Hackers Steal Tons of Phone Records From 10 Carriers Worldwide

At least ten different telecommunications companies worldwide were hacked into as part of a longstanding state-sponsored spying operation, says Boston-based information-security firm Cybereason.

Credit: REDPIXEL.PL/Shutterstock

(Image credit: REDPIXEL.PL/Shutterstock)

The hackers targeted the call and text-message records of 20 to 30 high-profile individuals, giving the spies insight into the targets' movements, contacts and activities. The spying operation bears the hallmarks of a well-known Chinese hacking crew, although that circumstantial evidence could be a false flag to throw off investigators.

Cybereason's report did not disclose the names of the hacked telecoms, but said that none were in North America. Nor did it name the targeted individuals, whose identities would indicate whichever country was most interested in their activities. Likely targets would be political dissidents, national leaders, military officials or corporate executives.

The average citizen is in little danger from this espionage campaign, which Cybereason has named "Operation Soft Cell," even though, in Cybereason's words, "hundreds of gigabytes" of call records were harvested over a period of years.

MORE: Best Android Antivirus Apps

Previous massive data thefts thought to be the work of Chinese spies, such as the Starwood Hotels data breach, the U.S. Office of Personnel Management intrusion and possibly even the Equifax hack of 2017, have not flooded cybercrime markets with stolen personal information, as they would if criminals were behind the attacks.

Presumably, Chinese spies are keeping the data to themselves so they can sift through it to identify Western spies, espionage assets and prominent individuals.

How the Soft Cell attack worked

In the case of Operation Soft Cell, hackers apparently got into the telecoms' systems by exploiting vulnerabilities in Microsoft-powered web servers. Once in the systems, they used other common tools to steal administrative passwords and move throughout the computer networks.

"They would exploit one machine that was publicly accessible through the internet, dump the credentials from that machine, use the credentials stolen from the first machine and repeat the whole process several times," Amit Serper, head of security research at Cybereason, told TechCrunch.

At one point, the hackers got tired of using a chain of compromised machines to access the targeted networks, so they simply set up a private VPN client deep inside a company network for quicker access. Cybereason said the hackers' main activities started in 2017, although some activity dated back as far as 2012.

The hackers used tactics and software tools characteristic of the Chinese crew variously known as APT 10, MenuPass, Red Apollo, Hogfish and Stone Panda. The group has previously targeted aerospace, defense, educational, government and healthcare systems.

Cybereason chief executive Lior Div told The Wall Street Journal that the hackers used servers and domains in China, Hong Kong and Taiwan.

Who you gonna call?

Call-record metadata is valuable because it details when calls and text messages are made and who is sending and receiving the calls and texts. (Edward Snowden's NSA leaks began with call records obtained under warrant from Verizon's business services.) It also often reveals the location of a cellphone and the make, model and operating system of the phone.

Call-record metadata does not capture the contents of phone calls or, in most cases, of text messages. But it does tell you with whom a targeted individual is in contact, where that individual is and has been, and what kind of devices that person is using.

Best Identity Protection Services

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.