back to article What the cell...? Telcos around the world were so severely pwned, they didn't notice the hackers setting up VPN points

Hackers infiltrated the networks of at least ten cellular telcos around the world, and remained hidden for years, as part of a long-running tightly targeted surveillance operation, The Register has learned. This espionage campaign is still ongoing, it is claimed. Cyber-spy hunters at US security firm Cybereason told El Reg on …

  1. Sanctimonious Prick
    Mushroom

    Pretending Yanks

    Why do the Yanks consistently blame someone else, and give them names, as if to give more credence to their claims? Fuck you, America. Lying sons of bitches! We, the people, do not forget your claims about Iraq having weapons of mass destruction. Lying. Thieving. Cunts!

    1. Anonymous Coward
      Anonymous Coward

      Re: Pretending Yanks

      Those Chinese trolls are getting terribly rude :-)

    2. Anonymous Coward
      Anonymous Coward

      Re: Pretending Yanks

      Speaking of Yanks, I heard, and you're not going to believe this, that someone had succeeded in setting up something called FaceFriend where people voluntarily gave all their personal details, location, links to others, messages etc.

      Of course they pretended that it was somehow secure and only good people would access it but it seemed a lot easier than going to the hassle of actually hacking something.

    3. Throatwarbler Mangrove Silver badge
      Holmes

      Re: Pretending Yanks

      Username checks out.

    4. Anonymous Coward
      Anonymous Coward

      Re: Pretending Yanks

      Actually, the US knew that there were weapons of mass destruction because they had sold them to Iraq and had copies of the receipts. What they didn't know is that Sadam had already used them or otherwise disposed of them before the war. The only thing the US found after invading was one nerve agent artillery shell in an armory that was probably missed when Sadam did the purge, which while it qualifies as a WMD it certainly wasn't what was claimed.

      1. Chairman of the Bored

        Re: Pretending Yanks

        Agree there was no active CBW factory around; looks like the UN did take care of business after Gulf I. But there was a hell of a lot more than one sarin shell going walkabout. See:

        https://www.nytimes.com/interactive/2014/10/14/world/middleeast/us-casualties-of-iraq-chemical-weapons.html

        Frequently it seems IED makers would grab whatever they could scrounge from an ammo dump or on sale at the souk and make some bang out of it ... Sometimes not realizing that they were playing with a mustard shell instead of HE. Kind of an accidental CW attack.

        Hundreds of servicemen exposed. Good luck trying to get long-term treatment through the Veterans' Administration...

    5. Chairman of the Bored

      Re: Pretending Yanks

      So I guess you didn't read the Chilcot report, eh?

      What happened here I think is a case of looking for signal in the noise so hard, you can see anything you want to see. Washington and London were both hooked into the same bullshit feed ... from the same sources ... and asked each other for confirmation. And got it. Intelligence sharing is only a good idea if you've actually got something unique.

      Proud veteran of Operation Enduring Cluster Fuck...

    6. Anonymous Coward
      Anonymous Coward

      Re: Pretending Yanks

      Wasn't it our very own Blair who pushed the WMD narative?

      Fair enough, the Americans were quick to accept such information without due dilligence, but it was more our screw up than theirs.

      Or at the very least, that's one offensive war we can't claim any moral highground on.

  2. Anonymous Coward
    Anonymous Coward

    But why would they need to go through an IIS server to hack the telco networks, there is huewei equipment..... Oh right sorry...

    1. Doctor Syntax Silver badge

      It's a subtle, long-term game to set up a pretended hack via Windows to cover up the fact that they were extracting data via compromised Huawei. At least I'd expect that's how the US administration will spin it.

      1. Anonymous Coward
        Anonymous Coward

        The IIS server was probably running on the machine that ran the element manager for the huawei hardware :D

    2. JetSetJim Silver badge

      Huawei might be the equipment vendor for the network, but the detail being sought is not likely on their kit but instead on central servers running billing and geopresence software which is unlikely to be Huawei. The network infrastructure had the ability to trace an individual (or more) IMSI, but that will in itself leave traces (assuming it's done by accessing the legal intercept interface), but this set of attacks send more against the customer account data, which is held elsewhere.

    3. Anonymous Coward
      Anonymous Coward

      Offense in depth?

  3. Anonymous Coward
    Black Helicopters

    "outside North America"

    Oh really.

