The telecommunications industry keeps the world connected. Telecoms providers build, operate and manage the complex network infrastructures used for voice and data transmission – and they communicate and store vast amounts of sensitive data. This makes them a top target for cyber-attack. According to PwC’s Global State of Information Security, 2016, IT security incidents in the telecoms sector increased 45% in 2015 compared to the year before. Telecoms providers need to arm themselves against this growing risk.
Telecommunications providers are under fire from two sides: they face direct attacks from cybercriminals intent on breaching their organization and network operations, and indirect attacks from those in pursuit of their subscribers. The top threats currently targeting each of these frontlines feature many classic attack vectors, but with a new twist in complexity or scale that places new demands on telecoms companies. These threats include:
- Distributed Denial of Service (DDoS) attacks.
DDoS attacks continue to increase in power and scale and, according to the 2016 Data Breach Investigations Report, the telecommunications sector is hit harder than any other. Kaspersky Lab’s research reveals that in Q2, 2016, the longest DDoS attack lasted for 291 hours (or 12.1 days) – significantly longer than the previous quarter’s maximum (8.2 days), with vulnerable IoT devices increasingly used in botnets. Direct DDoS attacks can reduce network capacity, degrade performance, increase traffic exchange costs, disrupt service availability and even bring down Internet access if ISPs are hit. They can be a cover for a deeper, more damaging secondary attack, or a route into a key enterprise subscriber or large-scale ransomware attack.
- The exploitation of vulnerabilities in network and consumer devices.
Intelligence shows that vulnerabilities in network devices, consumer or business femtocells, USBs and routers, as well as root exploits for Android phones, all provide new channels for attacks – involving malware and technologies that individuals, organisations and even basic antivirus solutions cannot always easily remove.
- Compromising subscribers with social engineering, phishing or malware.
These classic techniques remain popular and can easily be mastered by entry-level cybercriminals, although 2016 sees changes in how more sophisticated attackers conduct their campaigns. Growing numbers of cyber-attackers now combine data sets from different sources, including open sources, to build up detailed pictures of potential targets for blackmail and social engineering purposes.
- Insider threat is growing.
Detailed profiles of targets are also used to recruit insiders to help perpetrate cybercrime. Some insiders help voluntarily, others are coerced through blackmail. Insiders from cellular service providers are recruited mainly to provide access to data, while staff working for Internet service providers are chosen to support network mapping and man-in-the-middle attacks.
Other threats facing telecommunications companies include targeted attacks; poorly configured access controls, particularly where interfaces are publicly available to any Internet user; inadequate security for 2G/3G communications; and the risk of telecoms providers being drawn into unrelated attacks that exploit telecoms resources, and suffering collateral damage as a result.
Typical threats targeting telecoms
We can divide the main threats facing the telecommunications industry into two interrelated categories:
- Threats targeting telecommunication companies directly. These include DDoS attacks, targeted attacks (APT campaigns), network device vulnerabilities and human-related threats like insider access, social engineering and the risk of allowing third parties to access information.
- Threats targeting subscribers of telecoms services – particularly the customers of cellular service providers (CSPs) and Internet service providers (ISPs). These include malware for mobile devices, subscriber data harvesting, end-user device vulnerabilities, and more.
The core infrastructure of a telecommunications company is a highly desirable target for cybercriminals, but gaining access is extremely difficult. Breaking into the core requires a deep knowledge of GSM architecture, rarely seen except among the most skilled and well-resourced cybercriminals. Such individuals can generally be found working for advanced, international APT groups and nation-state attackers, entities that have a powerful interest in obtaining access to the inner networks of telecommunication companies. This is because compromised network devices are harder for security systems to detect, and they offer more ways to control internal operations than can be achieved through simple server/workstation infiltration.
Once inside the core infrastructure, attackers can easily intercept calls and data, and control, track and impersonate subscribers.
Unaddressed software vulnerabilities
Despite all the high-profile hacks and embarrassing data leaks of the last 12 months, attackers are still breaching telecoms defenses and making off with vast quantities of valuable personal data. In many cases, attackers are exploiting new or under-protected vulnerabilities. For example, in 2015, two members of the hacker group Linker Squad gained access to Orange Spain through a company website vulnerable to a simple SQL injection, with the aim of stealing customer and employee data.
Vulnerabilities in network devices
Routers and other network devices are also primary targets for attacks against telecommunications companies.
In September 2015, FireEye researchers revealed the router malware “SYNful knock”, a combination of leaked privilege (root) credentials and a way of replacing device firmware that targets Cisco 1841, 2811 and 3825 routers (see Cisco advisory here).
Put simply, SYNful knock is a modified device firmware image with backdoor access that can replace the original operating system if the attacker has managed to obtain privileged access to the device or can physically connect to it.
SYNful is not a pure software vulnerability, but a combination of leaked privileged credentials and a particular way of replacing device firmware. Still, it is a dangerous way of compromising an organization’s IT infrastructure.
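Because a SYNful-knock-style implant is a replaced firmware image rather than an exploited bug, the practical defensive check is to verify every image against the vendor's published hashes before installation and during device audits. The following Python is an added illustration, not code from the report or from Cisco; the manifest layout, the image names and the image bytes are all constructed stand-ins.

```python
import hashlib
import hmac
from typing import Dict

# Constructed "vendor manifest" in the "<sha256>  <filename>" layout that
# sha256sum emits. The digests are of constructed byte strings standing in
# for genuine images; in practice these values come from the vendor's
# signed release notes, never from the device being audited.
GENUINE = {
    "router-os-15.1.bin": b"constructed genuine image 15.1",
    "router-os-15.2.bin": b"constructed genuine image 15.2",
}
MANIFEST = "\n".join(
    f"{hashlib.sha256(data).hexdigest()}  {name}" for name, data in GENUINE.items()
)

def parse_manifest(text: str) -> Dict[str, str]:
    """Map filename -> expected SHA-256 from a sha256sum-style manifest."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        if len(digest) != 64 or not name:
            raise ValueError(f"malformed manifest line: {line!r}")
        expected[name] = digest.lower()
    return expected

def classify_image(name: str, data: bytes, expected: Dict[str, str]) -> str:
    """'ok' if the hash matches; 'modified' if the name is known but the
    hash differs (a replaced image); 'unknown' if the manifest lacks it."""
    want = expected.get(name)
    if want is None:
        return "unknown"
    have = hashlib.sha256(data).hexdigest()
    return "ok" if hmac.compare_digest(have, want) else "modified"

def audit(images: Dict[str, bytes], manifest: str = MANIFEST) -> Dict[str, str]:
    expected = parse_manifest(manifest)
    return {name: classify_image(name, data, expected) for name, data in images.items()}

# Constructed sample: one genuine image, one tampered image that keeps a
# genuine file name, and one image the manifest does not list at all.
SAMPLE_IMAGES = {
    "router-os-15.1.bin": GENUINE["router-os-15.1.bin"],
    "router-os-15.2.bin": GENUINE["router-os-15.2.bin"] + b"\x00appended-stub",
    "router-os-99.9.bin": b"no such release",
}

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_IMAGES).items():
        print(f"{name}: {verdict}")
```

Both "modified" and "unknown" verdicts should block installation and trigger an investigation, since an implant that keeps the genuine file name is exactly the case a name-only check misses.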
Even if you consider your critical systems and devices protected and safe, it is difficult to fully control some attack vectors. People rank at the very top of this list. Their motivations are often hard to predict and anticipate, ranging from a desire for financial gain to disaffection, coercion and simple carelessness.
While insider-assisted attacks are uncommon, the impact of such attacks can be devastating as they provide a direct route to the most valuable information.
Examples of insider attacks in recent years include:
- A rogue telecoms employee leaking 70 million prison inmate calls, many breaching client-attorney privilege.
- An SMS center support engineer who intercepted messages containing OTPs (one-time passwords) for the two-step authentication required to log in to customer accounts at a popular fintech company. The engineer was found to be freely offering his services on a popular DarkNet forum.
For attackers, infiltrating the networks of ISPs and CSPs requires a certain level of experience – and it is often cheaper and easier to stroll across the perimeter with the help of a hired or blackmailed insider. Cybercriminals generally recruit insiders through two approaches: enticing or coercing individual employees with relevant skills, or trawling around underground message boards looking for an appropriate employee or former employee.
Employees of cellular service providers are in demand for fast track access to subscriber and company data or SIM card duplication/illegal reissuing, while staff working for Internet service providers are needed for network mapping and man-in-the-middle attacks.
A particularly promising and successful attack vector for recruiting an insider for malicious intrusion is blackmail.
Data breaches, such as the 2015 Ashley Madison leak, reveal information that attackers can compare with other publicly available information to track down where people work and compromise them accordingly. Very often, these leaked databases contain corporate email addresses, including those of telecommunication companies.
The report covers the main IT security threats facing the telecommunications industry and illustrates these with recent examples. Threat intelligence is now a vital weapon in the fight against cyber-attack and this report will help telecoms providers to better understand the cyber-risk landscape so that they can develop their security strategies accordingly.
You can download the Kaspersky Telecoms Threats Report here.