Operation Soft Cell: The Cybersecurity Threat Targeting Telco and Critical Infrastructure Companies
What to know about one of the more serious threats discovered in the last few years.
What is Operation Soft Cell?
While it may sound like the answer to an ‘80s trivia question, Soft Cell in the context of cybersecurity is a much more serious matter.
Operation Soft Cell is an advanced, ongoing cyber threat that has targeted telecommunication providers since at least 2017. There are indications it may have been active as early as 2012.
Yet Soft Cell wasn’t discovered until 2018, when researchers on Cybereason’s Nocturnus team first observed, identified and made public the largest nation state attack on the telco industry exposed to date.
For a deep dive into their research and methodology, check out Cybereason’s article on the subject. For a primer with the experts, listen to my discussion with Cybereason’s Israel Barak and Maor Franco on WWT’s TEC17 podcast.
Why is Soft Cell important?
Operation Soft Cell is significant because the threat actor, very likely sponsored by the Chinese government, gained and maintained deep access to the networks of at least a dozen global telco providers over multiple years.
Once networks were compromised, attackers surveilled the sensitive call detail records (CDR) of mobile phone users — perhaps more than a billion — in hopes of stealing valuable Active Directory data such as usernames and passwords, along with other personally identifiable information like billing data, credentials, email servers and user location. They also gathered information about critical industry architecture and infrastructure.
Exposing this attack was incredibly important because it gave the world a glimpse into the tactics bad actors might use to operate against critical infrastructure providers. These targeted attacks came in persistent waves with detected threads abandoned one day only to be revisited months later with new tools and techniques.
Understanding the modus operandi of such attacks enables companies like WWT and Cybereason to develop defensive countermeasures and mitigation strategies.
Are you vulnerable?
You’re probably asking how to tell if you’re vulnerable to Operation Soft Cell or attacks like it.
As workforces continue to become more mobile and networks more dispersed, traditional enterprise network perimeters have disappeared. On top of sophisticated attacks like Soft Cell, today’s companies face growing attack surfaces from the proliferation of endpoint devices, explosive data growth and a pervasive lack of integration between security solutions.
Unfortunately, persistent, opportunistic attacks like Soft Cell should worry any organization that stores valuable data in ones and zeros. This sort of attack can affect every industry, vertical and company size. In fact, Cybereason’s research into Soft Cell’s origins has produced evidence that the attackers have very likely targeted different types of critical infrastructure companies, including energy, transportation, financial and healthcare enterprises.
To understand how vulnerable you may be, let’s take a step back and revisit a few basic but important questions:
- Do you know what’s on your network?
- Do you know what it’s doing?
- Do you know if it should be doing that?
Unless you have the security strategy, architecture and maturity in place to confidently answer these questions, your business likely has some level of vulnerability to an attack like Operation Soft Cell.
How WWT and Cybereason can help
WWT and Cybereason have formed a partnership to drive our customers’ desired business outcomes through holistic, long-term security solution development that can systematically mature your security posture, architecture and IT hygiene.
The focus of our partnership is simple: to offer customers security solutions that enhance pre-breach detection, endpoint security, visibility and the ability to quickly respond when a security event occurs.
Cybereason, creators of the leading Cyber Defense Platform, gives the advantage back to you — the defender — through a new approach to cybersecurity. They offer endpoint detection and response (EDR), plus next-gen antivirus and active monitoring services, powered by their cross-machine correlation engine and proprietary AI hunting engine. Cybereason’s suite of products provides unmatched visibility, increases analyst efficiency and effectiveness, and reduces security risk.
That’s why WWT created a Cybereason Lab within our Advanced Technology Center (ATC). Customers can use this unique sandbox environment to evaluate and demo Cybereason security solutions across a wide variety of endpoints, architectures and custom environments.
WWT also offers a Cyber Posture Assessment, powered by Cybereason, to give you actionable intelligence about your existing security operations coupled with an in-depth assessment of your overall breach readiness.
Parting advice on Soft Cell
To close specific gaps related to Soft Cell vulnerability, WWT and Cybereason encourage you to reach out to discuss how taking the following steps might improve your readiness:
- Adding an additional security layer to your web servers (e.g., using a Web Application Firewall [WAF] to prevent trivial attacks on internet-facing web servers).
- Exposing as few systems or ports to the internet as possible while making sure all exposed web servers and services are patched.
- Using an EDR tool to give visibility and immediate response capabilities when high-severity incidents are detected.
- Proactively hunting for sensitive assets in your environment.
To learn more about whether you’re vulnerable to Operation Soft Cell or attacks like it, reach out to WWT for a Cyber Posture Assessment or an in-depth Cybereason Lab.