Suspected Chinese Hackers Infiltrate Network of Global Telecom Carriers

Marco Green
June 27, 2019

Last year, the Cybereason Nocturnus team discovered an advanced, persistent attack targeting global telecommunications providers carried out by a threat actor using tools and techniques commonly associated with the Chinese-affiliated threat actor APT10.

Chinese hackers have been stealing information from major worldwide telecommunications companies in order to spy on high-profile people, according to a report Tuesday from cybersecurity firm Cybereason. "It is a government that has capabilities that can do this kind of attack", Cybereason's Div told Reuters.

Div later presented a step-by-step breakdown of the breach at a cybersecurity conference in Tel Aviv in the same session that the heads of United States and British cyber intelligence units and the head of Israel's Mossad spy agency spoke.

"Right now we're still tracking them", he said. "We assume there are many others that have been hacked that have services with other telcos".

The Boston-based firm said telecoms companies in multiple countries were affected, in regions including Asia, Africa, the Middle East and Western Europe.

The hackers reportedly swiped information including location data, billing information, text message records and call detail records (CDRs).

Div of Cybereason said his firm contacted 12 telecommunications companies regarding the attacks and discussed details of the exposure.

The attack, which was apparently uncovered some nine months ago, compromised the internal IT networks of its victims, allowing the attackers to customise the infrastructure.

"It's important to keep in mind that even though the attacks targeted specific individuals, any entity that possesses the power to take over the networks of telecommunications providers can potentially leverage its unlawful access and control of the network to shut down or disrupt an entire cellular network as part of a larger cyber warfare operation", the researchers wrote.

"We've concluded with a high level of certainty that the threat actor is affiliated with China and is likely state sponsored", the researchers wrote Tuesday.

Div, who is presenting his findings at the Cyber Week conference in Tel Aviv, provided scant details about who was targeted in the hack, saying that Cybereason had been called in to help an unidentified cellular provider last year and discovered that the hackers had broken into the firm's billing server, where call records are logged. He said the company, founded by former members of Israel's military intelligence corps, has "debriefed the intelligence community", though he declined to describe any reactions.

Cybereason says attackers wouldn't have been able to track targets in real time, although they would have amassed historical geolocation data that could have been used to track their movements.

The company said on previous occasions it had identified attacks it suspected had come from China or Iran but it was never certain enough to name these countries. "China is firmly opposed to cyber attacks in any form", he said at a regularly scheduled press briefing in Beijing.

"We managed to find not just one piece of software, we managed to find more than five different tools that this specific group used", Div said.
