This story has been wandering around twitter for a few days, mostly because of who it’s being attributed to. Whether it is actually APT10 (“The Chinese”) is debatable. What’s also interesting to me is that the telcos are gathering this intelligence all the time, but no-one seems to object…:
A global cyberattack campaign believed to be the work of a nation-state group has hit telcos and mobile carriers around the world in an effort to gather intelligence on specific individuals.
The attackers stole files that show the communication history and travel patterns of a targeted individual, according to a new report by Cybereason. The attack campaign has been active since at least 2017, with some evidence going back as far as 2012, and has been incredibly effective in giving the attackers control of the victim’s networks.
Some hundreds of millions of telecommunications customers and thousands of the providers’ employees have been affected by the attack campaign.
“They had complete control of the network and were, in effect, the shadow IT group for the [victim] company,” says Amit Serper, senior director, head of security research for Cybereason Nocturnus, which today published a report on the attacks by Serper, Mor Levi, and Assaf Dahan, called “Operation Soft Cell — A Worldwide Campaign Against Telecommunications Providers.”
The attack began with a malicious Web shell sitting on a Web page. When a targeted employee visited that page, reconnaissance began. “They would compromise the network, do a credential dump, scan the network, and hop from server to server,” Serper says of the attack. “Finally they were able to get domain admin credentials. They were then able to create their own accounts, some of which were domain admins themselves.”
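The last step in that chain, attacker-created accounts that are then made domain admins, leaves a very recognisable trace in Windows Security logs: an account creation event (ID 4720) followed shortly by a member-added-to-group event (ID 4728 for a global group such as Domain Admins, 4732 for a local group). The snippet below is an added detection example, not code from the quoted report or from Cybereason; it correlates those two events over a constructed set of simplified log records (timestamp, event ID, acting account, target account, group) and flags any account that lands in a privileged group within an hour of being created. The field layout, the one-hour window and the sample data are all assumptions made for illustration.

```python
"""Added example: flag accounts that are added to a privileged group
shortly after being created, the pattern described in the article.

Event IDs 4720 (user account created), 4728 (member added to a
security-enabled global group) and 4732 (member added to a
security-enabled local group) are real Windows Security event IDs.
The records below are constructed sample data, simplified to tuples;
a real pipeline would parse the EventData XML of each event instead.
"""
from datetime import datetime, timedelta

# Groups whose membership changes we treat as privilege grants (assumption).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
# How soon after creation a grant is considered suspicious (assumption).
WINDOW = timedelta(hours=1)

# Constructed sample events: (timestamp, event_id, subject, target_account, group).
# "subject" is the account that performed the action, "target_account" the
# account created or added, "group" the group for 4728/4732 (None for 4720).
SAMPLE_EVENTS = [
    ("2019-06-25 02:14:03", 4720, "svc_backup", "helpdesk2", None),
    ("2019-06-25 02:15:41", 4728, "svc_backup", "helpdesk2", "Domain Admins"),
    ("2019-06-25 09:30:00", 4720, "hr_admin", "j.smith", None),
    ("2019-06-25 09:31:10", 4732, "hr_admin", "j.smith", "Remote Desktop Users"),
    ("2019-06-26 11:00:00", 4728, "it_admin", "long_time_user", "Domain Admins"),
]


def parse_ts(ts):
    """Parse the constructed timestamp format used in SAMPLE_EVENTS."""
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def find_suspicious_privilege_grants(events, window=WINDOW, groups=PRIVILEGED_GROUPS):
    """Return (target_account, group, subject, seconds_since_creation) for every
    account that is added to a privileged group within `window` of its creation.

    Events are processed in time order so a 4720 always precedes the grant it
    explains; accounts created outside the log (e.g. long_time_user) are ignored
    because there is no creation time to correlate against.
    """
    created = {}   # target account -> creation time seen in a 4720 event
    findings = []
    for ts, event_id, subject, target, group in sorted(events, key=lambda e: parse_ts(e[0])):
        when = parse_ts(ts)
        if event_id == 4720:
            created[target] = when
        elif event_id in (4728, 4732) and group in groups:
            if target in created and when - created[target] <= window:
                delta = int((when - created[target]).total_seconds())
                findings.append((target, group, subject, delta))
    return findings


if __name__ == "__main__":
    for target, group, subject, delta in find_suspicious_privilege_grants(SAMPLE_EVENTS):
        print(f"ALERT: {target!r} added to {group!r} by {subject!r} "
              f"{delta}s after creation")
```

On the sample data only `helpdesk2` is flagged: it was created and made a Domain Admin 98 seconds later by the same acting account, while `j.smith` joins a non-privileged group and `long_time_user` has no creation event in the log. In production the same correlation would be run over events collected centrally from all domain controllers, since an attacker holding domain admin credentials can create the account on any of them.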