Chinese Hacking Team APT10, Still Actively Operating
In a previous article here on Hackercombat.com, we featured the story of Iran’s APT (Advanced Persistent Threat) team, which is not at all surprising given the country’s continued diplomatic and geopolitical feud with the United States. Today we feature China’s own APT team, known only under the pseudonym APT10. Cybereason, an enterprise antimalware vendor, revealed that APT10 has shown its presence regularly; in fact, it was the hacker team behind the October 2018 hacking of NASA.
Cybereason dismissed the possibility that some other party is merely pretending to be the Chinese APT10 team in order to stir up the already escalating tensions between the United States and China. The company believes the APT10 activity it detected is genuine, as the servers and IP addresses involved point to Hong Kong, mainland China, and Taiwan as the origin.
Two other cybersecurity companies, CrowdStrike and FireEye, could not verify Cybereason’s claims, citing the technical and political power plays between the players involved (the United States, China, and possibly also Iran, Russia, and others). Cybereason named APT10’s campaign “Operation Soft Cell”; it focuses on cyber espionage against cellular network providers in the United States and its allies. In at least one case, metadata harvesting was reported to occur regularly under the auspices of APT10 against its chosen targets.
“I wouldn’t be surprised to learn that a Chinese actor has targeted 10 telecom providers. They’re moving toward the backbone, hitting providers with access to a lot of data instead of going after targets in onesies and twosies. They gain a higher level of access and limit their exposure,” emphasized John Hultquist of FireEye, confirming the APT10 incident.
Though metadata does not contain the actual content of a user’s communications (it is commonly described as “data about the data”), it is enough to reconstruct records of great interest to hackers and scammers alike: device name, SIM IMEI, call time records, and the mobile networks the user connected to.
“That metadata is sometimes more important than the contents of what you’re saying. It allows an intelligence service to build a whole picture of you: who you’re talking to, who are your peers and coworkers, when do you wake up and go to bed, where you work, what your route to work looks like. These are valuable pieces of information,” explained Amit Serper, Cybereason’s Security Researcher.
Cybereason declined to name the companies most at risk, but stressed that cellular network operators and last-mile network providers are affected across Africa, Asia, Europe, and the Middle East. The company downplayed the risk for companies operating in North America, as it believes the evidence indicates that the weakest systems are the ones being targeted, most of which are located in Asia, Africa, and other regions with weak security defenses.
“We know how intelligence services operate, and it’s not something we haven’t seen before. But we haven’t seen this scale,” added Serper.
Metadata collection and espionage is not a new attack strategy. In 2013, Edward Snowden, a former NSA contractor, accused the United States government of extracting metadata and spying on its own citizens.