Speaking at the Virus Bulletin 2019 conference in London, Cybereason researchers Amit Serper, Mor Levi and Assaf Dahan discussed the “worldwide campaign against telecommunication providers” that they named Operation Soft Cell.
Serper described it as an access operation and a “multi-wave attack” that targeted call detail records (CDRs), which hold call metadata: where calls are made, the originating number and the IMEI number.
“With this you can build a complete picture of a person and where they are located through the day,” he said. “You get a lot of information without getting on the phone as metadata is siphoned off.”
Levi said an investigation usually starts with small pieces being tied together, and that is how the researchers learned more about the attacker. Levi said the investigation started in 2018 and nothing seemed unusual at first, but second, third and fourth waves of attack were spotted, which led them to conclude that this was the same actor, “as behavior and techniques were almost the same, and they were adaptive and changing indicators to bypass detection.” The researchers later revealed that the compromise had in some cases gone on for up to seven years.
During the third phase, the researchers realized the attacker was not after bill data or domain administrator details.
Dahan said that the attacker was able to get in, perform external reconnaissance, and use third-party tools to exfiltrate data, move laterally and obtain credentials.
“We understood that the attack was on exfiltration, as they compressed and password protected it,” Dahan said. Serper pointed out that remote access Trojans like Poison Ivy were used.
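The staging behaviour Dahan describes (data compressed into a password-protected archive before it leaves the network) is something a defender can look for in process-creation telemetry. The following is an added detection example, not code from Cybereason or the talk: it scans constructed Sysmon-style process records for archiver command lines that both create an archive and set a password (`-p<pwd>`, `-hp<pwd>` for RAR, `-p<pwd>` or `-mhe=on` for 7-Zip), and flags the case where the archiver binary has been renamed. The host names, paths and records are constructed; the switch syntax is the real WinRAR/7-Zip syntax.

```python
import os
import re
import shlex

# Constructed process-creation records (Sysmon Event ID 1 / EDR style); not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws-17", "user": "CORP\\alice",
     "image": "C:\\Windows\\System32\\notepad.exe",
     "cmdline": "notepad.exe C:\\Users\\alice\\notes.txt"},
    {"host": "db-03", "user": "CORP\\svc_backup",
     "image": "C:\\Program Files\\WinRAR\\Rar.exe",
     "cmdline": "Rar.exe a -r -hpREDACTED C:\\Windows\\Temp\\cdr_0412.rar D:\\exports\\cdr\\"},
    {"host": "db-03", "user": "CORP\\svc_backup",
     "image": "C:\\Users\\Public\\winupd.exe",          # a renamed 7-Zip binary
     "cmdline": "winupd.exe a -pREDACTED -mhe=on C:\\Users\\Public\\out.7z C:\\temp\\staging\\"},
    {"host": "app-01", "user": "CORP\\bob",
     "image": "C:\\Program Files\\7-Zip\\7z.exe",
     "cmdline": "7z.exe x C:\\downloads\\tool.7z -oC:\\tools"},   # extraction, not staging
]

ARCHIVE_CMDS = {"a", "u", "m"}          # rar/7z commands that create or update an archive
KNOWN_ARCHIVERS = {"rar.exe", "winrar.exe", "7z.exe", "7za.exe", "7zr.exe"}
# -p<pwd> / -hp<pwd> set a password; "-p-" in RAR explicitly disables the password prompt.
PASSWORD_SWITCH = re.compile(r"^-(hp|p)(?!-)", re.IGNORECASE)
HEADER_ENCRYPT = re.compile(r"^-mhe=on$", re.IGNORECASE)   # 7-Zip: encrypt file names too


def is_encrypted_archive_creation(cmdline):
    """True if the command line creates/updates an archive with a password or encrypted headers."""
    tokens = shlex.split(cmdline, posix=False)   # non-POSIX: keep Windows backslashes literal
    if len(tokens) < 2 or tokens[1].lower() not in ARCHIVE_CMDS:
        return False
    return any(PASSWORD_SWITCH.match(t) or HEADER_ENCRYPT.match(t) for t in tokens[2:])


def archive_path(cmdline):
    """First non-switch argument after the command: the archive being written."""
    tokens = shlex.split(cmdline, posix=False)
    for t in tokens[2:]:
        if not t.startswith("-"):
            return t
    return None


def find_archive_staging(events):
    """Return one alert per event that looks like encrypted-archive staging."""
    alerts = []
    for ev in events:
        if not is_encrypted_archive_creation(ev["cmdline"]):
            continue
        exe = os.path.basename(ev["image"].replace("\\", "/")).lower()
        alerts.append({
            "host": ev["host"],
            "user": ev["user"],
            "image": ev["image"],
            "archive": archive_path(ev["cmdline"]),
            # Archiver syntax from a binary with an unexpected name suggests a renamed tool.
            "renamed": exe not in KNOWN_ARCHIVERS,
        })
    return alerts


if __name__ == "__main__":
    for a in find_archive_staging(SAMPLE_EVENTS):
        tag = " (renamed archiver)" if a["renamed"] else ""
        print(f"{a['host']} {a['user']}: encrypted archive {a['archive']} via {a['image']}{tag}")
```

Matching on the command-line grammar rather than the image name is deliberate: renaming `rar.exe` is cheap for an intruder, but the `a -hp…` shape has to stay the same for the tool to work. Pair this with a baseline of which accounts and hosts legitimately run archivers, since backup jobs produce the same pattern.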
Levi added that it was “hard to connect the dots but we knew the bigger picture,” and that the purpose of the threat intelligence research was to get that bigger picture. The affected companies were informed, and the scope grew from Cybereason’s own customer to dozens of other telcos.
The research also revealed that much of the attack activity took place in GMT+8, the Chinese time zone, and that a two-hour lunch break was also observed. Serper concluded by saying that when he told those affected, he got very negative responses, as “cyber insurance doesn’t cover nation state attacks as it is an act of war.”
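The time-zone observation comes from a simple analysis that any incident responder can reproduce on their own timeline data. The following is an added example, not the researchers’ code: given UTC timestamps of attacker actions, it shifts them through every candidate UTC offset, scores each offset by how much activity lands in an assumed 09:00-18:00 local working window, and then lists the idle hours inside that window, which is where a lunch gap shows up. The timestamps are constructed to mimic an operator working at UTC+8 with a two-hour midday break; the working window is an assumption.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample (not real telemetry): UTC timestamps of attacker actions, e.g.
# first-seen times of web-shell requests pulled from a SIEM. Generated to mimic an
# operator working 09:00-18:00 at UTC+8 with a 12:00-14:00 lunch gap.
_LOCAL_ACTIVE_HOURS = [9, 10, 11, 14, 15, 16, 17]
EVENTS_UTC = [
    datetime(2018, 6, 4, tzinfo=timezone.utc) + timedelta(days=d, hours=h - 8, minutes=m)
    for d in range(5)              # five consecutive working days
    for h in _LOCAL_ACTIVE_HOURS
    for m in (5, 35)               # two actions per active hour
]

WORK_START, WORK_END = 9, 18       # assumed local working window (end exclusive)


def hour_histogram(events, utc_offset_hours):
    """Count events per local hour of day after shifting UTC by a candidate offset."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    return Counter(ev.astimezone(tz).hour for ev in events)


def working_hours_score(hist):
    """Fraction of events that fall inside the assumed working window."""
    total = sum(hist.values())
    if total == 0:
        return 0.0
    in_window = sum(n for h, n in hist.items() if WORK_START <= h < WORK_END)
    return in_window / total


def infer_utc_offset(events, candidates=range(-12, 15)):
    """Return (offset, score) for the offset whose local clock puts the most activity
    inside working hours. On a tie the larger offset wins."""
    best_score, best_off = max(
        (working_hours_score(hour_histogram(events, off)), off) for off in candidates
    )
    return best_off, best_score


def idle_hours_in_window(hist):
    """Local hours inside the working window with no activity at all (lunch-break candidates)."""
    return [h for h in range(WORK_START, WORK_END) if hist[h] == 0]


if __name__ == "__main__":
    off, score = infer_utc_offset(EVENTS_UTC)
    hist = hour_histogram(EVENTS_UTC, off)
    print(f"best fit: UTC{off:+d} ({score:.0%} of activity in {WORK_START:02d}-{WORK_END:02d})")
    print("idle working hours:", idle_hours_in_window(hist))
    for h in range(24):                      # text histogram of the best-fit local clock
        print(f"{h:02d}:00 {'#' * hist[h]}")
```

Treat the result as one supporting signal rather than an attribution on its own: operators can work shifted hours or schedule tasks to run unattended, so the working-hours fit should be weighed alongside tooling, infrastructure and victimology overlaps.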