Operation Soft Cell - a worldwide campaign against telecommunication providers

Presented at VB2019, Oct. 2, 2019, 4 p.m. (30 minutes)

In 2018, we investigated what seemed to be a single breach in a large telecommunications company. In the process of assessing data from the breach, we began to see signs of a larger attack campaign and identified the attacker as a nation state actor. Over the course of six months and through multiple waves of attacks, we were able to observe the tools and methodologies used by the attacker, recognize what data they were after, and at times watch the attacker operate on the network with admin privileges. We were able to determine that this attack was far more widespread and far reaching than it appeared. By using various techniques such as OSINTing and cross-correlating data from tools dropped by the attacker across multiple threat intel platforms, we discovered that the attack was part of a much larger, broader campaign against telcos.

Presenters:

• Assaf Dahan - Cybereason
  Assaf Dahan Assaf has over 15 years in the infosec industry. He started his career in the Israeli Military 8200 Cybersecurity unit where he developed extensive experience in offensive security. Later in his career he led Red Teams, developed penetration testing methodologies, and specialized in malware analysis and reverse engineering.
• Mor Levi - Cybereason
  Mor Levi Mor Levi has more than eight years of experience in cyber investigations, incident response, and SIEM/SOC management. She began her career as a team leader in the Israeli Defense Force security operation centre. Later, she led an incident response and forensics team at one of the big four accounting firms providing services to global organizations.
• Amit Serper - Cybereason
  Amit Serper Amit leads the security research at Cybereason's Noctornus group in the company's Boston HQ. He specializes in low-level, vulnerability and kernel research, malware analysis and reverse engineering on Windows, Linux and macOS. He also has extensive experience researching, reverse engineering and exploiting IoT devices of various kinds. Prior to joining Cybereason four years ago, Amit spent nine years leading security research projects and teams for an Israeli government intelligence agency, specifically in embedded systems security (or lack thereof). @0xAmit

Links:

• https://www.virusbulletin.com/conference/vb2019/abstracts/operation-soft-cell-worldwide-campaign-against-telecommunication-providers
• https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-SerperLeviDahan.pdf
• https://www.virusbulletin.com/virusbulletin/2019/12/vb2019-paper-operation-soft-cell-worldwide-campaign-against-telecommunication-providers/

Similar Presentations:

• VB2019 / Asterisk: a targeted VOIPspionage campaign
• DeepSec 2019 „Internet of Facts and Fears“ / The Turtle Gone Ninja - Investigation of an Unusual Crypto-Mining Campaign
• REcon 2022 / OopsSec -The bad, the worst and the ugly of APT’s operations security