Unmasking Operation Soft Cell: The Persistent Chinese Cyber Espionage Campaign Targeting Middle East Telecoms

In the first quarter of 2023, telecom providers in the Middle East became the targets of a new cyber attack campaign conducted by a Chinese espionage actor. Attribution was made based on similarities in tooling overlaps to a known campaign dubbed “Operation Soft Cell.” This campaign has been ongoing for over a decade, with various espionage campaigns conducted against telecom providers globally.

Attribution of cyber attacks to a Chinese espionage actor

The intrusion set used in the Middle East was attributed to a Chinese espionage actor associated with Operation Soft Cell. The specific group is also known as Gallium and has traditionally targeted unpatched, internet-facing services. The latest campaign followed the same modus operandi with the goal of obtaining footholds within targeted telecom networks.

Methodology used by the threat actor during the attack

Once a foothold had been established, the attackers conducted various activities such as reconnaissance, credential theft, lateral movement, and data exfiltration. The attack was carried out with careful consideration to ensure maximum stealth and long-term access.

History of Operation Soft Cell targeting telecommunications providers

Operation Soft Cell has been running since at least 2012, primarily targeting telecom providers in Asia, Europe, Africa, and the Middle East. The main objective of the campaign is to access customers’ call records, messages, and other sensitive communication data. The group is known for stealing data and remaining undetected within systems for spans of up to five years.

Use of tools by the threat actor such as Mimikatz and PingPull

The Soft Cell threat actor utilized various tools, such as Mimikatz and PingPull, in its espionage campaigns. Mimikatz is a well-known credential theft tool used to obtain access to sensitive network resources. PingPull is a backdoor employed in a variety of campaigns with stealth capabilities that are difficult to detect. The use of these tools points to the advanced capabilities of the threat actor.

Focus on custom toolsets to maintain stealth

The central aspect of the recent campaign was the deployment of a custom variant of Mimikatz called mim221. This variant packed additional anti-detection features. The group also employed special-purpose modules that implemented advanced techniques, indicating their dedication towards weaponizing infrastructure to the fullest extent to avoid detection.

Detection and prevention of the attacks:

The recent cyber attacks in the Middle East were eventually thwarted, and no implants were deployed on the target networks. With increased awareness, threat intelligence, and early detection, defenders are better equipped to stop cyber attacks. Telecom providers should take a layered approach to security, including:

1. Keeping all software up-to-date,
2. Blocking unnecessary ports on firewalls,
3. Utilizing two-factor authentication,
4. Monitoring for unusual network activity,
5. Deploying enterprise antivirus and network security solutions.

Likelihood of continued upgrades to evade detection

The Soft Cell campaign has been ongoing for close to a decade, however, the group does not appear to be slowing down anytime soon. The group could explore upgrading its tools with new techniques for evading detection, which will make the work of the defenders even more challenging.

With the current cyberattacks on telecom providers, the importance of cybersecurity has been highlighted. The recent attack in the Middle East by a Chinese espionage actor is another pointer to the need for a layered approach to security. The fact that the recent attacks were foiled shows that when organizations have proper security protocols in place, even sophisticated cyber threats can be detected before irreparable damage occurs. Lessons should be learned from this attack, and stakeholders should be vigilant against future threats.

Explore more

UpCrypter Phishing Campaign Deploys Dangerous RATs Globally

Introduction Imagine opening an email that appears to be a routine voicemail notification, only to find that clicking on the attached file unleashes a devastating cyberattack on your organization, putting sensitive data and operations at risk. This scenario is becoming alarmingly common with the rise of a sophisticated phishing campaign utilizing a custom loader known as UpCrypter to deploy remote

Fintech Cybersecurity Threats – Review

Imagine a financial system so seamless that transactions happen in mere seconds, connecting millions of users to a digital economy with just a tap. Yet, beneath this convenience lies a looming danger: a single compromised credential can unleash chaos, draining millions from accounts before anyone notices. This scenario isn’t hypothetical—it played out in Brazil’s Pix instant payment system, a cornerstone

How Did a Cyberattack Shut Down Nevada’s State Offices?

What happens when a state’s digital foundation crumbles in mere hours, leaving critical operations paralyzed? On August 24, a devastating cyberattack struck Nevada, forcing a complete shutdown of all state office branches for two days, with systems like email, public records, and internal communications grinding to a halt. Critical systems—email, public records, and internal communications—ground to a halt, leaving officials

Why Should Leaders Invest in Employee Career Growth?

In today’s fast-paced business landscape, a staggering statistic reveals the stakes of neglecting employee development: turnover costs the median S&P 500 company $480 million annually due to talent loss, underscoring a critical challenge for leaders. This immense financial burden highlights the urgent need to retain skilled individuals and maintain a competitive edge through strategic initiatives. Employee career growth, often overlooked

Making Time for Questions to Boost Workplace Curiosity

Introduction to Fostering Inquiry at Work Imagine a bustling office where deadlines loom large, meetings are packed with agendas, and every minute counts—yet no one dares to ask a clarifying question for fear of derailing the schedule. This scenario is all too common in modern workplaces, where the pressure to perform often overshadows the need for curiosity. Fostering an environment