Chinese government-sponsored hackers allegedly hit global telcos

The Advanced Persistent Threat 10 (APT10) or Stone Panda hacking gang which has been linked to Chinese government, is behind a worldwide espionage campaign spanning years, security researchers say.

Security vendor Cybereason has released a report that sets out in detail how APT10 attacked telcos as part of Operation Soft Cell, in multiple waves that resulted in the complete takeover of networks around the world.

Cybereason spotted the attack this year, and identified the tools and methods used by the hackers as the same that APT10 has been using in the past.

Data gathered by Cybereason, including the use of a remotely accessible command shell that was classified as a modified version of the China Chopper tool discovered in 2012, suggests Operation Soft Cell has been active for many years.

Seeking out vulnerable Microsoft Internet Information Services (IIS) servers, the attackers would try to compromise these and run the modififed China Chopper shell to reconnoitre target networks to locate assets on these that they were interested in.

Using tools like a modified version of the NetBIOS nameserver scanner, the attackers mapped  out telcos' internal networks and then ran a customised Mimikatz to dump and obtain Windows NTLM and Security Account Manager (SAM) password hashes.

With user credentials in hand, the APT10 hackers were able to move laterally along internal network paths and compromise Domain Controllers and establish a long-term foothold on telco systems.

As well as the above method, the attackers would deploy the PoisonIvy remote access tool (RAT) to stealthily remain in contact with compromised systems.

A modified variant of the hTran connection bouncer tool was used to exfiltrate the stolen data in compressed format, Cybereason said.

Espionage and surveillance of individuals appear to have been the motive for APT10.

The attackers tried to obtain call detail records from a large telco, Cybereason said. These contain a great deal of information such as the source, destination, and duration of calls.

CDRs also contain metadata for the devices used, and their physical location.

Through CDRs, APT10 would be able to work out who the individuals under surveillance are talking to and the devices they use, and also where they are travelling.

APT10 also tried to exfiltrate all data stored in an Active Directory server. This included all user names and passwords for the telco.

Sensitive personally identifiable information, billing data, emails and user geo-location details were also taken by the hackers. Details on hundreds of millions of users may have been compromised by the multi-year Operation Soft Cell.

At least ten global telcos are believed to have been attacked by APT10, although Cybereason did not name them or say where they are located.

APT10 is believed to be behind a string of attacks on a large number of managed service providers worldwide, as well as universities, defence contractors and research organisations.

The US Federal Bureau of Investigation indicted two Chinese nationals, Zhu Hua (a.k.a. "Godkiller", "Alayos", "Afwar" and "CVNX") and Zhang Shilong (a.k.a. "Baobeilong", "Zhang Jianguo", and "Atreexp"), alleging they are members of the APT10 hacking group and active seince 2006.

Zhu and Zhang worked for Huaying Haitai Science and Technology Development Company in Tianjin, and acted in association with China's Ministry of State Security Bureau there, FBI said.