Israeli-U.S. cybersecurity firm Cybereason Nocturnus released a report on Monday claiming that "nation-state" hackers had compromised the systems of at least ten cellular carriers around the world to steal metadata related to specific users.
The attack was identified earlier this year and targeted telecommunications providers, but based on the data available to the security firm, "Operation Soft Cell" has been active since at least 2017, and some evidence suggests even earlier activity.
The attack aimed to obtain call detail records (CDRs) from a large telecommunications provider. The threat actor attempted to steal all data stored in Active Directory, compromising every username and password in the organization, along with other personally identifiable information, billing data, call detail records, credentials, email servers, users' geolocation data, and more.
The tools and TTPs used are commonly associated with the Chinese threat actor APT10.
“For this level of sophistication it’s not a criminal group. It is a government that has capabilities that can do this kind of attack,” Cybereason said.
China has repeatedly denied involvement in any hacking activity.
Cybereason declined to name the companies affected or the countries they operate in.
FireEye and CrowdStrike, the cybersecurity firms that have painted the most complete profile of APT10, could not confirm Cybereason's findings, but said they have seen broad targeting of cellular providers, including by Russian and Iranian state-sponsored hackers, both for tracking individuals and for bypassing two-factor authentication by intercepting the SMS messages sent to phones as one-time passcodes.