Last week, Israeli cybersecurity company Cybereason notified 25 mobile carriers around the world that they had been hit, or that there were grounds for suspecting that they had been hit, by a severe cyberattack. The warning followed an investigation by the company over the past nine months during which cyberattacks on twelve carriers were discovered. According to Cybereason, the attack gave the hackers full access to the service providers' enterprise computer passwords and also access to full information on destinations of customers' calls and SMS messages and their locations.
The cyberattack was exposed, the company says, nine months ago at a mobile carrier with tens of millions of subscribers. Suspecting an attack, the company approached Cybereason, whose investigators deployed its systems on tens of thousands of endpoints, and after two days discovered the attack. The investigation continued for several months, and a few weeks ago Cybereason discovered that the attack was not limited to the company that had approached it, and that eleven more telecommunications companies were involved. The twelve providers serve a total of hundreds of millions of subscribers. The reason that the attackers hacked into several providers, Cybereason says, was to facilitate monitoring of their targets across countries and continents.
Cybereason co-founder and CEO Lior Div told "Globes" about how the affair unfolded. During his service in the IDF 8200 military intelligence unit, Div received the unit commander's medal for technology development.
"The first company that approached us told us that they had signs of an attack that they had not managed to connect to form a complete picture that would show whether or not they had indeed been attacked," Div says. "But the deeper we went, the more signs of an attack we found, and signs that connected all the other signs together. We discovered that the attacker had extracted a great deal of data and had encrypted the information, but we managed to spot the password he used because it was encoded within the malware that he used."
After deciphering the encryption, the company's investigators discovered a leak of information amounting to more than 100 gigabytes on twenty of the mobile carrier's subscribers. "There were millions of users on the network, but the attacker chose to extract information on specific users," says Div. "There were details of all of the calls made by a user, the SMSs that he or she sent, and all of the information about his or her location for six months. This information could be used to assemble a complete history of the people involved: where they live, where they travel every morning, when they park, whom they call, and to whom they send SMSs. This is a complete picture that makes it possible to monitor a person." The people followed were politicians and people in positions of authority, Div adds. The motivation for the surveillance was "not business. When one country attacks another, it is interested in very specific people in that country," he explains.
At no stage did the perpetrators reached the wireless devices of the people being followed, Div says. "If the user goes to an expert and asks whether his telephone has been broken into, they will tell him that the telephone is clean. The person has no way of knowing that he or she is under surveillance. After we went on investigating the matter, we saw that one of the tools inside the network had been there for seven years already, during which the attacker acquired more and more assets within the cellular network, and achieved complete control of it. All of the user names and passwords of all of the users in the organization, including the people responsible for controlling the network - the systems and the IT people. They could connect to any of the computers in the network, add a user, and delete a user," Div declares.
This capability made things easy for the perpetrators, Div explains. "Instead of breaking into the database each time in order to steal data, they installed a VPN on the billing server, which contained all of the information that they were interested in. They hooked up to it remotely, and on four separate occasions downloaded hundreds of gigabytes of information. In effect, the attackers operated like a spy ring," he says.
In order to track the attackers, Cybereason investigated how the attackers made inside and outside calls from the same network, and what infrastructure they used in order to carry out the attack. "What the attacker usually does is to replace the attack infrastructure each time, and they did this, but since they used fairly similar parameters, we managed to find the attack servers and the form of attack that they used. We discovered that they used similar infrastructure, or the very same infrastructure, to attack different companies. They took the same tools, packaged them, and used them again in order to take control of other networks," Div relates.
At this stage, which took place a few weeks ago, Cybereason contacted the CEOs or VPs information security in the affected companies, and told them that they were under attack. Last Saturday, they met with 25 more cellular companies in order to inform them about the details of the case. "We knew that some of the people in the room had definitely been under attack, but not all of them. When we could, we also contacted the authorities, such as the FBI in the US," Div says. "There are no Israeli cellular companies among these companies, but we're in touch with them, and we're helping them check whether they're under attack. We've been briefing anyone we could for the past week. This week, we'll tell the story on the stage at the Cyber Week 2019 conference at Tel Aviv University. We hope that we reach as many companies as possible, and that they do something about the matter."
Cybereason suspects that the perpetrators are Chinese. The company identified tools and a style corresponding to a Chinese attack group named APT10, although because of the too great similarity, Cybereason does not rule out that an imposter is seeking to put the blame on the Chinese. In any case, "The perpetrator is sophisticated, and has advanced cyber capabilities characteristic of countries. This is the first time that we have seen a specific attack group with access to many hundreds of cellular companies with the ability to conduct surveillance on hundreds of millions of users, and they use it in very specific cases to monitor specific users. We discovered that there was actually a country's intelligence network that could monitor any user of any of these companies for years. It is on the same scale as Snowden's leaks, which showed that the US was conducting surveillance on its citizens. So here, we have a country that is spying on everyone, not just its citizens. We assume that over the past seven years, many targets were replaced. They certainly didn't follow the same people every single time for 20 years," Div says. Furthermore, the potential damage from the capability acquired by the perpetrators is enormous. "They could make the entire cellular networks crash completely, and create chaos," he explains.
Div rules out the possibility that a security failure is involved. "The companies did everything they could against such an attacker," he says. "But if a foreign country wants to conduct surveillance, it can do so in the blink of an eye, and you will never know about it. The only way to prevent it is to use nothing cellular." Asked by "Globes" whether Israel has anything to worry about, he answered, "Israel has a sophisticated cyber setup with deep knowledge. In other countries we were in contact with, it isn't like that."
Cybereason was founded in 2012 by Div, CTO Yonatan Striem-Amit, and chief visionary officer Yossi Naar. The company has raised $190 million to date, and has over 400 customers, including Lockheed Martin, which also invest in Cybereason; Motorola, British airline Flybe; and the medical centers of RTI Surgical. Japanese investment fund Softbank joined the investors in Cybereason in October 2015 with an initial investment of $60 million, followed by an additional $100 million as part of a financing round in June 2017. Cybereason currently has 500 employees, half of whom are development personnel working in the company's development center in Tel Aviv.
Published by Globes, Israel business news - en.globes.co.il - on June 25, 2019
© Copyright of Globes Publisher Itonut (1983) Ltd. 2019