    Operating "like" the Chinese hackers.

    Nothing found in the USA......

    Any references to MAGA found yet??

    1. ibmalone Silver badge

      Re: "outside North America"

      Who knows; maybe USA wasn't looked at, maybe there's an entire different team of hackers assigned to the USA, maybe north American equipment is too antiquated to run a VPN.

      1. phuzz Silver badge
        Devil

        Re: "outside North America"

        Don't US telecos just sell information about their customers? No need to hack anyone when you can just pretend to be a bounty hunter.

        1. Phil 54

          Re: "outside North America"

          Why even bother pretending?

          As far as I can tell, you don't even need a license to be a bounty hunter in most parts of the USA

      2. Marshalltown

        Re: "outside North America"

        Antiquated equipment is probably right. One of the hazards of being an "early adopter" is finding your self on the trailing edge of the wave as time passes. Also "not looking" is a good bet. US telcos often take a very negative approach to being told their network has problems, like having the messenger jailed.

  4. Pascal Monett Silver badge

    "it is not something you can prepare against"

    Nonsense. Now that they know, they will be preparing against. How they will prepare I have no idea, but the first step is rather obvious : control all VPN connections and make sure they're all legit. Then, I'm guessing, go and forbid VPN connections on all computers that shouldn't have it, for example with a firewall or something.

    And using the David vs Goliath reference is rather poor form - David won, and David is supposed to be the telcos.

    1. Anonymous Coward
      Anonymous Coward

      Re: "it is not something you can prepare against"

      What's to say it'll actually look like a VPN? I'm just a sysadmin who in his spare time wrote something that works fairly reliably over the Great Wall of China so dedicated hackers would likely be able to create a protocol that could look like anything they want it to look like.

    2. Anonymous Coward
      Anonymous Coward

      Re: "it is not something you can prepare against"

      control all VPN connections and make sure they're all legit.

      There are multiple ways to set up covert channels for export and for command and control. I would indeed close the door on any unknown protocol, but you can also piggyback on a known port/service.

      By the way, I presume this could become a way harder problem to solve with IPv6 with its support for extensible headers.

    3. Mark Manderson

      Re: "it is not something you can prepare against"

      ahh but David has to give a flying toss to be effective against them and ...they dont!

  5. Anonymous Coward
    Anonymous Coward

    Ah....white hats and black hats.....

    .....no such distinction! Typical misinformation put about by the modern STASI (...sorry, modern NSA, modern GCHQ, modern Russians, modern Chinese...all the same....all undermining civil society!) See "Network" for details!

    1. Alan Brown Silver badge

      Re: Ah....white hats and black hats.....

      "There are, always and only, the bad people, but some of them are on opposite sides"

  6. Anonymous Coward
    Anonymous Coward

    What answer you get depends on whom you ask

    "Cyber-spy hunters at US security firm Cybereason told El Reg on Monday the miscreants responsible for the intrusions were, judging from their malware and skills, either part of the infamous Beijing-backed hacking crew dubbed APT10 – or someone operating just like them, perhaps deliberately so".

    I can't help wondering what a Chinese or Russian security firm might have said, had anyone asked them.

    1. LDS Silver badge

      Re: What answer you get depends on whom you ask

      Of course it depends from what point of view you look at the internet from - do you believe Chinese state hackers attack Chinese targets, Russian state hackers Russian targets, and US state hackers US targets?

      1. Flywheel Silver badge

        Re: What answer you get depends on whom you ask

        do you believe ...Russian state hackers Russian targets

        Hmmm.. you might have to ask the people of Ukraine about that.

      2. Anonymous Coward
        Black Helicopters

        Re: What answer you get depends on whom you ask

        Several wars have been started by one side targeting their own forces via spec ops, and then pinning the blame on the other side.

        My money is still on either the NSA or CIA though.

    2. Anonymous Coward
      Anonymous Coward

      Re: What answer you get depends on whom you ask

      "I can't help wondering what a Chinese or Russian security firm might have said, had anyone asked them."

      Or someone in a smaller, more neutral country who found such stuff on its network.

      And for the person who asked about countries spying on their own: Yes - all the damned time - but unlike the opposition they can rock up to the Telco with a secret interception order and tell them to "do this now and if you tell anyone, you're going to jail" (It's been 30+ years since this happened to me, but anon nonetheless)

      These days they just have permanent connections into the telco network core that they can switch around at will and without anyone at the telco knowing what's being snoop on, or when. The existence of "secret NSA rooms" at AT&T facilities across the USA are well known - the secret part is what happens inside.

