View all newsletters
Receive our newsletter - data, insights and analysis delivered to you

10 Major Global Telcos “Completely Penetrated” by Chinese APT

Production servers, database servers, and domain controller all fully compromised

By CBR Staff Writer

Chinese hackers have breached and occupied the networks of 10 major telecommunications companies operating around the world, using their sustained access to target “very specific individuals”, according to Boston-based Cybereason – which caught the attacker in flagrante delicto in the network of a new telco customer.

The attackers were in networks for at least two years. They had extracted over 100GB of data from the primary telco assessed, and were using their access to so-called Call Detail Records (CDRs) to track the movements and interactions of high-profile individuals that Cybereason – founded by veterans of Israel’s 8200 cyber unit – is declining to name.

With the first company identified as affected being a new Cybereason customer, the endpoint detection and response specialist is unable, again, to name it, or even the country it is based in. But tracking the threat, its threat researchers say the breach appears to span 10 telco companies with operations in Asia, Africa, Europe, and the US.

telcos hacked

Telcos Hacked: Call Detail Records (CDRs) Stolen 

Speaking to Computer Business Review, Cybereason’s Mor Levi, VP Security Practices, said: “We started this entire thing by onboarding one customer. We got a few alerts and started to look a little deeper, from the inside and then from the outside.”

She added: “This is a big, big breach. It is an intelligence actor after very specific individuals; important individuals…  If they had checked if their phone was hacked, they would have been told ‘no’; for them it is ‘hacking without hacking'”.

Chinese Hackers: The Modus Operandi

The telco hacking was all too real: the attackers had completely compromised the networks, exploiting  lateral movement to access even segments isolated from the internet. (In a previous conversation, a Cybereason researcher involved in the initial find described the “jaw-drop” moment when they released the scale of the APT’s access.)

Content from our partners
Scan and deliver
GenAI cybersecurity: "A super-human analyst, with a brain the size of a planet."
Cloud, AI, and cyber security – highlights from DTX Manchester

The initial indicator of the attack was malicious webshell activity performed by w3wp.exe, an IIS (Internet Information Services) process, Cybereason notes.

Investigation of the webshell, later classified as the “China Chopper” webshell, uncovered several attack phases, detailed below.

(Cybereason assesses with “very high probability” that the hackers are nation state-backed and China-affiliated, saying:  “The threat actor is likely APT10, or a threat actor that shares, or wishes to emulate its methods by using the same tools and techniques.”)

The Chinese hackers used this initial webshell to run reconnaissance commands and steal credentials, using a range of tools. One of the reconnaissance commands was to run a modified ​nbtscan tool (“NetBIOS nameserver scanner”) to identify available NetBIOS name servers locally or over the network. (Nbtscan has been used by ​APT10 in Operation Cloud Hopper to search for services of interest across the IT estate and footprint endpoints of interest. It is also capable of identifying system information.)

In a detailed report published today, Cybereason’s Mor Levi, Assaf Dahan, and Amit Serper said: “Following the reconnaissance phase, the threat actor attempted to dump credentials stored on the compromised machines. The most common credential stealing tool used by the threat actor was a modified ​mimikatz that dumps NTLM hashes. This version of mimikatz did not require any command line arguments, most likely in an attempt to avoid detection based on command-line auditing.”

“We renamed this sample to ​maybemimi.exe​.”

Read this: Mimikatz: “The AK47 of Cyber Attacks”

Another tool used included the RAT Poison Ivy. This used a ​DLL side-loading​ technique to stealthily load itself into  memory, using a trusted and signed Samsung tool (​RunHelp.exe​); a technique previously identified by Palo Alto in 2016.

Reconnaissance and lateral movement commands launched from the secondary web shell.

They added: “Once the threat actor mapped the network and obtained credentials, they began to move laterally. They were able to compromise critical assets including production servers and database servers, and they even managed to gain full control of the Domain Controller. The threat actor relied on ​WMI and ​PsExec to move laterally and install their tools across multiple  assets.”

The APT used a modified version of ​hTran​ – a tool that intercepts and redirects TCP connections from a local to a remote host – to exfiltrate stolen data. (Note that both China Chopper and hTran are among the NCSC’s list of the Top Five most commonly used hacking tools; a list that includes tips for detecting their use.)

Tools Were Heavily Customised; Each Payload Had a Unique Hash

“One of the more notable aspects was how the threat actor used mostly known tools that were customized for this specific attack”, Cybereason’s Mor Levi, Assaf Dahan, and Amit Serper wrote in their report on the breach. “Each tool was customized differently, and included re-writing the code, stripping debug symbols, string obfuscation, and embedding the victim’s specific information within the tools’ configuration.”

“However, the threat actor also used tools we were not able to attribute to any known tool. These tools were used in the later stages of the attack, once the operation was already discovered.  This was most likely to decrease the risk of exposure or attribution. Finally, the payloads were almost never repeated. The threat actor made sure that each payload had a unique hash, and some payloads were packed using different types of packers, both known and custom.”

The company added: “Beyond targeting individual users, this attack is also alarming because of the threat posed by the control of a telecommunications provider. Telecommunications has become critical infrastructure for the majority of world powers. A threat actor with total access to a telecommunications provider, as is the case here, can attack however they want… and also actively work to sabotage the network.”

Pressed on who they are working with to address the breaches, Cybereason’s Mor Levi told Computer Business Review: “We’re working with whoever will work with us; private or public and whoever the company affected will let us work with. We’ve had to have some quite strange conversations when approaching other telcos…”

Read this: Chinese Attackers Dropped Rootkit in 50,000 Servers: Then Left Theirs Wide Open



Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how Progressive Media Investments may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.