Shifting from being a necessity to a lifeline, the telecommunications industry is now part of the beating heart for nationwide communications as the world navigates times of disruption and uncertainty. Unfortunately, this makes it a key target for cybercriminals wishing to profit from the information held by an array of businesses. Whether it be through financially driven criminal activity or high-powered state-sponsored attacks, the information being targeted has the potential to bring companies to their knees.
Over the last 8 months, 23 telecoms providers have been victims of attempted hacks by the group Mustang Panda, whose aim is to steal sensitive data from compromised victims. Telecoms, by its very nature, is a gateway to a wide range of businesses and consumers, all of which are vulnerable to repercussions from a successful cyber attack – even if their own security is up to scratch. Looking beyond the financial gain, a successful attack could threaten businesses’ external internet traffic and damage customer relationships.
The channels being used to gain access
One of the primary methods used by cyber threat actors when targeting telecoms is SIM swapping – reassigning the phone number associated with a victim’s SIM to a SIM card in the attacker’s phone. This gives them access to the victim’s traffic, including the valuable two-factor authentication tokens that individuals receive in the form of text messages. Two-factor authentication processes are used to protect highly sensitive information, including online banking and email accounts; however, this isn’t the only data at risk. Access to these tokens can also give criminals access to almost any other third party that uses SMS-based two-factor authentication. Insider threats are a key route by which criminals conduct SIM swapping attacks: malicious employees who abuse their access to sensitive company systems can directly reassign phone numbers to the attacker’s SIM card, after which all SMS-based two-factor authentication codes are sent to the attacker rather than the victim.
Web shells and Remote Desktop Protocol (RDP) access are also common ways for criminals to acquire and resell unauthorised network access to telecoms providers. For example, in October 2020, research uncovered that a user with the handle “true-knight” offered to sell RDP access to the network of a US telecommunications provider for 0.5 bitcoins, the equivalent of approximately $6,500 at the time.
Collecting and exploiting personally identifiable information
Whilst financial data is a popular target, criminals can use personally identifiable information (PII) for a range of fraudulent purposes. Attackers are interested in acquiring sensitive data points relating to identity, including dates of birth and social security numbers. Once criminals have gained access to VPNs and other services, personal information can be sold in criminal forums to be exploited in fraud and targeted cyber attacks.
For example, research into criminal forums in December 2020 uncovered the activity of a user with the handle “x_04x”, who was auctioning off administrative and VPN access to a telecoms provider operating in Jordan and Saudi Arabia. The VPN access would also enable further entry to other remote services, such as SSH, FTP and Citrix. With a starting bid price of $2,000 and a ‘buy now’ price of $3,000, the monetary gain is evident.
Gaining access to personal contact details and credentials is often just the first step. Attackers can also contact victims via their now-exposed phone numbers or email addresses and use those other PII details to give themselves credibility as fake customer service representatives.
Upscaling to a national motivation
In contrast to independent cyber criminals, state-sponsored threat actors often seek access to telecommunications service providers in order to collect signals intelligence (SIGINT) on their customers, in the form of phone and internet traffic. If a foreign intelligence agency wishes to listen in on phone calls or gain access to the text messages of a particular person of interest, telecoms become the ideal gateway to the relevant information.
Using the acquired information, these groups can either monitor ongoing communications between people of interest, target victims through social engineering attacks to install malware on their devices or contact targets directly for potential recruitment as human intelligence (HUMINT) sources. Government intelligence agencies can also absorb bulk PII into searchable databases for future queries for a variety of purposes, such as background checks and screenings of visa applicants and foreign travellers.
The headline-hitting SolarWinds supply chain breaches, uncovered in December 2020, raised the prospect of widespread compromises within the US telecoms industry, as all of the top 10 US telecommunications providers were SolarWinds customers. The National Telecommunications and Information Administration, which is part of the US Department of Commerce, was one of the federal government victims of this supply chain attack. Its compromise could imply a more specific interest in targeting the US telecommunications industry.
Remove the opportunity, alleviate the risk
For individual businesses and employees, one of the best defences against SIM swapping attempts is to use a mobile authenticator app. These apps generate the two-factor authentication token locally on the phone, from a secret shared only with the service being logged into, and thereby remove the dependence on the mobile network operator, whose SMS channel is the part exposed to a SIM swap. Other precautions, such as end-to-end encryption, can mitigate the risks of exposure to state-sponsored SIGINT collection via compromised internet service providers.
Insider threat programmes are a crucial way of monitoring for, and stopping, malicious insiders. Companies should implement strategies to identify weaknesses that could jeopardise the security of sensitive information. By minimising the access granted to sensitive data stores, and monitoring how that access is used, businesses can both prevent and detect insider attacks.
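As an added illustration of the monitoring side of an insider threat programme (not code from the article), the following flags SIM reassignments of the kind described above that lack a support ticket, happen outside business hours, or come from one operator in unusual volume. The audit-log format and all events are constructed for the example and do not correspond to any real system.

```python
from collections import Counter
from datetime import datetime

# Constructed sample audit lines from a hypothetical subscriber-management system.
SAMPLE_AUDIT_LOG = """\
2021-02-03T09:14:05Z op=alice action=sim_change msisdn=+447700900001 ticket=T-1001
2021-02-03T09:40:12Z op=alice action=address_update msisdn=+447700900002 ticket=T-1002
2021-02-03T10:02:44Z op=bob action=sim_change msisdn=+447700900003 ticket=T-1003
2021-02-03T02:11:09Z op=carol action=sim_change msisdn=+447700900004 ticket=-
2021-02-03T02:12:31Z op=carol action=sim_change msisdn=+447700900005 ticket=-
2021-02-03T02:13:58Z op=carol action=sim_change msisdn=+447700900006 ticket=-
2021-02-03T02:15:20Z op=carol action=sim_change msisdn=+447700900007 ticket=T-1004
"""


def parse_line(line: str) -> dict:
    """Split 'timestamp key=value ...' into a dict with a parsed datetime under 'ts'."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect_suspicious_sim_changes(log_text: str, max_per_operator_per_day: int = 2,
                                  business_hours: tuple = (8, 18)) -> list:
    """Return (rule, operator, detail) findings for SIM changes worth an analyst's attention."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    sim_changes = [e for e in events if e.get("action") == "sim_change"]
    findings = []
    for e in sim_changes:
        # Rule 1: no ticket means no recorded customer request behind the change.
        if e.get("ticket", "-") in ("", "-"):
            findings.append(("no_ticket", e["op"], e["msisdn"]))
        # Rule 2: changes made outside normal working hours.
        if not business_hours[0] <= e["ts"].hour < business_hours[1]:
            findings.append(("out_of_hours", e["op"], e["msisdn"]))
    # Rule 3: one operator reassigning more numbers per day than the threshold.
    per_day = Counter((e["op"], e["ts"].date()) for e in sim_changes)
    for (op, day), n in per_day.items():
        if n > max_per_operator_per_day:
            findings.append(("volume", op, f"{n} SIM changes on {day}"))
    return findings


if __name__ == "__main__":
    for finding in detect_suspicious_sim_changes(SAMPLE_AUDIT_LOG):
        print(finding)
```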
There are also many precautions that telecoms organisations can take to protect both their own sensitive information and that of their customers. Alongside advanced threat detection, companies should prioritise threat intelligence coverage of state-sponsored cyber espionage, since the attacks of foreign intelligence services are more challenging for security teams to detect.
On top of internal preparations, external threat intelligence can also help security teams identify and validate emerging cyber threats targeting their organisations before they evolve into attacks. This proactive threat detection enables teams to react faster to threats and take measures necessary to ensure the security of their organisation’s network and digital assets.
Ongoing monitoring of underground forums is one way that telecoms can detect potential threats early, as criminals quite often mention companies by name. This allows providers to investigate and uncover insider threats before any harmful action can be taken. Telecoms providers can benefit from a comprehensive external threat intelligence solution, equipping them with the necessary tools to face the wave of rapidly evolving cyber attacks that threaten their employees, end users, partners, and overall reputation.
Telecommunications is not an industry that can afford to take cybersecurity lightly. With the responsibility of protecting not only their own data but that of their customers, organisations must show dedication towards the deployment of necessary protections as they continue to face persistent threats.