      1. Anonymous Coward
        Anonymous Coward

        Re: What answer you get depends on whom you ask

        Worked on that too, but in the days that it needed at least a pile of paperwork (the incentive for the telco to keep records was because intercept is a chargeable service).

        The thing is, a telco doesn't have a choice. The ability to intercept ongoing communication is something that is explicitly written into a telecommunications license, in any country in the world.

        Not that this defends a deplorable enthusiasm of some to actively engage in this, but it is a condition sine qua non to get a license.

      2. caffeine addict

        Re: What answer you get depends on whom you ask

        This is what amuses me so much about the Huawei stuff. Every nation pressures it's own countries into doing what they're told.

        The only difference is that China wrote it into law rather than keeping it an open secret.

    3. vtcodger Silver badge

      Re: What answer you get depends on whom you ask

      Ask the Chinese. Answer: 不是我们。可能是火星人 (translation per Google: "Not us. Probably Martians"

      1. Anomalous Cowturd
        Trollface

        Re: What answer you get depends on whom you ask

        Ask the Chinese. Answer: 不是我們。 可能是美國人 (translation per Google: "Not us. Probably Americans"

        Fixed that for you. ;o)

  7. Alan Brown Silver badge

    "Such lulls in activity are not unprecedented, particularly when it comes to hacking groups from s/China/govt organisations/ "

    There, FTFY

    TBH I wouldn't be at all surprised if this was Nork in origin, or even one of the larger narcogangs - they all have an interest in knowing who's talking to whom and when.

  8. chuBb. Silver badge

    VPNs would be easily overlooked its not that egregious to have missed it

    Not surprised at all that VPN's got missed, why? Its mobile (cell) phone telco(s) lost or out of date paper work seems to be indemic at all telco's who is to say that the new VPN isnt a remote cell station for a VIP, or a temporary one for an event. Very much doubt OPs would pull the plug with out full ass covering paper trails, just incase it put them downwind of the fan...

    Plus its a telco, and way to much trust is put into point to point connections between customers and carriers, why yes because we configured it at both ends and have a contract, their is no need for more security or even white listing known gateway IP's, they just would rather pretend that they still own the wires and control all access, rather than be conduits for others to run their services on top of

    So usual nonsense of modest security at the front end, and once you cross that magic employee's only line all notions of security go out the window...

    1. Alan Brown Silver badge

      Re: VPNs would be easily overlooked its not that egregious to have missed it

      "So usual nonsense of modest security at the front end, and once you cross that magic employee's only line all notions of security go out the window..."

      Yup - and THAT is why caller-ID spoofing is so trivial for any company which cares to do the paperwork and connect its own kit. Along with malicious call rerouting, or hijacking entire number ranges from halfway around the world (Nuiean and Chilean area codes being used for London-based porn lines at one point in the late 1990s...)

      If you thought BGP security was bad, you aint seen telcos.

      1. chuBb. Silver badge

        Re: VPNs would be easily overlooked its not that egregious to have missed it

        Unfortunatly i have seen telco's security upfront (disclosure i work for a small security orientated telco) without naming names once you have swapped BGP routes or got the fibre lit your pretty much free to do what ever you want.

        Any of our carriers that wont offer us a TLS enabled trunk get shunted to the dmz on the dmz for them, usually their excuse is that their is no business need or that the overpriced SBC at their end doesnt support TLS (to which i retort, kamailio its open source and perfect for TLS offload, just doesnt have a "friendly" GUI which requires you to run java 6* to access it (which is also why i have never bothered to learn anything but the CLI for any network or security gear and kill the noddy interface at first power on, seriously first command i learn once default passwords have been changed is how to kill the web interface))

        *The irony that certain unloved/unpatched cisco ASA's would force you to open that massive a security hole to configure the firewall using the noddy interface is not lost on me, especially when a former head of security i worked with wouldnt configure the devices any other way even though the majority of his other sec policies were sane....

        1. Anonymous Coward
          Anonymous Coward

          Re: VPNs would be easily overlooked its not that egregious to have missed it

          Someone who knows how to set up Kamailo costs, rather than makes, money.

