Phone Records and Location Data Targeted
According to Cybereason, a US-based security firm, the hackers stole phone records and location data from at least five major telecom companies. The report names Soft Cell, Naikon, and Group 3390 as some of the groups behind the attack. Lior Div, the CEO of Cybereason, said that the hackers managed to gain total control of the networks they penetrated. The hackers exploited security vulnerabilities in Microsoft Corporation's Exchange servers to gain access to the telecom companies' internal systems. Some of the targeted telecom service providers belong to Southeast Asian countries with long-standing disputes with China. One of the hacking groups has previously targeted ministries and government-owned companies in Indonesia, Vietnam, and the Philippines. However, Cybereason declined to identify the targeted countries or companies.
Primary Motive – Espionage
The report states that the hackers compromised the telecom companies to facilitate espionage on select targets. It describes the hackers as "highly sophisticated and adaptive" and says that they continue to evade security measures. The attacks are similar to the recent SolarWinds and Kaseya hacks, where third-party service providers were compromised. However, instead of delivering malware through a supply chain attack, the attackers used the compromised service providers to spy on their targets. The hackers' intent was likely to "obtain information about corporations, political figures, government officials, law enforcement agencies, political activists and dissident factions of interest to the Chinese government." Cybereason highlighted three ways in which the actors carried out their attack:
One of the groups hides its malware in a target's recycle bin folder. Another disguises itself within anti-virus software; that group also infects computers with a keylogger through a multimedia player known as "PotPlayer." Some groups, such as Soft Cell, accessed telecom networks through security weaknesses in Microsoft's Exchange servers.
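The first technique above, malware staged in a target's recycle bin, can be hunted for with a simple consistency check. The following is an added example, not code from Cybereason or from the report; it assumes a `$Recycle.Bin`-style tree in which Windows stores each deleted file as a `$R<6 chars>.<ext>` content file paired with a `$I<6 chars>.<ext>` metadata record, and it builds a constructed sample tree rather than touching a real system.

```python
import os
import re
import tempfile

# Windows stores a recycled file as "$R<6 chars>.<ext>" (the content) next to
# "$I<6 chars>.<ext>" (deletion metadata). A normal deletion produces both.
RECYCLED_NAME = re.compile(r"^\$([IR])([A-Z0-9]{6})(\..*)?$", re.IGNORECASE)

def is_pe(path):
    """True if the file begins with the 'MZ' DOS header of a Windows executable."""
    try:
        with open(path, "rb") as f:
            return f.read(2) == b"MZ"
    except OSError:
        return False

def scan_recycle_bin(root):
    """Walk a $Recycle.Bin-style tree and return (path, reason) findings.

    Flags files whose names do not follow the $I/$R convention, and $R
    executables with no matching $I record: both indicate something was
    placed in the bin directly rather than deleted through the shell.
    """
    findings = []
    for dirpath, _, files in os.walk(root):
        present = set(files)
        for name in files:
            full = os.path.join(dirpath, name)
            m = RECYCLED_NAME.match(name)
            if m is None:
                findings.append((full, "non-standard name in recycle bin"))
                continue
            kind, token, ext = m.group(1).upper(), m.group(2), m.group(3) or ""
            if kind == "R" and is_pe(full) and ("$I" + token + ext) not in present:
                findings.append((full, "executable without $I metadata record"))
    return findings

def summarize(findings):
    """Map each flagged file's basename to its reason (handy for reporting/tests)."""
    return {os.path.basename(p): reason for p, reason in findings}

def build_sample_tree():
    """Constructed sample (placeholder SID): one normally deleted exe pair,
    one orphaned $R exe, and one PE dropped under an arbitrary name."""
    root = tempfile.mkdtemp()
    sid_dir = os.path.join(root, "S-1-5-21-0-0-0-1001")
    os.makedirs(sid_dir)
    pe_stub, meta_stub = b"MZ" + b"\0" * 62, b"\x02" + b"\0" * 23
    for name, data in (("$RABC123.exe", pe_stub), ("$IABC123.exe", meta_stub),
                       ("$RXYZ789.exe", pe_stub), ("update.dll", pe_stub)):
        with open(os.path.join(sid_dir, name), "wb") as f:
            f.write(data)
    return root
```

On a live host the same function would be pointed at each volume's `$Recycle.Bin` directory; the sample tree only stands in for that.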
While the current attack was carried out for the purpose of espionage, it has the potential for much greater harm. According to Div, these operations have "the potential to threaten the national security of countries in the region, and those who have a vested interest in the region."
Growing Tensions With Chinese Cyber Attacks
This episode comes after the U.S., the U.K. and other allies called out the Chinese government for its role in the Microsoft Exchange hack. At the time, the U.S. issued a public statement condemning the Chinese government's behavior in cyberspace. The U.K. government and the European Union both supported this statement, and they also came out with statements confirming China's role. In a press briefing, the Chinese Foreign Ministry denied the allegations, calling them "purely a smear and suppression campaign borne out of political motives."