A multi-year attack carried out by Chinese hackers was exposed recently, and the scope of it is beyond anything previously seen in nation-state cyber espionage.
Hacking group APT10, a notorious team widely believed to have Chinese government support, is thought to have compromised at least 10 major global carriers and used their networks to track and spy on high-profile business leaders and members of foreign governments. What makes this cyber espionage incident unique is that the Chinese hackers appear to have followed their targets as they moved from country to country, hopping from one breached network to another as needed. The ability itself is not new, but it has never been seen at this scale.
What are the Chinese hackers after?
The operation has been going on for at least several years, and APT10 is believed to still be active across multiple networks. The compromised networks were not named, but are located in Africa, Asia, Europe and the Middle East.
The cyber espionage operation was discovered by Boston security firm Cybereason, which believes the compromise has been ongoing since at least 2017. The company’s Nocturnus team caught an attack on an unnamed telecom client that came in waves over the course of six months and was aimed at exfiltrating the client’s call detail records (CDR). The attackers used tools and techniques commonly associated with known Chinese hackers and would switch approaches once detected, retreating and coming back weeks or months later with a new method.
Dubbed “Operation Soft Cell” by Cybereason, the attack did not have the footprint of the usual cyber crime committed for cash. The Chinese hackers were looking to track the movements of 20 specific individuals, moving on to other compromised telecom networks as they followed them. Cybereason did not specifically name APT10, but said that all of the available information points to the group as the most likely culprit. The security firm described the group’s approach as a “total takeover”, giving them low-profile but complete access to the target networks so that they could conduct cyber espionage over an extended period of time.
Call detail records are not generally a profitable form of data to focus on, nor do they allow attackers to listen in on calls. Their cyber espionage use is essentially limited to tracking an individual’s movements and learning who they are talking to, which points to a nation-state actor behind the attack.
The Wall Street Journal reports that the 20 targeted individuals consist of Chinese government dissidents as well as spies, military figures and law enforcement officials of other nations that have ties to China. None of the targeted figures reside in or travel to mainland China. It is important to note, however, that the cyber espionage efforts of the Chinese hackers weren’t necessarily limited to just 20 people; that is simply the count that Cybereason arrived at from the one network it investigated. It is not yet known how much activity took place across the other nine compromised networks.
APT10’s history of cyber espionage
APT10 is one of about 20 APT (Advanced Persistent Threat) groups that are all believed to be backed by a nation-state’s resources. APT10, which is also sometimes referred to as Menupass, has been in operation since at least 2009. The Chinese hackers have been focused on exfiltrating trade secrets and various types of government intelligence from Western nations and from Japan, targeting both private businesses and government agencies.
APT10 has been caught in the midst of similar attacks in recent years. In December, two high-profile Chinese hackers known to be associated with the group were indicted by the United States government for targeting US companies over the course of the prior 12 years. Known APT10 cyber espionage targets over the past decade include Japanese universities, manufacturing companies in Japan and Europe and IT service providers throughout the world.
CDR data not only allows a person’s movements to be tracked and their personal and professional networks to be mapped, but also provides insight into their habits and personal patterns. For example, attackers can infer when someone tends to go to sleep and wake up, or the specific routes they take in their regular travels.
Protecting against advanced nation-state threats
APT groups are the world’s most potent hacking threat, as they have resources and protections that standard criminal groups don’t. Most of the world’s threat actors don’t have anything like the mass scale espionage ability demonstrated here. Fortunately, they also tend to have little reason to attempt to penetrate the average small-to-medium business.
As Ben Goodman, SVP of global business and corporate development at ForgeRock, noted:
“This massive hacking campaign perfectly exemplifies how hackers using stolen credentials can move laterally throughout each compromised cell provider’s bank of call detail records to exfiltrate mass amounts of data on each target. In fact, the threat group infiltrated the deepest segments of the providers’ networks, including some isolated from the internet, according to the researchers that discovered this campaign. This highlights the need for organizations to leverage ‘Zero Trust’ security strategies that implement real-time, contextual and continuous security that identifies anomalous internal and external behavior and then prompts further action, such as identity verification methods like multi-factor authentication (MFA), to put more barriers between hackers and sensitive information.”
Cybereason concluded their detailed report on the APT10 telecoms incident with some general recommendations for any organization concerned about a threat actor of this nature. Their advice was as follows:
- Ensure that additional security layers are present for web servers, such as a web application firewall (WAF) or a third-party web application security service;
- Review all ports to ensure that only those that are absolutely necessary are connected to the internet, and ensure that all web servers and services that are in use are regularly patched;
- Use an endpoint detection and response (EDR) tool as a source of immediate response capability when a major incident is detected; and
- Have a cybersecurity policy of proactive review of the network environment for sensitive and vulnerable assets.
As demonstrated by this attack, APT groups nearly always lead with spear phishing. These groups generally take a “low and slow” approach, looking to thoroughly infiltrate the network without being detected and to monitor it for months or even years at a time. In addition to the sensible policies listed above, encryption of sensitive information and multi-factor authentication (MFA) provide potent protection against these attacks. The best defense against spear phishing, however, is awareness: fostering a cybersecurity culture in which employees are unlikely to click on suspicious links in the first place. Part of that is training, and part of it may be implementing something like a DMARC solution to screen incoming emails before they are passed on.