Unmasking Operation Soft Cell: The Persistent Chinese Cyber Espionage Campaign Targeting Middle East Telecoms

In the first quarter of 2023, telecom providers in the Middle East became the targets of a new cyber attack campaign conducted by a Chinese espionage actor. Attribution was made based on similarities in tooling overlaps to a known campaign dubbed “Operation Soft Cell.” This campaign has been ongoing for over a decade, with various espionage campaigns conducted against telecom providers globally.

Attribution of cyber attacks to a Chinese espionage actor

The intrusion set used in the Middle East was attributed to a Chinese espionage actor associated with Operation Soft Cell. The specific group is also known as Gallium and has traditionally targeted unpatched, internet-facing services. The latest campaign followed the same modus operandi with the goal of obtaining footholds within targeted telecom networks.

Methodology used by the threat actor during the attack

Once a foothold had been established, the attackers conducted various activities such as reconnaissance, credential theft, lateral movement, and data exfiltration. The attack was carried out with careful consideration to ensure maximum stealth and long-term access.

History of Operation Soft Cell targeting telecommunications providers

Operation Soft Cell has been running since at least 2012, primarily targeting telecom providers in Asia, Europe, Africa, and the Middle East. The main objective of the campaign is to access customers’ call records, messages, and other sensitive communication data. The group is known for stealing data and remaining undetected within systems for spans of up to five years.

Use of tools by the threat actor such as Mimikatz and PingPull

The Soft Cell threat actor utilized various tools, such as Mimikatz and PingPull, in its espionage campaigns. Mimikatz is a well-known credential theft tool used to obtain access to sensitive network resources. PingPull is a backdoor employed in a variety of campaigns with stealth capabilities that are difficult to detect. The use of these tools points to the advanced capabilities of the threat actor.

Focus on custom toolsets to maintain stealth

The central aspect of the recent campaign was the deployment of a custom variant of Mimikatz called mim221. This variant packed additional anti-detection features. The group also employed special-purpose modules that implemented advanced techniques, indicating their dedication towards weaponizing infrastructure to the fullest extent to avoid detection.

Detection and prevention of the attacks:

The recent cyber attacks in the Middle East were eventually thwarted, and no implants were deployed on the target networks. With increased awareness, threat intelligence, and early detection, defenders are better equipped to stop cyber attacks. Telecom providers should take a layered approach to security, including:

1. Keeping all software up-to-date,
2. Blocking unnecessary ports on firewalls,
3. Utilizing two-factor authentication,
4. Monitoring for unusual network activity,
5. Deploying enterprise antivirus and network security solutions.

Likelihood of continued upgrades to evade detection

The Soft Cell campaign has been ongoing for close to a decade, however, the group does not appear to be slowing down anytime soon. The group could explore upgrading its tools with new techniques for evading detection, which will make the work of the defenders even more challenging.

With the current cyberattacks on telecom providers, the importance of cybersecurity has been highlighted. The recent attack in the Middle East by a Chinese espionage actor is another pointer to the need for a layered approach to security. The fact that the recent attacks were foiled shows that when organizations have proper security protocols in place, even sophisticated cyber threats can be detected before irreparable damage occurs. Lessons should be learned from this attack, and stakeholders should be vigilant against future threats.

Explore more

Apple iPhone 18 Leak Reveals RAM Upgrades for Advanced AI

Dominic Jainy brings a wealth of knowledge to the table regarding the hardware-software symbiosis required for modern artificial intelligence. As an IT professional deeply embedded in the evolution of silicon architecture and machine learning, he offers a unique perspective on why seemingly incremental hardware shifts often dictate the entire user experience. This discussion explores the technical nuances of Apple’s transition

Why Are Investors Choosing Pepeto Over Stagnant Ethereum?

The global cryptocurrency landscape is currently undergoing a fundamental reorganization as capital increasingly migrates from established legacy protocols toward nimble, utility-driven newcomers that offer significant growth potential. For years, Ethereum remained the undisputed leader in smart contract functionality, yet its recent price stagnation has left many market participants searching for more dynamic opportunities. This transition is not merely a product

AI Becomes the Core Infrastructure of Global Banking

The global financial sector has officially moved past the phase of speculative experimentation, cementing artificial intelligence as the definitive architectural foundation upon which all modern banking services now operate. This structural metamorphosis represents a pivot from peripheral innovation toward a state of full-scale operational maturity, where algorithms are no longer viewed as external additions but as the very core of

Will the Vivo X500 Series Set New Flagship Standards?

The swift evolution of mobile technology often leaves consumers wondering if the next major release will truly redefine the experience or simply polish existing features. Currently, the industry looks toward the X500 series as a potential catalyst for change. The pace of innovation has accelerated to a point where a yearly cycle no longer satisfies the hunger for cutting-edge hardware

AI and Supply Chain Risks Reshape the Cyber Threat Landscape

The speed at which a software vulnerability transforms from a quiet discovery into a weaponized global threat has reached a breaking point, redefining the very concept of digital defense. This phenomenon, frequently described as the compression of time, characterizes a modern landscape where the gap between the identification of a flaw and its active exploitation by malicious actors has essentially