Intelligence Brief
Nation-State Hackers Breach Middle East Telecom Providers in Cyber Espionage Attack.
“Phone Hacking” by Geralt licensed under Pixabay License


Date: 24th March 2023

Location: China, Middle East, Southeast Asia, Europe, Africa

Parties involved: China; telecom providers in the Middle East, Southeast Asia, Europe and Africa; Sentinel Labs; Gallium; Mimikatz; APT10, APT27, APT41


What happened: Middle East telecom providers were targeted in early 2023, in an attack attributed to a long-running Chinese campaign termed ‘Operation Soft Cell’. Researchers from SentinelOne and QGroup identified that the initial phase involved compromising an internet-facing Microsoft Exchange server and deploying web shells to execute commands. Once that foothold was confirmed, the attack moved into its next phase, in which the threat actor undertook a mixture of reconnaissance, credential theft, lateral movement and data exfiltration. Operation Soft Cell is unusual in that it has been active against telecom providers since 2012, far longer than the limited useful lifespan of a typical targeted attack.

Microsoft has also been tracking the threat actors behind Operation Soft Cell, under the name Gallium. Microsoft identified that they used tools such as Mimikatz, which allowed the threat actor to obtain credentials and then use them to move laterally across the target network. Mimikatz has since been superseded by ‘mim221’, which contains new anti-detection features that make detecting and tracing the threat actor more difficult. Companies in Southeast Asia, Europe, Africa and the Middle East were also targeted using a backdoor known as ‘PingPull’, which was extremely difficult to detect and was used for espionage. However, despite the nature of the attacks, they failed to breach the system: the attacks were detected and blocked before they could be deployed onto the target networks.

Research by Markus Neis of Swisscom indicates that the threat actors are in fact multiple Chinese nation-state actors, such as APT10 (aka Bronze Riverside, Potassium or Stone Panda), APT27 (aka Bronze Union, Emissary Panda or Lucky Mouse) and APT41 (aka Barium, Bronze Atlas or Wicked Panda).

[Image] Source: SentinelLabs

Analysis:

  • It is almost certain that these attacks are being carried out by nation-state actors from China, given the signs of tool sharing with other attacks. Because of this tool sharing, it is very likely that the group will continue to upgrade its tools, tactics and procedures (TTPs) to avoid detection in the future. The group will very likely continue these attacks because of the time and money already invested in this campaign.
  • It is very likely that the threat actors will continue to learn, develop and upgrade their attack methods. It is very likely that they have taken their failures from previous attacks and modified both code and methodology to mount an attack that will very likely ultimately be successful. It is very likely that future upgrades will be implemented to evade detection and also to integrate and modify publicly available code.


Recommendations:

  • It is recommended that corporate and personal networks are kept up to date with the latest patches and have adequate firewalls and antivirus software, with scans run frequently.
  • It is recommended that personnel who have access to firewalls and protection systems are on high alert and respond promptly in informing team members and law enforcement of any possible attack.
  • It is recommended that system administrators implement secondary certificate validation rather than relying on standard certificate validation methods.
  • It is recommended that system administrators ensure that their virus protection measures are able to recognise and quarantine malware and attacks efficiently.
  • It is recommended that system administrators stay current with published SHA1 hashes of known malicious files, which can indicate compromise.
  • It is recommended that any businesses operating both inside and outside the targeted countries are vigilant about their telecom providers and ensure that they have a diverse system backup or a provider from outside the targeted areas.
  • It is recommended that, in addition to direct telecom providers, suppliers of critical components, backbones and infrastructure also maintain heightened alertness and implement additional monitoring of network traffic.
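As an added example (not part of the original brief), the following Python sweep applies the SHA1 recommendation above to the web-shell-on-Exchange scenario: it walks a directory, hashes files with script or binary extensions that a web shell or tooling would use, and reports any whose SHA1 matches a published indicator list. The indicator set and the sample files are constructed placeholders, not real values from the SentinelLabs report.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Placeholder only: swap in the SHA1 values published by the vendor report.
PLACEHOLDER_IOC_SHA1 = {"0000000000000000000000000000000000000001"}

# File types worth hashing on an Exchange host (assumption; tune per site).
SUSPECT_SUFFIXES = {".aspx", ".ashx", ".asmx", ".dll", ".exe"}


def sha1_of_file(path, chunk_size=65536):
    """Stream the file so large binaries do not need to fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_for_iocs(root, ioc_sha1, suffixes=SUSPECT_SUFFIXES):
    """Return [(path, sha1)] for files under root whose SHA1 is an IoC.
    Indicator case is normalised; unreadable files are skipped, not fatal."""
    wanted = {h.lower() for h in ioc_sha1}
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.suffix.lower() not in suffixes:
                continue
            try:
                digest = sha1_of_file(p)
            except OSError:
                continue
            if digest in wanted:
                hits.append((str(p), digest))
    return hits


def build_constructed_sample():
    """Create a throwaway tree with a constructed 'web shell' file and a
    benign text file; return (root, sha1 of the constructed shell)."""
    root = tempfile.mkdtemp(prefix="ioc_demo_")
    shell = Path(root) / "owa" / "auth" / "constructed.aspx"
    shell.parent.mkdir(parents=True)
    shell.write_bytes(b"<%@ Page Language='C#' %> constructed sample")
    (Path(root) / "readme.txt").write_bytes(b"benign, not hashed")
    return root, sha1_of_file(shell)


if __name__ == "__main__":
    root, known = build_constructed_sample()
    print(scan_for_iocs(root, PLACEHOLDER_IOC_SHA1 | {known}))
```

Hash matching only catches samples already published; paired with the monitoring recommendations above it is a cheap first check, not a substitute for behavioural detection of re-packed tooling.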


This article was written by Richard Flood & Julian Strong.


Sources:

Operation Tainted Love: Chinese APTs Target Telcos in New Attacks, Sentinel Labs, March 2023, https://www.sentinelone.com/labs/operation-tainted-love-chinese-apts-target-telcos-in-new-attacks/

