While the international media are engaged in a lively, at times heated, debate about possible backdoors or security vulnerabilities in products of the Chinese network equipment vendor Huawei, international telecommunications providers were attacked unnoticed over several years by state-sanctioned hackers. The hackers' goal was to obtain every piece of data available (geolocation, text messages, call records) about political dissidents abroad.
Here is what the American Wall Street Journal wrote on 24.06.2019 about "Operation Soft Cell":
"The multiyear campaign, which is continuing, targeted 20 military officials, dissidents, spies and law enforcement—all believed to be tied to China—and spanned Asia, Europe, Africa and the Middle East, says Cybereason Inc., a Boston-based cybersecurity firm that first identified the attacks. The tracked activity in the report occurred in 2018. […] The hacking campaign—which Cybereason calls "Operation Soft Cell"—represents one of the most far-reaching recent offenses against a telecom industry under pressure, Mr. Div said. Around three of every 10 global carriers have had sensitive information stolen from hacking attacks, according to a 2018 report by EfficientIP, a Philadelphia-based cybersecurity firm."
We would therefore like to draw particular attention to the report by the company Cybereason, and likewise to the technical indicators of the "Operation Soft Cell" campaign.
In 2018, the Cybereason Nocturnus team identified an advanced, persistent attack targeting global telecommunications providers carried out by a threat actor using tools and techniques commonly associated with Chinese-affiliated threat actors, such as APT10. This multi-wave attack focused on obtaining data of specific, high-value targets and resulted in a complete takeover of the network.

Earlier this year, Cybereason identified an advanced, persistent attack targeting telecommunications providers that has been underway for years, soon after deploying into the environment.

- Cybereason spotted the attack and later supported the telecommunications provider through four more waves of the advanced persistent attack over the course of 6 months.
- Based on the data available to us, Operation Soft Cell has been active since at least 2012, though some evidence suggests even earlier activity by the threat actor against telecommunications providers.
- The attack was aiming to obtain CDR records of a large telecommunications provider.
- The threat actor was attempting to steal all data stored in the active directory, compromising every single username and password in the organization, along with other personally identifiable information, billing data, call detail records, credentials, email servers, geo-location of users, and more.
- The tools and TTPs used are commonly associated with Chinese threat actors.
- During the persistent attack, the attackers worked in waves, abandoning one thread of attack when it was detected and stopped, only to return months later with new tools and techniques.