The recent attacks on cellular carriers attributed to China, known as Operation Soft Cell, are part of an espionage campaign built on the abuse of privileged accounts. Compromising credentials remains the attackers' weapon of choice and one of the most common attack patterns.
We first encountered this pattern when Edward Snowden's leaks revealed Operation Socialist, a campaign by the British Government Communications Headquarters (GCHQ) that allegedly took control of the network of Belgacom, one of the most widely used telecommunications providers in Belgium. Access to Belgacom would give an intelligence agency the metadata needed to track specific target individuals. Aside from the new attack coming from a very different quarter – China's APT10 is suspected, rather than GCHQ – the two operations are strikingly similar.
Operation Socialist, like the recent Soft Cell operation, leveraged privileged accounts to take control of telecommunications systems and to persist while staying in the shadows. Neither attack needed to rely on exploiting vulnerabilities or on burning sophisticated, aggressive tooling that costs a lot to develop. In both cases the groups compromised the organization's privileged accounts, in particular domain admin accounts. A domain admin account has administrative rights over the entire Active Directory domain, which makes it extremely useful to an attacker.
Domain admin accounts and other well-known privileged accounts are usually tightly controlled and monitored. However, there were still weaknesses to exploit. The attackers probably went after shadow admins: accounts that hold privileged rights without being members of the built-in privileged Active Directory groups, which lets them fly under the radar and be overlooked by security teams.
Such accounts hold specific rights (for example, permission to reset a domain admin's password, to change the membership of a privileged group, or to rewrite the ACL of a sensitive object) that let an attacker take control of the entire network without ever being a member of a privileged group. Consequently the attack leaves little trace while still giving the attacker flexibility. In the Soft Cell operation the attackers set up their own VPN service to give themselves covert access to the network, possibly backed by shadow admin accounts.
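The shadow-admin problem described above is, concretely, an ACL problem: the dangerous rights live in access control entries on a handful of Tier-0 objects rather than in group membership, so group audits never see them. The following PowerShell script is an added example, written for this page and not taken from the post or from any vendor tool, that reads those ACLs and reports every principal holding a control-equivalent right without being in a built-in privileged group. The list of privileged groups, the three target objects and the set of rights treated as "control" are my assumptions, chosen to match the attack paths the text describes (password reset, group membership change, ACL change); the schema and extended-right GUIDs are the standard Active Directory values.

```powershell
# Added example, not code from the original post: find candidate "shadow admins" in the
# current Active Directory domain. A shadow admin here is any principal that holds a
# control-equivalent right on a Tier-0 object through an ACL entry while NOT being a member
# of a built-in privileged group. Requires the ActiveDirectory module (RSAT) on a
# domain-joined host; read access to the directory is enough.
Import-Module ActiveDirectory

$domain    = Get-ADDomain
$domainSid = $domain.DomainSID.Value

# Assumption: these groups define the "known" admins. Anyone outside them who holds
# control rights on the targets below is reported.
$privilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Administrators', 'Schema Admins',
                      'Account Operators', 'Backup Operators', 'Server Operators', 'Print Operators')

$knownSids = @{}
foreach ($group in $privilegedGroups) {
    try {
        Get-ADGroupMember -Identity $group -Recursive -ErrorAction Stop |
            ForEach-Object { $knownSids[$_.SID.Value] = $true }
    } catch { }   # Enterprise Admins / Schema Admins exist only in the forest root domain
}
# Well-known SIDs that legitimately hold these rights: SYSTEM, SELF, BUILTIN\Administrators,
# Enterprise Domain Controllers, Domain Controllers, Domain Admins, Enterprise Admins.
$expectedSids = @('S-1-5-18', 'S-1-5-10', 'S-1-5-32-544', 'S-1-5-9',
                  "$domainSid-516", "$domainSid-512", "$domainSid-519")

# Schema / extended-right GUIDs that turn an ordinary ACE into a takeover path.
$memberAttr        = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'  # 'member' attribute
$forcePassword     = [guid]'00299570-246d-11d0-a768-00aa006e0529'  # User-Force-Change-Password
$replGetChanges    = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'  # DS-Replication-Get-Changes
$replGetChangesAll = [guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'  # DS-Replication-Get-Changes-All
$allObjects        = [guid]::Empty                                  # ACE covers every attribute/right

function Test-ControlAce {
    # Returns $true when the ACE grants rights that amount to control of the object.
    param([System.DirectoryServices.ActiveDirectoryAccessRule]$Ace)
    if ($Ace.AccessControlType -ne 'Allow') { return $false }
    $r = $Ace.ActiveDirectoryRights
    $t = [System.DirectoryServices.ActiveDirectoryRights]
    if ($r.HasFlag($t::GenericAll) -or $r.HasFlag($t::GenericWrite) -or
        $r.HasFlag($t::WriteDacl)  -or $r.HasFlag($t::WriteOwner)) { return $true }
    # Write to every attribute, or specifically to 'member' (add yourself to the group).
    if ($r.HasFlag($t::WriteProperty) -and $Ace.ObjectType -in @($allObjects, $memberAttr)) { return $true }
    if ($r.HasFlag($t::Self)          -and $Ace.ObjectType -in @($allObjects, $memberAttr)) { return $true }
    # Extended rights: all of them, password reset, or the replication rights behind DCSync.
    if ($r.HasFlag($t::ExtendedRight) -and
        $Ace.ObjectType -in @($allObjects, $forcePassword, $replGetChanges, $replGetChangesAll)) { return $true }
    return $false
}

# Assumption: these three objects are the Tier-0 targets worth checking. The domain head
# carries the replication (DCSync) rights, the group is where new domain admins get added,
# and the ACL on AdminSDHolder is stamped onto every protected account by SDProp.
$targets = @(
    $domain.DistinguishedName,
    (Get-ADGroup -Identity 'Domain Admins').DistinguishedName,
    "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"
)

$findings = foreach ($dn in $targets) {
    $acl = Get-Acl -Path "AD:\$dn"
    foreach ($ace in $acl.Access) {
        if (-not (Test-ControlAce $ace)) { continue }
        $name = $ace.IdentityReference.Value
        try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { $sid = $name }   # unresolvable SID: keep it in the report, it deserves a look
        if ($sid -in $expectedSids -or $knownSids.ContainsKey($sid)) { continue }
        if (($name -split '\\')[-1] -in $privilegedGroups) { continue }
        [pscustomobject]@{
            Target    = $dn
            Principal = $name
            Rights    = $ace.ActiveDirectoryRights.ToString()
            Scope     = $(if ($ace.ObjectType -eq $allObjects) { 'all' } else { $ace.ObjectType.ToString() })
            Inherited = $ace.IsInherited
        }
    }
}

$findings | Format-Table -AutoSize
```

Every row in the output is an account or group that can become a domain admin, or act as one, without appearing in any privileged group; application service groups (mail or backup systems are the usual culprits) show up regularly and must be protected and monitored exactly like domain admins. Rows marked Inherited point to a broad right granted higher up, at the domain or an OU, which is worth chasing back to its source. The script only inspects three objects, so a full review should extend the target list to the other protected groups and to the OUs that hold privileged accounts.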
Using shadow admins to gain access is not the only shortcut the Operation Soft Cell and Operation Socialist attackers took. In both cases the attacks on the telecom companies were supply chain attacks: the carrier supplies connectivity, and therefore call records and location data, to every target the attackers cared about, so compromising it once yields access to all of them. Hardware manufacturing facilities, software companies that ship product updates and internet backbone servers are exposed to supply chain attacks in the same way.
This has become common, with many attackers redirecting their efforts from well-defended organizations to their less secure supply chains. An attacker who wants intimate, persistent access to a company's data and intellectual property can replace sending phishing emails to vast numbers of employees with bugging the hardware the company buys. An attacker who wants an individual's metadata, location and calls over a long period can replace burning a costly WhatsApp vulnerability with compromising the carrier that serves that individual's phone.