We reported a week ago that a US/Israeli company, Cybereason, believed an organisation “backed by an unnamed nation” had been “stealing customer data and call data records (CDRs)” from operators worldwide. Cybereason said the project was called Operation Soft Cell and, according to its website, “Operation Soft Cell has been active since at least 2012”.
Other news outlets carried similar stories. All of us had been offered interviews with senior executives of Cybereason, on the condition that nothing was published before the morning of Tuesday 25 June. Our interview, conducted on Monday afternoon, was with Mor Levi, the company’s VP of security.
Levi told us in that interview that the alleged – but unnamed – culprit behind Operation Soft Cell is backed by a nation state, and she pointed to similarities to the so-called APT10 [advanced persistent threat] attacks which have been linked to the government of China. However, Levi was unwilling to point her finger at China: “A lot of these tools were leaked a few years ago.”
There’s an intriguing difference between her comments to Capacity and the reports by other publications. The Wall Street Journal’s report began: “Hackers believed to be backed by China’s government …” The Reuters news agency, in a report picked up by news media worldwide, identified “links to previous Chinese cyber-espionage campaigns” but was careful not to blame the Chinese state – though people using Twitter to link to the reports were not so careful.
Reuters also quoted a denial from China’s foreign ministry: “We would never allow anyone to engage in such activities on Chinese soil or using Chinese infrastructure.”
Fox News showed no caution. “Chinese likely behind worldwide attacks on telecommunications providers,” it said in the headline to its report, which began: “Recent attacks on telecommunications providers have raised ire around the globe, including questioning who is behind them.”
Capacity, though, has found no such signs of “ire around the globe”; neither has there been any sign of “questioning who is behind them” – at least, until after last week’s report appeared.
After we published our report online, Capacity sent a link to more than a dozen significant operators worldwide, including Deutsche Telekom, Orange, Telstra and Vodafone – to the headquarters of the groups, not national branches – as well as to the GSMA, which represents virtually all operators in the world.
We offered all of them the chance to comment with or without attribution. Some said they didn’t want to have their names used.
But no one knew anything about any attacks claimed in the Cybereason report, though Levi told us Cybereason had informed companies, whether they were its clients or not.
One company phoned to say “there have been no attacks on us”, though it confirmed it had heard of Cybereason. The company added by email later: “Given that we are not affected, we don’t consider it appropriate to comment on the matter.”
Another company said: “We are aware of the report by Cybereason, and to our knowledge [company name withheld] is not one of the companies the report refers to. Regardless, we take the information in it very seriously and are investigating and coordinating with vendors and industry peers.”
A1, formerly the Telekom Austria group, with operations across central and eastern Europe, said: “Our experts are not aware of any evidence that indicates that we are affected.”
Another company said, with some sarcasm: “Have you been able to find someone who has actually been helped by Cybereason?”
BT, which owns UK mobile operator EE, said: “We are aware of today’s reports of hackers targeting global telecoms providers. We’re actively investigating this issue across our estate, but have seen no evidence to suggest that BT has been compromised through these attacks.”
From Bonn, we received this: “Deutsche Telekom [has] had no contact with the American security company Cybereason in the past 12 months and is not the subject of the current report of this company.”
We received, from the London group headquarters of one of the biggest global mobile operators, this: “Cybereason has not been in contact with Vodafone regarding this report. More generally, cyber threats are constantly evolving and a key focus for our security teams. Security is our highest priority and Vodafone has an international team of cyber security professionals who continually monitor, protect and defend our networks.”
“Nothing here,” said the CTO of a North American mobile operator – though we weren’t surprised, as Cybereason said it had found no evidence from any company in North or South America (Levi couldn’t give any reason for this geographical absence).
But, consistently, across the replies, the answers were remarkably similar: “We haven’t been affected.” These weren’t random companies, but some of the biggest in the world.
And the other consistent factor was that the operators we contacted had not heard of Cybereason until the day that its report received so much coverage. No one said Cybereason had been in touch in advance – and this is at variance with what Levi told us last week.
