China wants your phone records.(Okay, China wants everything). Cybereason’s researchers uncovered an advanced, persistent attack targeting telecommunications providers over the course of several years, since at least 2012. The collected data can be presumed to be a part of the greater cyber espionage collection effort to facilitate future operations against China’s adversaries.

According to Cybereason, once they discovered the attack, they worked together with telecommunications providers to neutralize the threat. Pretty straightforward. Except, the Chinese were, in a word, persistent.

Cybereason ended up battling through four waves of attacks over the ensuing six months. While they were successful at battling back the attacks, there is no doubt information was compromised prior to the neutralization of the threat, given the longevity of the Chinese effort.

The Cybereason report, dubbed, “Operation Soft Cell” noted that the Chinese were in it for the long haul, as they created “rogue, high-privileged domain user accounts.” Once they were in, they took steps to ensure they stayed in for as long as possible.

what china was after

Once in, the following capabilities were put in place to facilitate the theft of data.

  • Screenshot grabber
  • Credential Stealer
  • File manager with upload and download
  • Keylogging and surveillance
  • Registry editor
  • Process monitor
  • Interactive shell

how the chinese exfiltrated data

Once the data they were seeking was identified and acquired, the Chinese needed to exfiltrate the data from the targeted infrastructure. To that end, they staged the data into unique, multi-part archives, which they then compressed and password protected.

Then these unique files (not in the archive of the infosec team) would be exfiltrated. In radio communications, frequency hopping is a technique used to avoid jamming and monitoring. The Chinese used the cyber equivalent, which bounced the exfiltration connection between ports and connections on different networks.

What was stolen

  • Source, destination and duration of a call
    • This permits the collation of inter-personal or -organizational connections
  • Device details
    • Identification of the devices being used
  • Physical location data
    • Geographic location, useful for collating travel patterns
  • Device vendor and version
    • Identification of service provider and version of operating systems provides reference points for future individualized attacks.

Another piece of China’s targeting pie

What this means for Facility Security Officers is that you and your cleared personnel may be within the corpus of data being created by the Chinese in the call data record collection. As noted above, this may provide the means to locate your traveling executives, your intra-organizational relationships and your interaction within your classified engagement. It is yet another piece of the Chinese targeting mosaic. 

An internal review on the depth of knowledge which could be acquired by tracking your cleared population’s locations and call data records may provide insight into the risk at hand.

Related News

Christopher Burgess (@burgessct) is an author and speaker on the topic of security strategy. Christopher, served 30+ years within the Central Intelligence Agency. He lived and worked in South Asia, Southeast Asia, the Middle East, Central Europe, and Latin America. Upon his retirement, the CIA awarded him the Career Distinguished Intelligence Medal, the highest level of career recognition. Christopher co-authored the book, “Secrets Stolen, Fortunes Lost, Preventing Intellectual Property Theft and Economic Espionage in the 21st Century” (Syngress, March 2008). He is the founder of