For anyone who’s worried that their phone might be hacked to track their location, who they call and when, and other metadata that describes the intimate details of their life, one cyberespionage group has provided a reminder that hackers don’t necessarily even need to reach out to your device to gain that access. It may be far easier and more efficient for sophisticated stalkers to penetrate a mobile provider, and use its data to surveil whichever customers they please.
On Monday night, researchers at Boston-based cybersecurity firm Cybereason revealed the results of tracking a years-long cyberespionage campaign they’ve called Operation Soft Cell, which they say targeted the networks of at least 10 cellular providers around the world. And while researchers’ visibility into that hacking campaign is incomplete, they say it appears to be a prolific but highly targeted espionage campaign likely based in China. In one of the 10 breaches that affected a Cybereason customer, the researchers say they found that the hackers had gained deep access to the victim’s network and stolen gigabytes of metadata related to 20 specific individuals’ phone usage and location.
Cybereason says that the company found no evidence that the hackers stole the actual content of communications from victims, but the firm’s principal security researcher Amit Serper argues that the metadata alone—device and SIM identifiers, call records, and which cell tower a phone connected to at any given time—can provide a frighteningly high-resolution picture of a target’s life. “That metadata is sometimes more important than the contents of what you’re saying,” says Serper, who previously worked in Israeli intelligence. “It allows an intelligence service to build a whole picture of you: who you’re talking to, who are your peers and coworkers, when do you wake up and go to bed, where you work, what your route to work looks like. These are valuable pieces of information.”
Cybereason wouldn’t name any of the companies or individuals victimized in the attack, though it notes that they included cellular providers in Asia, Africa, the Middle East, and Europe. North America was not impacted, to their knowledge. The firm’s researchers say they first detected an intrusion in a customer’s network a year ago, including evidence that the intruders had been present for at least another year, dating the campaign back to 2017.
When the researchers reconstructed the timeline of that attack, they found that the spies had exploited a vulnerable web service to gain an initial foothold on the victim company’s network, and then used a customized version of the common tool Mimikatz to pull usernames and passwords out of target machines’ memory, using those credentials and repeating the process to spread from one machine to another until they obtained domain administrator access, giving them full control of the company’s network. “At that point, they became the shadow IT department,” Serper says.
Eventually, the hackers even installed their own VPN system on the network so that they could enter at will over an encrypted connection. Cybereason says that the spies ultimately accessed a “call detail record” or CDR database, encrypting and stealing data related to 20 specific individuals they had chosen to track. And when Cybereason traced the command and control servers behind the operation, they found evidence of other servers that appeared to be linked to active operations targeting at least nine other cellular providers, though Serper says he can’t name those targets or confirm whether their networks were in fact compromised, or what might have been stolen from them.
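A defender-side illustration of the credential-reuse spread described above, added here as an example that is not from the article or from Cybereason: constructed Windows network-logon records (hypothetical account and host names) are scanned for a single account fanning out to an unusual number of hosts within a short window, the pattern a harvested credential leaves as it is replayed machine to machine.

```python
# Added example, not the article's or Cybereason's code. Constructed sample
# records stand in for Windows Security event 4624 (logon type 3, network
# logon) exported as (timestamp, account, source host, target host).
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events; account and host names are hypothetical.
EVENTS = [
    ("2019-06-24T01:00:10", "svc_backup", "WS-017", "FS-01"),
    ("2019-06-24T01:02:43", "svc_backup", "WS-017", "SQL-02"),
    ("2019-06-24T01:05:01", "svc_backup", "WS-017", "DC-01"),
    ("2019-06-24T01:07:19", "svc_backup", "WS-017", "APP-03"),
    ("2019-06-24T01:09:55", "svc_backup", "WS-017", "WS-042"),
    ("2019-06-24T09:15:00", "jdoe", "WS-101", "FS-01"),
    ("2019-06-24T09:16:00", "jdoe", "WS-101", "MAIL-01"),
]


def flag_fanout(events, max_hosts=3, window=timedelta(minutes=15)):
    """Return {account: sorted target hosts} for every account whose network
    logons reach more than max_hosts distinct targets inside one sliding window.
    The largest offending host set per account is reported."""
    by_account = defaultdict(list)
    for ts, account, _src, dst in events:
        by_account[account].append((datetime.fromisoformat(ts), dst))
    flagged = {}
    for account, logons in by_account.items():
        logons.sort()
        worst = set()
        start = 0
        for end in range(len(logons)):
            # Slide the window start forward until it spans at most `window`.
            while logons[end][0] - logons[start][0] > window:
                start += 1
            targets = {dst for _, dst in logons[start:end + 1]}
            if len(targets) > max_hosts and len(targets) > len(worst):
                worst = targets
        if worst:
            flagged[account] = sorted(worst)
    return flagged


if __name__ == "__main__":
    for account, hosts in flag_fanout(EVENTS).items():
        print(f"ALERT: {account} reached {len(hosts)} hosts in 15 min: {hosts}")
```

The threshold and window are deliberately tunable; a real deployment would baseline each account's normal host count before alerting.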
“Metadata allows an intelligence service to build a whole picture of you.”
Amit Serper, Cybereason
Cybereason believes the hackers behind the cellular provider incident are likely working in service of the Chinese government. In the process of their espionage campaign, the intruders used a set of tools that Cybereason and others associate with Chinese state spies, including a web shell called China Chopper, the Poison Ivy remote-access trojan, and the scanning tool nbtscan. Despite the hackers’ broad targeting, they didn’t seem to target any victims in mainland China. And the apparent focus on infrastructure-targeted spying also fits with the tactics of Chinese hackers, who have compromised everything from cloud service providers to software supply chains for the purpose of stealthy espionage.
Stealing metadata, Serper says, is hardly an unprecedented trick for intelligence agencies. But he says that 10 cellular providers targeted in the same operation is more rare. “We know how intelligence services operate, and it’s not something we haven’t seen before,” Serper says. “But we haven’t seen this scale.”
Analysts at security firms Crowdstrike and FireEye say they couldn’t confirm Cybereason’s findings, but the two firms noted that they have in fact seen broad targeting of cellular providers including by Russian and Iranian state-sponsored hackers, both for tracking individuals and for bypassing two-factor authentication, intercepting the SMS messages sent to phones as a one-time passcode. “I wouldn’t be surprised to learn that a Chinese actor has targeted 10 telecom providers,” says John Hultquist, who leads threat intelligence at FireEye. “They’re moving toward the backbone, hitting providers with access to a lot of data instead of going after targets in onesies and twosies. They gain a higher level of access and limit their exposure.”
One spy agency, at least, seems to be backing away from domestic metadata collection: The NSA quietly shuttered its US metadata collection program in March, after years of controversy following Edward Snowden’s revelation of the program’s existence in 2013. But as Operation Soft Cell shows, metadata remains a tempting target for foreign hackers—and one that might be all too easy for determined ones to get their hands on.