One large operator, asking Capacity not to use their name, said: “Since yesterday [the day of the reports] we have had increased contact with the sales staff of Cybereason.” Those salespeople said “we – thank God – are not affected”, before “starting their sales talk in the next breath”.
But the salespeople wanted “to meet with all telcos” in the operator’s home country and with the national government’s institution for information security in that country.
Capacity did contact the institution for information security in our home country, the National Cyber Security Centre (NCSC), an offshoot of one of the UK’s intelligence agencies.
We got the following reply, attributed to a spokesperson for the NCSC: “APT10 is a threat actor acting on behalf of the Chinese Ministry of State Security who are known to have been active since at least 2009.
“In 2017 its targeting of several global managed service providers [MSPs], giving it extensive access to the networks of organisations worldwide, was widely reported by the NCSC and industry partners.
“When that attribution was made in December 2018, the NCSC confirmed being aware of malicious activity affecting UK organisations across a broad range of sectors, likely conducted by APT10. This activity will almost certainly have been facilitated by the group’s targeting of MSPs, as well as other outsourcing providers.”
There was, note, no specific reference to mobile telecoms operators in that statement.
We turned to the GSMA, which represents more than 750 mobile operators worldwide, from Afghan Telecom to Zimbabwe’s Telecel. “We’re monitoring the situation closely, but we are not issuing any public statement at this stage,” we were told.
Is the GSMA aware of Cybereason? “We are now,” was the reply, apparently confirming that even this vast organisation hadn’t had any previous exposure to the authors of this report about “a global operation” against mobile operators.
Where else could Capacity turn? The Information Commissioner’s Office (ICO) is the guardian in the UK of the General Data Protection Regulation (GDPR), which came into force in May 2018 across all 28 members of the European Union (EU). And, yes, the UK is still a member of the EU, until at least the end of October 2019. Even if the UK were to leave, its enactment of GDPR is as strong as the other 27 countries’ laws.
The law across the EU says that any company that becomes aware of a data breach has to disclose it to its national data protection office within 72 hours – not three working days, and there is no allowance for weekends or public holidays.
The fine for any company failing to report a breach is up to €10 million or 2% of group turnover, or – if it’s a more serious incident – twice that.
So we asked the ICO in the UK if it had received any reports from UK mobile operators – BT’s EE, Telefónica’s O2, Three or Vodafone – of any such illegal access to CDRs, as reported by Cybereason? And did it know of any such breach in any other EU country, from its opposite numbers or from other sources?
But the ICO was clear. It knew of no reports from operators of illegal access to CDRs.
So what are we to make of it all? Millions of people across the world – in the telecoms industry and outside it – have heard of Cybereason now, where they hadn’t heard of the company last week. But no one, absolutely no one, that Capacity contacted since the report appeared could point to any instance of any attack.
Maybe whoever is behind APT10 has been focusing on small operators, recognising that bigger telcos are better protected. But that wasn’t made clear last week.
After talking to so many people across the industry, we approached Levi again and, separately, Cybereason’s PR contractor, London-based Eskenzi PR, which organised last week’s phone briefing, with a request for clarification. In her brief reply, Levi also directed us to Eskenzi PR.
Eskenzi offered this quote from Lior Div, CEO and co-founder of Cybereason: “Operation Soft Cell is an open investigation today. To date there are no indications that cellular providers in the UK have been breached. However, this is an ongoing investigation and we are gathering a lot of information and data regularly. This is a massive scale breach and all of the impacted cellular providers were notified by us about our findings. In the past 10 days we have briefed the 75 largest telecommunications providers in the world on our investigation.”
If indeed “all of the impacted cellular providers were notified”, we didn’t come across any of them. We asked to be put in touch with an operator that had been targeted, so we could ask about it, though we promised not to reveal the operator’s identity.
Div ignored this request in his reply, forwarded via Eskenzi PR. So we still don’t know. If you have been affected, please get in touch – alan.burkitt@capacitymedia.com
Cybereason has a YouTube interview with members of the team.