Attackers targeting major telecom providers to obtain data related to high-profile individuals

• A research report suggests that the cyberattacks on these organizations have been underway for many years.
• It is also speculated that the tools and techniques used by the attacker were linked to Chinese threat actor APT10.

A new research report has shed light on a string of cyberattacks carried out on numerous telecommunication companies across the world. The report, published by security firm Cybereason, provides details on how the threat actors used various tools and techniques in their stealth attacks against networks of these organizations since 2017. The attacks are said to have compromised networks of companies in over 30 countries and were aimed at obtaining information related to high-profile individuals.

It was also revealed that the attacks were likely linked to the infamous threat actor APT10 aka MenuPass group. On the other hand, the names of the companies affected in these attacks were not disclosed.

Worth noting

• According to the report, threat actors attempted to obtain CDR data such as call logs, cell tower locations, etc., of specific individuals. On top of this, they tried to compromise the critical assets of the telecom company.
• The attacks started with an instance where a web shell was executed on a vulnerable server of a telecom company. This was done to gain information about the company’s network and its assets.
• Cybereason researchers mention that the threat actors worked in ‘waves’. This means attackers departed from an ongoing attack after detection or mitigation and came back with different tools and techniques in their next attack.
• The threat actors on various tools in the attacks. This includes Nbtscan, Mimikatz, PoisonIVY RAT, hTran, custom-built web shells among others.

Likely involvement of APT10

Cybereason researchers believe that the threat actors might be the Chinese-based APT10 behind these attacks. “Having found multiple similarities to previous attacks, it is our estimation that the threat actor behind these attacks is likely linked to APT10, or at the very least, to a threat actor that shares tools, techniques, motive and infrastructural preferences with those of APT10,” the researchers wrote in the report.