Israeli cybersecurity company Cybereason recently briefed key staff members of many US House and US Senate Committees on Operation Soft Cell, an investigation into a massive espionage campaign targeting nearly a dozen global telecommunications providers.
Cybereason’s CTO and Co-founder Yonatan Striem-Amit and Amit Serper, Senior Director and Head of Security Research, represented Cybereason in the briefings. Serper was one of the investigators in the nearly one-year-long investigation. The two executives met with the House Homeland Security Committee, Senate Homeland Security and Governmental Affairs Committee, Senate Select Committee on Intelligence, Senate Commerce, Science, and Transportation Committee, House Energy and Commerce Committee, and the House Permanent Select Committee on Intelligence.
“The committees we met with raised questions about the likelihood of similar attacks being carried out closer to home in North America. We reiterated that we have found no evidence of this occurring to date. Operation Soft Cell is an ongoing investigation and we are finding interesting things every day. We know the hackers have specific motives and are running a highly targeted, persistent operation to own the networks and track a very targeted list of high-profile individuals on different continents,” said Striem-Amit.
Key Points from Operation Soft Cell:
- Soon after deploying into the environment, Cybereason identified an advanced, persistent attack targeting telecommunications providers that had been underway for years.
- Cybereason spotted the attack and later supported the telecommunications provider through four more waves of the advanced persistent attack over the course of six months.
- Operation Soft Cell has been active since at least 2012, though some evidence suggests even earlier activity by the threat actor against telecommunications providers.
- The attack was aiming to obtain call detail records (CDRs) from a large telecommunications provider.
- The threat actor was attempting to steal all data stored in Active Directory, compromising every single username and password in the organization, along with other personally identifiable information, billing data, call detail records, credentials, email servers, geo-location of users, and more.
- The tools and TTPs used are commonly associated with Chinese threat actors.
- During the persistent attack, the attackers worked in waves, abandoning one thread of attack when it was detected and stopped, only to return months later with new tools and techniques.