Cyber-attacks are continuously growing in size and breadth, targeting organizations of all sizes across sectors, and the telecoms sector is no exception. According to PwC’s Global State of Information Security, 2016, IT security incidents in the telecoms sector increased 45% in 2015 compared to the year before. Telecoms providers need to arm themselves against this growing risk.
Telecoms companies, their core infrastructure and the large volumes of personal data they hold on subscribers, all represent an obvious target for malicious actors. Compared to other industries, telecoms companies are expected to be tech-savvy and often have a large consumer-facing footprint. This creates heightened reputational risks.
The telecommunications industry keeps the world connected. Telecoms providers build, operate and manage the complex network infrastructures used for voice and data transmission – and they communicate and store vast amounts of sensitive data. This makes them a top target for cyber-attack.
Telecommunications is critical infrastructure and needs to be protected accordingly. The threat landscape shows that vulnerabilities exist on many levels: hardware, software and human, and that attacks can come from many directions. Telecoms providers need to regard security as a process, one that encompasses threat prediction, prevention, detection, response and investigation.
Telecommunications providers are under fire from two sides: they face direct attacks from cybercriminals intent on breaching their organization and network operations, and indirect attacks from those in pursuit of their subscribers.
Telecom providers will also have to deal with threats from IoT-enabled devices as they roll out 5G, which will bring a surge in data usage. Cloud is vulnerable too: although cloud computing has been in use for more than a decade, many enterprises have given little thought to how they will ensure their cloud deployments are secure.
The likelihood of cyber-attacks aimed at telecommunications satellites is also increasing as cybercriminals become bolder and better equipped. A successful attack on a telecommunications satellite could lead to scenarios such as massive disruption of communications, espionage, jamming, or even commandeering a satellite and steering it into a collision, to name a few. According to the Union of Concerned Scientists (UCS), there are 1,459 operating satellites in orbit, more than half of which are communications satellites. Of this number, around 38% operate for commercial communications and another 16% for government communications.
There are also supply chain risks. In August 2018 Australia made the call to block the Chinese telecom giants from supplying equipment to the nascent Australian 5G network. Mike Burgess, the director-general of the Australian Signals Directorate, said that the ban on Chinese telecom firms like Huawei Technologies and ZTE was in Australia’s national interest and would protect the country’s critical infrastructure.
Threats Directed at Telecoms Companies
The most damaging attacks on a major mobile network operator target its core network. These include DDoS attacks, targeted attacks (APT campaigns), network device vulnerabilities and human-related threats such as insider access, social engineering and the risk created by allowing third parties to access information. Many mobile network operators are not properly prepared for such attacks, and the core of 3G and 4G networks is generally not well protected.
DDoS (distributed denial of service) attacks remain a serious threat to telecoms providers around the world as attackers discover ever more ways of boosting the power and scale of attacks.
Kaspersky Lab’s DDoS intelligence report for Q2, 2016 notes that websites in 70 countries were targeted with attacks. By far the most affected country was China, with South Korea and the US also among the leaders. 70.2% of all detected attacks were launched from Linux botnets, with cybercriminals paying close attention to financial institutions working with cryptocurrency. Another trend observed in Q2 was the use of vulnerable IoT devices in botnets to launch DDoS attacks.
Direct attacks can reduce network capacity, degrade performance, increase traffic exchange costs, disrupt service availability and even bring down Internet access if ISPs are affected. With a growing number of connected devices and systems supporting mission-critical applications in areas such as healthcare and transport, unexpected downtime could be life threatening. Further, DDoS attacks can be a cover for a deeper, more damaging secondary attack, or a route into a key enterprise subscriber or large-scale ransomware attack.
Advanced, international APT groups and nation-state attackers have a powerful interest in obtaining access to the inner networks of telecommunications companies. A compromised network device is harder for security tooling to detect than a compromised server or workstation, and it offers more ways to control and observe internal operations than simple server/workstation infiltration does.
The Regin APT campaign, discovered in 2014, remains one of the most sophisticated ever seen and has the ability to infiltrate GSM networks, while the Turla group has developed the ability to hijack satellite-based Internet links as part of its command-and-control process, successfully obscuring its actual location. In many cases, attackers are exploiting new or under-protected vulnerabilities.
Internet routers – both routers used in the backbone of the Internet and end user (consumer) routers – have also been targets of cyber-attacks. Backbone routers process the data of multiple organisations simultaneously; in targeting these routers the hackers hope to compromise many organisations at once.
SYNful Knock, the Cisco IOS router implant reported in 2015, is a modified device firmware image with backdoor access that replaces the original operating system. Installing it requires the attacker to have already obtained privileged access to the device or to be able to connect to it physically, so it is as much a credential-hygiene and image-integrity problem as a malware problem: administrators should verify that the running image matches the vendor-published hash and treat valid-credential logins from unexpected sources as incidents.
In many cases, the hardware used by the telecommunications industry carries configuration interfaces that can be accessed openly via HTTP, SSH, FTP or telnet. This means that if the firewall is not configured correctly, the hardware in question becomes an easy target for unauthorized access. GTP (GPRS Tunneling Protocol) ports that are reachable from the public Internet rather than only from GRX (GPRS Roaming Exchange) partners are a good example of this kind of exposure.
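The exposure described above can be caught before an attacker does by auditing the firewall policy in front of the equipment. The following is an added example written for this page, not code from the article or from any vendor: it checks a simple, constructed rule format for management services (FTP, SSH, telnet, HTTP) and GTP ports (the standard GTP-C 2123/udp, GTP-U 2152/udp and GTP' 3386/udp) that are allowed from sources outside an assumed management network or GRX peer list, and additionally flags cleartext management protocols even when the source is trusted. The rule syntax, trusted prefixes and sample policy are all constructed for the example.

```python
"""Added example (not from the article): audit a firewall policy protecting
telecom equipment for exposed management and GTP interfaces.

Assumptions: the one-rule-per-line format "<allow|deny> <proto> <src-cidr> <dport>",
the trusted prefixes below and the sample policy are constructed.  GTP port
numbers are the standard ones; everything else is illustrative.
"""
import ipaddress

MGMT_PORTS = {("tcp", 21): "ftp", ("tcp", 22): "ssh", ("tcp", 23): "telnet", ("tcp", 80): "http"}
CLEARTEXT = {"ftp", "telnet", "http"}
GTP_PORTS = {("udp", 2123): "gtp-c", ("udp", 2152): "gtp-u", ("udp", 3386): "gtp-prime"}

# Constructed trust zones: NOC/jump-host range and the GRX/IPX peer ranges.
MGMT_NETS = [ipaddress.ip_network("10.10.0.0/16")]
GRX_PEERS = [ipaddress.ip_network("203.0.113.0/24"), ipaddress.ip_network("198.51.100.0/24")]


def parse_rules(text):
    """Return a list of (action, proto, src_network, dport|None), skipping comments."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        action, proto, src, dport = line.split()
        rules.append((action, proto.lower(), ipaddress.ip_network(src, strict=False),
                      None if dport == "any" else int(dport)))
    return rules


def covered(src, trusted):
    """True if every address in src lies inside one of the trusted networks."""
    return any(src.version == t.version and src.subnet_of(t) for t in trusted)


def audit(rules):
    """Return (rule_no, severity, message) findings for risky allow rules."""
    findings = []
    for n, (action, proto, src, dport) in enumerate(rules, 1):
        if action != "allow":
            continue
        key = (proto, dport)
        if key in MGMT_PORTS:
            svc = MGMT_PORTS[key]
            if not covered(src, MGMT_NETS):
                findings.append((n, "high", f"{svc} reachable from {src}; restrict to management nets"))
            elif svc in CLEARTEXT:
                findings.append((n, "medium", f"{svc} is cleartext even from trusted {src}; use ssh/https"))
        elif key in GTP_PORTS:
            if not covered(src, GRX_PEERS):
                findings.append((n, "high", f"{GTP_PORTS[key]} reachable from {src}; restrict to GRX peers"))
        elif dport is None and src.prefixlen == 0:
            findings.append((n, "high", f"{proto} any-port allow from {src}"))
    return findings


# Constructed sample policy: two clean rules, three exposures, one cleartext warning.
SAMPLE_POLICY = """
allow tcp 10.10.0.0/16 22        # ssh from the NOC: fine
allow tcp 0.0.0.0/0 23           # telnet from the Internet
allow tcp 10.10.5.0/24 80        # http from the NOC: trusted source, but cleartext
allow udp 203.0.113.0/24 2123    # GTP-C from a GRX peer: fine
allow udp 0.0.0.0/0 2152         # GTP-U from anywhere
allow tcp 0.0.0.0/0 443          # not a management or GTP port: no finding
deny any 0.0.0.0/0 any
"""


def audit_sample():
    return audit(parse_rules(SAMPLE_POLICY))


if __name__ == "__main__":
    for rule_no, severity, message in audit_sample():
        print(f"rule {rule_no}: [{severity}] {message}")
```

Run against a real policy the same logic applies, only the trusted prefix lists change; the point is that "who may reach this port" is a question the policy must answer explicitly, and that cleartext management protocols deserve a finding even when the source is trusted.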
Old international signaling standards
Telecoms companies face particular cyber security concerns as a result of their interconnected nature and their reliance on international standards. For example, mobile telecommunications providers rely on the Signalling System 7 (SS7) protocol, the standard by which telecoms companies interoperate globally to facilitate roaming and the delivery of calls and texts. Attacks that exploit such protocols present a unique challenge: because SS7 and BGP are defined by international standards, resolving their vulnerabilities requires international cooperation rather than a fix by any single operator.
SS7 dates back to the 1970s and has been found to contain vulnerabilities that allow calls, texts and handset location to be spied upon by anyone with signaling access who knows only the subscriber’s phone number. It also allows calls, texts and other content to be diverted away from the legitimate subscriber’s handset to an attacker’s. These vulnerabilities have been exploited in Germany by criminals who drained bank accounts by intercepting two-factor authentication SMS messages, which is why SMS should not be relied upon as a second authentication factor for high-value transactions.
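Operators cannot fix SS7 itself, but they can filter what arrives over the interconnect. The following is an added example, not code from the article or from any vendor product, showing the core logic of an interconnect-side signaling filter in the spirit of the three-category approach used by SS7 firewalls: operations that should never arrive from a partner are dropped; operations that are legitimate only from the home HLR of an inbound roamer are checked for a match between the originating Global Title and the subscriber’s IMSI; and location updates for the operator’s own roamers are subjected to a velocity check. The MAP operation names are real, but their category membership here, the Global Title prefixes, IMSI prefixes, operator coordinates and the sample traffic are all constructed assumptions for the example.

```python
"""Added example (not from the article): an interconnect-side SS7/MAP filter.

Assumptions: category membership of the MAP operations, the GT/IMSI prefix
tables, operator coordinates and the traffic in demo() are constructed.
"""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

HOME = "home-op"  # the operator whose interconnect this filter protects

# Illustrative categories.  HOME_ONLY: used only inside the home network, so
# never legitimate from a partner.  ROAMER_ONLY: legitimate only when sent by
# the home HLR of an inbound roamer.  LOCATION_UPDATES: legitimate from
# partners for our outbound roamers, but must be plausible.
HOME_ONLY = {"anyTimeInterrogation", "anyTimeModification", "sendIMSI", "sendParameters"}
ROAMER_ONLY = {"provideSubscriberInfo", "insertSubscriberData", "cancelLocation"}
LOCATION_UPDATES = {"updateLocation", "updateGprsLocation"}

# Constructed tables: GT prefix -> operator, IMSI prefix (MCC+MNC) -> operator,
# operator -> rough coordinates used by the velocity check.
GT_OPERATOR = {"4470000": HOME, "4917000": "de-op", "3360000": "fr-op", "1212000": "us-op"}
IMSI_OPERATOR = {"23499": HOME, "26299": "de-op", "20899": "fr-op", "31099": "us-op"}
OPERATOR_COORDS = {HOME: (51.5, -0.1), "de-op": (52.5, 13.4), "fr-op": (48.9, 2.3), "us-op": (40.7, -74.0)}
MAX_SPEED_KMH = 1000.0  # faster than any airliner: treat as implausible


@dataclass(frozen=True)
class MapMessage:
    operation: str   # MAP operation name
    origin_gt: str   # SCCP calling-party Global Title digits
    imsi: str        # subscriber the message concerns
    ts: float        # arrival time in seconds


def lookup(prefix_map, digits):
    """Longest-prefix match of a digit string against a prefix table."""
    for prefix in sorted(prefix_map, key=len, reverse=True):
        if digits.startswith(prefix):
            return prefix_map[prefix]
    return None


def haversine_km(a, b):
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


class Ss7InterconnectFilter:
    def __init__(self):
        self.last_seen = {}  # imsi -> (visited operator, timestamp)

    def decide(self, m: MapMessage) -> str:
        origin = lookup(GT_OPERATOR, m.origin_gt)
        sub_home = lookup(IMSI_OPERATOR, m.imsi)
        if origin is None:
            return "block:unknown-origin"
        if origin == HOME:
            # Nothing legitimately arrives over the interconnect claiming our own GT.
            return "block:spoofed-home-gt"
        if m.operation in HOME_ONLY:
            return "block:home-only"
        if m.operation in ROAMER_ONLY:
            # Must come from the HLR of the subscriber's own (foreign) network.
            return "allow" if sub_home == origin else "block:imsi-origin-mismatch"
        if m.operation in LOCATION_UPDATES:
            if sub_home != HOME:
                return "block:foreign-imsi"  # not our subscriber; not our HLR's business
            return self._velocity_check(m, origin)
        return "allow"

    def _velocity_check(self, m, visited):
        prev = self.last_seen.get(m.imsi)
        self.last_seen[m.imsi] = (visited, m.ts)
        if prev is None or prev[0] == visited:
            return "allow"
        dist = haversine_km(OPERATOR_COORDS[prev[0]], OPERATOR_COORDS[visited])
        hours = (m.ts - prev[1]) / 3600.0
        if hours <= 0 or dist / hours > MAX_SPEED_KMH:
            return "suspicious:velocity"
        return "allow"


def demo():
    """Constructed traffic: one benign roaming message among several hostile ones."""
    f = Ss7InterconnectFilter()
    ours, german = "234990000000001", "262990000000001"
    traffic = [
        MapMessage("anyTimeInterrogation", "4917000111", ours, 0),       # location probe
        MapMessage("provideSubscriberInfo", "4917000111", german, 10),  # German HLR, its own roamer
        MapMessage("provideSubscriberInfo", "4917000111", ours, 20),    # foreign GT asks about our sub
        MapMessage("updateLocation", "3360000222", ours, 1000),         # our roamer registers in FR
        MapMessage("updateLocation", "1212000333", ours, 1000 + 1800),  # "in the US" 30 minutes later
        MapMessage("updateLocation", "4917000111", german, 3000),       # not our subscriber
        MapMessage("sendRoutingInfoForSM", "4470000555", ours, 4000),   # spoofs our own GT
    ]
    return [f.decide(m) for m in traffic]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The velocity check is the part worth copying: an updateLocation that places a subscriber in New York half an hour after Paris is not proof of an attack, but it is exactly the kind of event that location-tracking and call-diversion attacks produce, and a production filter would alert on it and correlate with the subscriber’s billing history rather than silently allow it.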
Known issues with BGP (Border Gateway Protocol), which backbone routers use to control the routing of traffic on the Internet, have been exploited to redirect traffic to bad actors. Because routers accept and propagate routing information received from their peers, a peer that announces prefixes it does not own can draw traffic through itself, enabling man-in-the-middle (MITM) attacks or causing denial of service. Kaspersky recommends that companies apply network filtering so that only a limited number of authorized peers can connect to BGP services, and that routes received from those peers are themselves filtered.
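"Filter what peers may announce" has a concrete shape. The following is an added example written for this page, not code from the article or from any routing software: it validates a received BGP announcement first against a per-peer prefix allowlist and basic path sanity, then performs RPKI-style Route Origin Validation with the Valid / Invalid / NotFound outcomes defined in RFC 6811. The peer ASNs, allowlists and ROAs are constructed documentation-range data.

```python
"""Added example (not from the article): accept/reject logic for BGP UPDATEs
received from an eBGP peer, combining a per-peer prefix allowlist with RPKI
Route Origin Validation (RFC 6811 semantics).

Assumptions: peer ASNs, allowlisted prefixes and ROAs below are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Roa:
    prefix: str
    max_length: int
    origin_as: int


@dataclass(frozen=True)
class Announcement:
    prefix: str
    as_path: tuple  # leftmost = the peer we heard it from, rightmost = origin AS
    peer_as: int


# Constructed: what each customer/peer AS is contractually allowed to announce.
PEER_ALLOWLIST = {64501: ["192.0.2.0/24"], 64502: ["198.51.100.0/22"]}

# Constructed ROAs: the legitimate origin for each prefix, and how specific it may get.
ROAS = [
    Roa("192.0.2.0/24", 24, 64501),
    Roa("198.51.100.0/22", 24, 64502),
    Roa("203.0.113.0/24", 24, 64510),
]


def rov_state(prefix, origin_as, roas=ROAS):
    """RFC 6811: NotFound if no ROA covers the prefix; Valid if a covering ROA
    matches the origin AS and the prefix is no longer than its maxLength; else Invalid."""
    net = ipaddress.ip_network(prefix)
    covering = [r for r in roas
                if ipaddress.ip_network(r.prefix).version == net.version
                and net.subnet_of(ipaddress.ip_network(r.prefix))]
    if not covering:
        return "NotFound"
    if any(r.origin_as == origin_as and net.prefixlen <= r.max_length for r in covering):
        return "Valid"
    return "Invalid"


def evaluate(a: Announcement, roas=ROAS, allowlist=PEER_ALLOWLIST):
    """Return ("accept"|"reject", reason) for one announcement from one peer."""
    net = ipaddress.ip_network(a.prefix)
    if not a.as_path or a.as_path[0] != a.peer_as:
        return "reject", "first AS in AS_PATH is not the peer"
    if net.version == 4 and net.prefixlen > 24:
        return "reject", "more specific than /24"
    allowed = [ipaddress.ip_network(p) for p in allowlist.get(a.peer_as, [])]
    if not any(net.version == p.version and net.subnet_of(p) for p in allowed):
        return "reject", "prefix not in peer allowlist"
    state = rov_state(a.prefix, a.as_path[-1], roas)
    if state == "Invalid":
        return "reject", "RPKI Invalid (origin AS does not match ROA)"
    return "accept", f"RPKI {state}"


def demo():
    """Constructed announcements: one legitimate, one wrong-origin, one hijack, one bad path."""
    cases = [
        Announcement("192.0.2.0/24", (64501,), 64501),           # legitimate, Valid
        Announcement("198.51.100.0/23", (64502,), 64502),        # legitimate more-specific, Valid
        Announcement("203.0.113.0/24", (64501, 64510), 64501),   # peer leaks a prefix it may not carry
        Announcement("198.51.100.0/24", (64502, 64666), 64502),  # allowed range, forged origin
        Announcement("192.0.2.0/24", (64999, 64501), 64501),     # path does not start with the peer
    ]
    return [evaluate(c) for c in cases]


if __name__ == "__main__":
    for verdict, reason in demo():
        print(verdict, "-", reason)
```

The allowlist stops the classic leak (a customer re-announcing someone else’s prefix) even where no ROA exists, and ROV stops the subtler case where the prefix is inside the customer’s own range but the origin AS has been forged; neither check alone covers both.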
Sometimes insiders to the companies in the telecom industry are also lured or blackmailed into perpetrating cybercrime. Insiders from cellular service providers are recruited mainly to provide access to data, while staff working for Internet service providers are chosen to support network mapping and man-in-the-middle attacks.
Compromising subscribers with social engineering, phishing or malware.
Obtaining subscribers’ credentials has become attractive to hackers as consumers and businesses undertake ever more activity online, particularly on mobile. Lower security levels on mobile devices make such attacks even more attractive to criminals. The threats here include malware for mobile devices, subscriber data harvesting and end-user device vulnerabilities, among others.
The number of mobile malware infections is on the rise, as is the sophistication and functionality of the malware. Social engineering and phishing remain popular and continue to evolve and improve, targeting unaware or poorly aware subscribers and telecoms employees alike.
Recent research shows that the cryptography of 3G/4G USIM cards is no longer unbreakable. Successful attacks allow SIM card cloning, call spoofing and the interception of SMS.
USB modems and portable Wi-Fi routers may contain multiple vulnerabilities in their firmware and user interfaces. These include vulnerabilities in the web interfaces designed to help consumers configure their devices, vulnerabilities that result from insufficient authentication, and RCE (remote code execution) vulnerabilities in the various embedded Linux variants these devices run, which can enable firmware modification and even complete remote compromise.
A comprehensive, multi-layered security solution is a key component of a telecoms provider’s defence, but it is not enough on its own. It needs to be complemented by collaboration, employee education and shared intelligence.
Mobile network operators today defend their networks using Gi firewalls and DDoS protection appliances. In addition, telecom companies should adopt cloud-enabled cyber security services, conduct real-time monitoring and make extensive use of threat intelligence.
To protect the organization from misconfiguration and network device vulnerability, Kaspersky Lab recommends that companies pay close attention to vulnerabilities in the network services of telecommunication equipment, establish effective vulnerability and configuration management processes, and regularly perform security assessments, including penetration testing for different types of attackers (a remote intruder, a subscriber, a contractor, etc.).
In 2018 the Network and Information Security Directive (NISD) as well as the General Data Protection Regulation (GDPR) will be implemented in the EU. The NISD, which is due to be implemented by May, will require operators of core “digital infrastructure” and certain “digital service providers” to ensure that their network and information systems meet minimum standards of cyber security.
The National Cyber Security Centre in the UK (which is part of GCHQ) has issued guidance for digital infrastructure providers that is expected to be enforced by Ofcom (the nominated sectoral regulator). NCSC has adopted a principles-based approach to cyber risk. The guidance requires a focus on four high-level objectives: managing risk, protecting against cyber-attacks, detecting attacks and minimising the impact of incidents. It sets out 14 lower-level principles to allow operators to achieve these objectives, with much emphasis placed on managing supply chain risk.
While much of the guidance is drawn from pre-existing industry best practice and existing NCSC advice, digital infrastructure providers will need to ensure and demonstrate that their cyber security practices are compliant by May 2018 or face substantial fines.