Operation Soft Cell: A worldwide Cyber-espionage campaign targeting telecommunications operators

By Amit Serper, Mor Levi, Assaf Dahan, Cybereason

In 2018, 30% of telecommunications companies reported that confidential customer data had been stolen following an attack. These telecommunications operators have experienced significant growth by offering a highly available service and have thus become providers of essential infrastructures.

Groups of hackers, in particular affiliated to nation-States, seek opportunities to attack this type of organisation in very elaborate and complex operations to take advantage of these attacks, seizing strategic assets and collecting confidential data.

Last year, the Cybereason Nocturnus research team demonstrated that such a group had been specifically targeting telecommunications operators for at least seven years. Cybereason conducted a comprehensive "post-incident” review of these attacks which allowed them to identify changes in the models of attack and the quarterly frequency of these activities.

This multi-phase attack focussed on acquiring very valuable data from specific targets, allowing them to take complete control of the network. The group at the origin of this attack sought primarily to obtain "CDR” data (call logs, locations of the relay towers, etc.) belonging to individuals from different countries.

Key points

  • Cybereason identified an advanced persistent attack targeting telecommunications operators that had been running for years, shortly after its deployment in one client’s environment.
  • According to the information available to Cybereason, the "Soft Cell” operation has been active since at least 2012, although some data indicate that this group of hackers had taken action even earlier against telecommunications operators.
  • The perpetrators attempted to steal all the data stored in the Active Directory to compromise the confidentiality of all the company’s user names and passwords, as well as other data allowing personal identification, such as billing data, call logs, user names, email servers, user geolocation, and much more.
  • The tools and techniques used (TTP) are generally associated with groups from China.
  • During the persistent attack, the hackers worked in several phases, abandoning the attack once it had been detected and blocked, but returning to it a few months later with new tools and techniques.

Security recommendations for telecommunications operators

  • Add an additional layer of security for web servers. For example, use WAF (Web Application FW) to prevent minor attacks on Internet-oriented Web servers.
  • Expose as few systems or ports to the Internet as possible. Ensure that all exposed Web servers and Web services have appropriate patches.
  • Use an EDR tool to provide good visibility and immediate response capabilities when very serious incidents are detected.
  • Regularly and proactively seek to identify assets of a confidential and sensitive nature in your environments.

In summary, although these attacks were directed against specific individuals, it is important not to forget that any entity having the power to take control of telecommunications operators’ networks could potentially take advantage of this unauthorised network access and disrupt or shut down an entire cellular network in a much larger cyberwar operation.