          This is telecoms darling, that just won't fly.

  9. Anonymous South African Coward Silver badge

    This reminds me of Masters of Deception by Michelle Slatalla

    https://www.goodreads.com/en/book/show/984598.Masters_of_Deception

  10. Anonymous Coward
    Anonymous Coward

    It's very simple. (I'll bill you later).

    Did you build it ? If not, you can't trust it. Encrypt everything to *your* requirements before you use it. Job done.

    $100,000

    1. Marshalltown

      Re: It's very simple. (I'll bill you later).

      Years ago there was a discussion about this. One author pointed out that even with the cleanest source in the world, if the compiler is compromised, then it can install a back door in the executable. In fact, you even could have the compromise buried in the hardware bios.

      1. JimmyPage
        Thumb Up

        Re: Years ago there was a discussion about this

        Yes, I took part in it. And received massive downvotes when I pointed out that even if you wrote the compiler, unless you had designed the bare silicon yourself you still had no guarantee of security.

        Then Meltdown and Spectre came along and I had a couple or directors call me in to ask "how did I know" so far in advance (because I'd also written it into a weekly summary I did around 2011). I didn't "know". I just pointed out that there could be all sorts of vulnerabilities in the CPU itself, so there was a limit to how "secure" you could get.

        I stand by that.

  11. sitta_europea Silver badge

    One of the problems is the firewall mentality.

    Historically, firewalls just stop stuff getting in.

    Nowadays, it's at least as important to stop stuff getting out if for no other reason than GDPR.

  12. Nick Kew

    Refreshing

    or someone operating just like them, perhaps deliberately so

    US security firm takes the perfect impartial approach. Tells us what it looks like, but reminds us that "false flag" is also entirely plausible.

    This is a sharp and refreshing contrast to the nonsense we expect from politicians and TLAs. A welcome reminder that most of the private sector is still capable of existing outside of government conspiracy.

  13. Anonymous Coward
    Anonymous Coward

    Hackers infiltrated the networks of at least ten cellular telcos around the world

    The question is which telco's.

    If it's any of the top 10 telco's in any first or second world country, I would be concerned. Even most of the third world countries top 1 or 2 telco's would worry me.

    If it's some Ma and Pa virtual network operator running out of the back of their house with the whole thing held together by chicken wire and the wife's brothers best friends cousin, I'd be less concerned. They're are probably just providing cheap long distance calls as part of a money laundering operation or providing call fowarding for SPAM anyway.

    As for VPN traffic not being noticed, a suspect they either depend on VPN's for all their support (external support for small organisations) or they just don't have anything in place to control/monitor the traffic. This is why the size of the company is important in judging how serious these breaches were.

    It's a wake up call for ALL telco's to improve their general security - while they may have solid security practices, the telco's they integrate with may not be as careful.

    1. ThatOne Silver badge
      Devil

      Re: Hackers infiltrated the networks of at least ten cellular telcos around the world

      > It's a wake up call for ALL telco's to improve their general security

      It's a wakeup call for all Telcos to polish their "Our customers' security is very important to us" line, just in case.

      Why would they all of a sudden start throwing perfectly good money out of the window? Did those hacked Telcos lose any money? No, not a cent, so why bother?

  14. Gnosis_Carmot

    Name the telcos

    That way people know who to avoid doing business with.

  15. Anonymous Coward
    Anonymous Coward

    Tired of these claims

    Think people are missing something very important. A company has claimed!

    If I started my own cyber company and wanted to be noticed I could make some very bold claims that I was responsible for uncovering a major hacking operation spanning the globe.

    No telcos named. What is the likelihood that all 10 telcos would cooperate with said company? Calling bullshit on this one. Name-drop chinese hackers to try and get more publicity

    1. Doctor Syntax Silver badge

      Re: Tired of these claims

      "No telcos named" says an A/C

  16. caffeine addict

    Name and shame

    Did I miss something, or is there no hint of names or regions in the article or press release?

    Was this Tinpot Telecoms on a pacific island, or one of the international mega-telcos affecting data in multiple countries?

    1. Marshalltown

      Re: Name and shame

      No, you did not. The most geographically explicit statement was that all the telcos were outside North America.

