Production servers, database servers, and domain controller all fully compromised
Chinese hackers have breached and occupied the networks of 10 major telecommunications companies operating around the world, using their sustained access to target “very specific individuals”, according to Boston-based Cybereason – which caught the attacker in flagrante delicto in the network of a new telco customer.
The attackers were in networks for at least two years. They had extracted over 100GB of data from the primary telco assessed, and were using their access to so-called Call Detail Records (CDRs) to track the movements and interactions of high-profile individuals that Cybereason – founded by veterans of Israel’s 8200 cyber unit – is declining to name.
With the first company identified as affected being a new Cybereason customer, the endpoint detection and response specialist is unable, again, to name it, or even the country it is based in. But tracking the threat, its threat researchers say the breach appears to span 10 telco companies with operations in Asia, Africa, Europe, and the US.
Telcos Hacked: Call Detail Records (CDRs) Stolen
Speaking to Computer Business Review, Cybereason’s Mor Levi, VP Security Practices, said: “We started this entire thing by onboarding one customer. We got a few alerts and started to look a little deeper, from the inside and then from the outside.”
She added: “This is a big, big breach. It is an intelligence actor after very specific individuals; important individuals… If they had checked if their phone was hacked, they would have been told ‘no’; for them it is ‘hacking without hacking’.”
Chinese Hackers: The Modus Operandi
The telco hacking was all too real: the attackers had completely compromised the networks, using lateral movement to reach even segments isolated from the internet. (In a previous conversation, a Cybereason researcher involved in the initial find described the “jaw-drop” moment when they realised the scale of the APT’s access.)
The initial indicator of the attack was malicious webshell activity performed by w3wp.exe, an IIS (Internet Information Services) process, Cybereason notes.
(Cybereason assesses with “very high probability” that the hackers are nation state-backed and China-affiliated, saying: “The threat actor is likely APT10, or a threat actor that shares, or wishes to emulate its methods by using the same tools and techniques.”)
The Chinese hackers used this initial webshell to run reconnaissance commands and steal credentials, using a range of tools. One of the reconnaissance commands was to run a modified nbtscan tool (“NetBIOS nameserver scanner”) to identify available NetBIOS name servers locally or over the network. (Nbtscan has been used by APT10 in Operation Cloud Hopper to search for services of interest across the IT estate and footprint endpoints of interest. It is also capable of identifying system information.)
In a detailed report published today, Cybereason’s Mor Levi, Assaf Dahan, and Amit Serper said: “Following the reconnaissance phase, the threat actor attempted to dump credentials stored on the compromised machines. The most common credential stealing tool used by the threat actor was a modified mimikatz that dumps NTLM hashes. This version of mimikatz did not require any command line arguments, most likely in an attempt to avoid detection based on command-line auditing.”
“We renamed this sample to maybemimi.exe.”
Another tool used was the RAT Poison Ivy. It loaded itself into memory through DLL side-loading, abusing a trusted, signed Samsung executable (RunHelp.exe) to do so; Palo Alto documented this technique in 2016.
They added: “Once the threat actor mapped the network and obtained credentials, they began to move laterally. They were able to compromise critical assets including production servers and database servers, and they even managed to gain full control of the Domain Controller. The threat actor relied on WMI and PsExec to move laterally and install their tools across multiple assets.”
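The three stages described above (a webshell executing commands under IIS’s w3wp.exe, a renamed credential dumper that takes no command-line arguments, and lateral movement via PsExec and WMI) each leave a trace in host telemetry that does not depend on the tool’s name or arguments. The following is an added detection example, not code from the article or from Cybereason: it runs three behavioural rules over constructed Sysmon-style events (Event ID 1 ProcessCreate and Event ID 10 ProcessAccess). The hostnames, paths, event shapes, and the list of processes expected to open LSASS are all assumptions made for the example.

```python
"""
Added detection example (not code from the article or from Cybereason):
three behavioural rules, run over constructed Sysmon-style events, for the
stages described in the article -- a webshell executing commands under
IIS's w3wp.exe, credential dumping against LSASS that shows nothing on
the command line, and PsExec/WMI lateral movement. Event shapes,
hostnames and paths are all made up for the example.
"""
import os
from collections import Counter

# Constructed events in the shape of Sysmon Event ID 1 (ProcessCreate) and
# Event ID 10 (ProcessAccess). Nothing here is real telemetry.
SAMPLE_EVENTS = [
    {"id": 1, "host": "web01",
     "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c whoami"},
    {"id": 1, "host": "web01",
     "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c nbtscan.exe 10.0.0.0/24"},
    # Renamed credential dumper run with NO arguments (the article's point):
    # a command-line rule sees nothing, but the process still opens LSASS.
    {"id": 10, "host": "web01",
     "source_image": r"C:\Users\Public\maybemimi.exe",
     "target_image": r"C:\Windows\System32\lsass.exe",
     "granted_access": "0x1010"},
    {"id": 1, "host": "db02",
     "parent": r"C:\Windows\PSEXESVC.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe"},
    {"id": 1, "host": "dc01",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c hostname"},
    # Benign noise that must not alert.
    {"id": 1, "host": "web01",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe"},
    {"id": 10, "host": "web01",
     "source_image": r"C:\Windows\System32\csrss.exe",
     "target_image": r"C:\Windows\System32\lsass.exe",
     "granted_access": "0x1478"},
]

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
LATERAL_PARENTS = {"psexesvc.exe", "wmiprvse.exe"}
# Processes that legitimately open LSASS; an assumption to tune per environment.
LSASS_EXPECTED_SOURCES = {"csrss.exe", "wininit.exe", "services.exe",
                          "svchost.exe", "msmpeng.exe", "lsass.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return os.path.basename(path.replace("\\", "/")).lower()


def naive_cmdline_rule(events):
    """Detection keyed only on command-line strings. It misses the renamed,
    argument-less dumper, which is exactly why the actor built it that way."""
    hits = []
    for ev in events:
        cmd = ev.get("cmdline", "").lower()
        if "mimikatz" in cmd or "sekurlsa" in cmd:
            hits.append((ev["host"], cmd))
    return hits


def behavioural_rules(events):
    """Return (rule, host, detail) tuples for the three behaviours."""
    alerts = []
    for ev in events:
        if ev["id"] == 1:
            parent, image = basename(ev["parent"]), basename(ev["image"])
            # Webshell: the IIS worker process spawning an interpreter.
            if parent == "w3wp.exe" and image in SHELLS:
                alerts.append(("webshell_exec", ev["host"], ev["cmdline"]))
            # Lateral movement: PsExec service or WMI provider host as parent.
            if parent in LATERAL_PARENTS:
                alerts.append(("lateral_movement", ev["host"], parent))
        elif ev["id"] == 10:
            # Credential dumping: an unexpected process opening LSASS.
            src, tgt = basename(ev["source_image"]), basename(ev["target_image"])
            if tgt == "lsass.exe" and src not in LSASS_EXPECTED_SOURCES:
                alerts.append(("lsass_access", ev["host"], ev["source_image"]))
    return alerts


def summarize(alerts):
    """Count alerts per rule name."""
    return dict(Counter(rule for rule, _, _ in alerts))


if __name__ == "__main__":
    print("command-line rule hits:", naive_cmdline_rule(SAMPLE_EVENTS))
    for alert in behavioural_rules(SAMPLE_EVENTS):
        print(alert)
    print(summarize(behavioural_rules(SAMPLE_EVENTS)))
```

On the sample events the command-line rule returns nothing, while the behavioural rules produce two webshell alerts, two lateral-movement alerts, and one LSASS-access alert for the argument-less dumper. The design point is that parent/child relationships and process-access events survive the renaming, stripping, and per-sample hash changes the report describes, whereas string and hash indicators do not.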
The APT used a modified version of hTran – a tool that intercepts and redirects TCP connections from a local to a remote host – to exfiltrate stolen data. (Note that both China Chopper and hTran are among the NCSC’s list of the Top Five most commonly used hacking tools; a list that includes tips for detecting their use.)
Tools Were Heavily Customised; Each Payload Had a Unique Hash
“One of the more notable aspects was how the threat actor used mostly known tools that were customized for this specific attack”, Cybereason’s Mor Levi, Assaf Dahan, and Amit Serper wrote in their report on the breach. “Each tool was customized differently, and included re-writing the code, stripping debug symbols, string obfuscation, and embedding the victim’s specific information within the tools’ configuration.”
“However, the threat actor also used tools we were not able to attribute to any known tool. These tools were used in the later stages of the attack, once the operation was already discovered. This was most likely to decrease the risk of exposure or attribution. Finally, the payloads were almost never repeated. The threat actor made sure that each payload had a unique hash, and some payloads were packed using different types of packers, both known and custom.”
The company added: “Beyond targeting individual users, this attack is also alarming because of the threat posed by the control of a telecommunications provider. Telecommunications has become critical infrastructure for the majority of world powers. A threat actor with total access to a telecommunications provider, as is the case here, can attack however they want… and also actively work to sabotage the network.”
Pressed on who they are working with to address the breaches, Cybereason’s Mor Levi told Computer Business Review: “We’re working with whoever will work with us; private or public and whoever the company affected will let us work with. We’ve had to have some quite strange conversations when approaching other telcos…”