Operation Soft Cell - a worldwide campaign against telecommunication providers

Wednesday 2 October 16:00 - 16:30, Green room

Amit Serper (Cybereason)
Mor Levi (Cybereason)
Assaf Dahan (Cybereason)

In 2018, we investigated what seemed to be a single breach in a large telecommunications company. In the process of assessing data from the breach, we began to see signs of a larger attack campaign and identified the attacker as a nation state actor. Over the course of six months and through multiple waves of attacks, we were able to observe the tools and methodologies used by the attacker, recognize what data they were after, and at times watch the attacker operate on the network with admin privileges. We were able to determine that this attack was far more widespread and far reaching than it appeared. By using various techniques such as OSINTing and cross-correlating data from tools dropped by the attacker across multiple threat intel platforms, we discovered that the attack was part of a much larger, broader campaign against telcos.
In this talk we will discuss the tools the attacker used, the techniques used to infiltrate, and how we were able to find campaigns against other companies by the same actor. Attendees will leave this talk knowing more about nation state-backed APTs, attacker TTPs, and our methodology for correlating data and uncovering such campaigns.

 Related links



Amit Serper

Amit leads the security research at Cybereason's Noctornus group in the company's Boston HQ. He specializes in low-level, vulnerability and kernel research, malware analysis and reverse engineering on Windows, Linux and macOS. He also has extensive experience researching, reverse engineering and exploiting IoT devices of various kinds. Prior to joining Cybereason four years ago, Amit spent nine years leading security research projects and teams for an Israeli government intelligence agency, specifically in embedded systems security (or lack thereof).




Mor Levi

Mor Levi has more than eight years of experience in cyber investigations, incident response, and SIEM/SOC management. She began her career as a team leader in the Israeli Defense Force security operation centre. Later, she led an incident response and forensics team at one of the big four accounting firms providing services to global organizations.



Assaf Dahan

Assaf has over 15 years in the infosec industry. He started his career in the Israeli Military 8200 Cybersecurity unit where he developed extensive experience in offensive security. Later in his career he led Red Teams, developed penetration testing methodologies, and specialized in malware analysis and reverse engineering.

   Download slides    Read paper

Back to VB2019 Programme page

Other VB2019 papers

Finding drive-by rookies using an automated active observation platform

Rintaro Koike (NTT Security)
Yosuke Chubachi (Active Defense Institute, Ltd / nao_sec)

Spoofing in the reeds with Rietspoof

Jan Sirmer (Avast Software)
Luigino Camastra (Avast software)
Adolf Středa (Avast software)

The art of the cashout: the evolution of attacks on payment systems

Saher Naumaan (BAE Systems Applied Intelligence)
Irving Méreau (SWIFT)

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.