  17. Weiss_von_Nichts
    Paris Hilton

    I don't get it

    They set up VPN do avoid the lag caused by hacked boxes? AFAIK a VPN needs two endpoints. One of them would obviously be located inside the target's network. But where if not on a hacked machine? You need to hack it to create the endpoint since you can't just leave it bumbling in the ear. So where's the difference betweed a rogue VPN machine and a hacked one?

    1. Anonymous Coward
      Anonymous Coward

      Re: I don't get it

      One doesn't raise suspicion when once you've cleared up your initial infiltration and set up a long term Comms path such as an OpenVpn deamon on a box that isn't updated 'because it's telecoms equipment, it's good for twenty years'.

      The other *might* get picked up by the daily rkhunter scan, assuming even that's installed....

  18. ExpatZ

    Vault 7, all you need to know to finger the first suspect for investigation.

  19. spold

    Mitigation...

    Terrible state of affairs... can't have that old chap...

    We are going to need to access and monitor your networks to make sure they are secure.

  20. Anonymous Coward
    Anonymous Coward

    It's what it is

    The more each country knows about the other's secrets, the less likely these countries can take advantage of them for nefarious purposes. If "A" country has XYZ on "B" and "B" has ZXY on "A", and both know it, then there is less risk of someone making a mistake. That is why, James Bond aside, the elimination of each other's spies is not considered good form. In the 1980's, two single actions had more to do with ending the cold war than all the treaties combined. The first was the cover of a National Geographic magazine showing the underground aquifers of the Nile River taken using new ground penetrating satellite based radar - the Russians said "O Fucski, this means they can see where every one of our underground missiles and hidden airbases are". The second was a Russian development having to do with being able to detect even tiny displacements in ocean surfaces from space - The Americans said "O FUBAR, this means all our missile submarines are visible."

  21. John Smith 19 Gold badge
    Unhappy

    Doesn't say much for the telco's internal IT staff, does it?

    Jeez, setting up their own VPN FFS.

    Sleeping watchdogs

    Plastic policemen etc.

  22. Anonymous Coward
    Anonymous Coward

    And what else is new?

    I work in telcos for some time and I know that everything is hacked one way or the other.

    Governa oblige telcos to tap networks, even if unconstitutional, and even the most respectful countries do it, and if you fail to provide what they want, your license is revoked. At least the Chinese and Russians are honest and the rules are clear and written in the law.

    This aside you don’t need to be super sufisticated hacker, how many telcos do a proper background checks on their employees? How many actually have some control? Plenty of cases that employees leave the companies and still have valid and valuable information that can be used easily, as for network admins, is common they leave backdoors like vpn themselves, even to do basic stuff like running torrents at nice speeds. Trust me this is way more common than you think! So would be a piece of cake to get someone employed to do this. Telcos are struggling to get people to work, there is a shortage, so they accept anything these days, and there are very commonly brainless people with privilege access, the service delivery teams is the optimum place, little control, highly transactional, large teams and core access to provision new services, that could very well be a vpn somewhere, no one will notice.

    Then there are the poor security practices, starting by lazy leadership that are always the first to break the rules. Typical case all employees have a windows laptop with ad and gpos... except all board of directors and senior leadership that want a Mac and the company can’t monitor those devices properly, but who is going to say the boss is stupid and putting the company at risk?

    Finally there are all the backdoors and exploits that can be used in endless tons of old and out of support equipment. Telcos have thousands and thousands of devices out there, is impossible to have the resources to efficiently update the devices, not to mention that that requires planned works and sign off from stake holders, customers and whatever more because of the SLAs and the ITIL processes.

    All of this to say that hacking telcos, specially the big ones, is a walk in the park and even a regulator requirement, leave the poor Chinese be :)

    1. ThatOne Silver badge
      Devil

      Re: And what else is new?

      > leave the poor Chinese be :)

      Hey, without a proper bogeyman, people will look up and notice things they shouldn't. You need a fully functional bogeyman, and you need to keep reminding people he's there, and he should be the sole focus of their worries.

  23. RunawayLoop

    Hacker of the day goes to ...

    China

    North Korea

    Iran

    Rotate as per the flavour of the day

  24. Astyanax

    North American networks weren't affected not because of any kind of "superiority" or lack thereof but maybe because the hackers knew none of the targets were in North America and simply didn't need to hack into them.

  25. Astyanax

    North American networks weren't affected not because of any kind of superiority but maybe because the hackers knew none of the targets were in North America and simply didn't need to hack into them.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021