Back to Newsroom

Cybereason Uncovers Massive State-Sponsored Espionage Operation Leveraging Privately Owned, Critical Infrastructure Companies

Jun 25, 2019

Cybereason, creators of the leading Cyber Defense Solution, today unveiled results from ‘Operation Soft Cell,’ an investigation into a massive, advanced espionage campaign targeting nearly a dozen global telecommunications providers. Cybereason’s nearly year-long investigation discovered commercial, privately owned critical infrastructure companies are tools being used in state-sponsored espionage and cyber war.

“The operation against cellular providers is at a massive scale. This advanced attack used a low-n-slow attack paradigm which circumvents almost all detection capabilities in the market today,” according to Lior Div, Cybereason’s CEO and co-founder. “This isn’t a smash and grab campaign to steal money or social security numbers. These hackers have very specific motives and are running a highly targeted, persistent operation to own the networks and track a very targeted list of high-profile individuals on different continents.”

The state-sponsored adversaries stole personally identifiable information such as billing data, call detail records and credentials. The damage to the targeted individuals can go all the way to fully tracking of locations, meetings and texts. Hundreds of gigabytes of call data records were stolen each time the hackers exfiltrated data.

“This isn’t one breach, but a series of sophisticated and targeted breaches. What is really troubling is this is an example of being hacked and not knowing it because the victims aren’t aware and have no way to trace the attack,” said Mor Levi, Cybereason, Vice President, Global  Security Services.

Operation Soft Cell Key Takeaways:

  • Operation Soft Cell is a global, nation state-backed operation against multiple cellular providers that has been underway for years. Hacker carrying out the low and slow attack can circumvent
    existing detection technologies on the market today and be found only with very specific mo monitoring and correlation capabilities.
  • With this campaign, attackers completely took over the IT network and were able to customize the IT infrastructure for their convenience, complete with their own VPN inside of the network.
  • The attackers exfiltrated complete active directory databases, compromising every username and password. In addition, other personally identifiable information such as billing data, call detail records and credentials were stolen.
  • The tools and TTPs involved in this operation are commonly associated with the Chinese threat actor APT10. However, since some of these tools were disclosed, dumped, and even open sourced in some cases, they are available to the general public.
  • Critical infrastructure relies on cellular communication. Attackers can do whatever they want passively, or they can choose to shut down entire networks. Foreign powers can use this to interfere with critical infrastructure in another country.

“Essentially, the hackers have access to geolocation information on individuals, knowing their exact movements by day and night. If the individuals travel overseas, the hackers know it. The hackers can use this information to identify a convenient time in operations and campaigns they are carrying out,” said Amit Serper, Cybereason, Senior Director, Head of Security Research.

Read the research for Operation Soft Cell here

About Cybereason

Defending against today’s threats requires security teams to prevent and cut the noise from known attacks, while simultaneously detecting and remediating advanced attacks. The Cybereason solution combines endpoint prevention, detection, and response all in one lightweight agent. The solution delivers multi-layered endpoint prevention by leveraging signature and signatureless techniques to prevent known and unknown threats in conjunction with behavioral and deception techniques to prevent ransomware and fileless attacks. Combine the best platform on the market with active monitoring and response from our expert security team to receive a comprehensive defense. Visit our website to get a demo of our security solution.

Media Contact:
Bill Keeler
Senior Director, Global Public Relations

(929) 259-3261