law enforcement”, Cybereason said.