Unmasking Operation Soft Cell: The Persistent Chinese Cyber Espionage Campaign Targeting Middle East Telecoms

In the first quarter of 2023, telecom providers in the Middle East became the targets of a new cyber attack campaign conducted by a Chinese espionage actor. Attribution was made based on similarities in tooling overlaps to a known campaign dubbed “Operation Soft Cell.” This campaign has been ongoing for over a decade, with various espionage campaigns conducted against telecom providers globally.

Attribution of cyber attacks to a Chinese espionage actor

The intrusion set used in the Middle East was attributed to a Chinese espionage actor associated with Operation Soft Cell. The specific group is also known as Gallium and has traditionally targeted unpatched, internet-facing services. The latest campaign followed the same modus operandi with the goal of obtaining footholds within targeted telecom networks.

Methodology used by the threat actor during the attack

Once a foothold had been established, the attackers conducted various activities such as reconnaissance, credential theft, lateral movement, and data exfiltration. The attack was carried out with careful consideration to ensure maximum stealth and long-term access.

History of Operation Soft Cell targeting telecommunications providers

Operation Soft Cell has been running since at least 2012, primarily targeting telecom providers in Asia, Europe, Africa, and the Middle East. The main objective of the campaign is to access customers’ call records, messages, and other sensitive communication data. The group is known for stealing data and remaining undetected within systems for spans of up to five years.

Use of tools by the threat actor such as Mimikatz and PingPull

The Soft Cell threat actor utilized various tools, such as Mimikatz and PingPull, in its espionage campaigns. Mimikatz is a well-known credential theft tool used to obtain access to sensitive network resources. PingPull is a backdoor employed in a variety of campaigns with stealth capabilities that are difficult to detect. The use of these tools points to the advanced capabilities of the threat actor.

Focus on custom toolsets to maintain stealth

The central aspect of the recent campaign was the deployment of a custom variant of Mimikatz called mim221. This variant packed additional anti-detection features. The group also employed special-purpose modules that implemented advanced techniques, indicating their dedication towards weaponizing infrastructure to the fullest extent to avoid detection.

Detection and prevention of the attacks:

The recent cyber attacks in the Middle East were eventually thwarted, and no implants were deployed on the target networks. With increased awareness, threat intelligence, and early detection, defenders are better equipped to stop cyber attacks. Telecom providers should take a layered approach to security, including:

1. Keeping all software up-to-date,
2. Blocking unnecessary ports on firewalls,
3. Utilizing two-factor authentication,
4. Monitoring for unusual network activity,
5. Deploying enterprise antivirus and network security solutions.

Likelihood of continued upgrades to evade detection

The Soft Cell campaign has been ongoing for close to a decade, however, the group does not appear to be slowing down anytime soon. The group could explore upgrading its tools with new techniques for evading detection, which will make the work of the defenders even more challenging.

With the current cyberattacks on telecom providers, the importance of cybersecurity has been highlighted. The recent attack in the Middle East by a Chinese espionage actor is another pointer to the need for a layered approach to security. The fact that the recent attacks were foiled shows that when organizations have proper security protocols in place, even sophisticated cyber threats can be detected before irreparable damage occurs. Lessons should be learned from this attack, and stakeholders should be vigilant against future threats.

Explore more