Cellular networks under fire from Soft Cell attacks

Cellular networks under fire from Soft Cell attacks

We place a lot of trust in our mobile experience, given they’re one of the most constant companions we have. Huge reams of data, tied to a device we always carry with us, with said device frequently offering additional built-in app functionality. An astonishing wealth of information, for anyone bold enough to try and take it.

Security firm Cybereason uncovered an astonishing attack dubbed “Operation soft cell” haunting at least ten cellular networks based around the globe. Over the course of seven years, they went after all manner of detailed information on just 20 to 30 targets, feeding it back to base and building up an amazingly detailed picture of their daily dealings.

What happened here?

The compromise, which the researchers have given a high probability of being a nation-state attack, went to elaborate lengths to nab their high value targets. Attackers first gained a foothold by targeting a web-connected server and making use of an exploit to gain access. A shell would then be placed to enable further unauthorised activity.

In this particular case, a modified version of the well-known China Chopper was deployed to carry out specific tasks. It’s quite flexible, able to run on multiple server platforms. It’s also quite old, dating back several years. I guess there’s no tunes quite like the classics.

Thanks to China Chopper and a variety of alternative compromise tools, the attackers would make use of credentials from the first machine to dig deeper in the network. Well-worn RATs like PoisonIvy were used to ensure continued access on compromised devices.

Eventually, they’d gain control of the Domain Controller and at that point,  it’s essentially game over for the targeted organisation.

Groundhog Day

It appears the criminals reused various techniques to work their way around the various cellular networks, with little resistance. Talk about “If it ain’t broke, don’t fix it.” So total was their ownership of certain organisations, they were able to set up VPN services to enable quick, persistent access on hijacked networks instead of taking the much slower route and connecting their way through multiple compromised servers.

If they were worried about being caught in the act, they certainly didn’t show it. In fact, from reading the main report it seems in cases where there was some pushback, they simply looped back around and tried again till they succeeded, attacking in waves staggered over a period of months.

The Crown Jewels

Most of the time, attacks on web-facing servers result in an email from Have I been pwned and you see which bits of personal information have been fired across the web this time. Not here, however—it was never going to end with a username/password dump.

The attackers plundered cellular networks, gained access to pretty much everything you could think of. In cases where the target was fully compromised, all username/passwords were grabbed, along with billing information and various smatterings of personal data.

However, the big prize here wasn’t being able to hurl all of this onto a Pastebin or upload it to social media as a free-for-all; nothing so bland. It was, instead, being able to sit on both this data quietly alongside hundreds of gigabytes of call detail records. This is, as you’ll see, a bad thing.

Call detail records: What are they?

Good question.

Call detail records are all about metadata. They won’t give you the contents of the call itself, but what they will give you is pretty much everything else. They’re useful for a variety of things: billing disputes, law enforcement inquiries, tracking people down, bill generation, call volumes/handling for businesses and much more. Not only do they avoid recordings of conversations, they also steer clear of specific location information.

Nonetheless, patterns of behaviour are easy to figure out. A typical CDR could include:

  • Caller
  • Recipient
  • Start/end time of call
  • Billing number
  • Voice/SMS/other
  • A specific number used to identify the record in question
  • How the call entered/exited the exchange

If you’re looking to target specific individuals, then this data over time is an incredible resource for an attacker to get hold of. Some may prefer the old spear phish/malware attachment type scenario, but by going after the target directly, it’s quite possible someone’s going to find out. Where targets are high value, they’ll almost certainly have additional security measures in place. For example, journalists who cover human rights abuses in dangerous parts of the world will often work with organisations who keep an eye out for potential attacks.

This method, aimed at slowly digging around behind the scenes and out of view from whoever happens to be using those networks, is much sneakier. Depending on how things pan out, it’s entirely possible they’d never even know they’d been compromised by proxy in the first place.

Hidden in plain sight

With methods such as this, the people behind the malware daisy chain have an amazing slice of access to the individual with no direct specific risk. Everything at that point comes down to how well the cellular network is locked down, how good their security is, how on the ball their incident response team happens to be, and so on.

If (say) they failed to spot numerous attacks, left vulnerable servers online, missed telltale signs that something is amiss, let well-known RATs like PoisonIvy dance across their network, allowed the hackers to set up a bunch of VPN nodes…well, you can see where I’m going with this.

Where I’m going is several years later and a large slice of “Oh dear.”


Well, first thing’s first: don’t panic. It’s worth noting there isn’t any additional verification (yet) outside the initial threat report. Something bad has clearly happened here, but as to how severe it is, we’ll leave that to others to debate.

Whether this was pulled off by a high-level nation state approved group of attackers or a random collection of bored people in an apartment, one way or another those cell networks really had a number done on them. The impact to the individuals caught by this is the same, and one assumes they’ve been informed and taken appropriate action. We can only hope the cellular networks impacted have now taken appropriate measures and shored up their defences.


Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.