
APT attack on telcos highlights need for comprehensive defence

A global cyber attack against multiple telecommunications firms underlines the need for a comprehensive approach to cyber defence, say researchers and industry commentators

Security researchers have uncovered a global cyber attack campaign that has compromised more than a dozen telecommunications companies, including mobile network operators, and exfiltrated large amounts of corporate and personal data.

According to researchers at US-Israeli cyber security firm Cybereason, the breach is of massive scale, with a potential impact exceeding hundreds of millions of consumers.

Data stolen from large telecommunications providers has the potential to be valuable to any country, they said, because it can be used to track the physical location of any customer, including foreign intelligence agents, politicians and law enforcement officers.

In 2018, the researchers identified an advanced persistent threat (APT) campaign targeting global telecommunications providers, carried out by a threat actor using tools and techniques commonly associated with the Chinese-affiliated threat actor APT10.

“We’ve concluded with a high level of certainty that the threat actor is affiliated with China and is likely state sponsored,” the researchers said.

These bad actors still own the network today, and have built a virtual private network (VPN) for their convenience, the researchers found.

This multiwave attack, they said, was focused on obtaining data of specific, high-value targets, and resulted in a complete takeover of the network. 

Cybereason claimed the motive of the attackers was one of a military operation, and the individuals being targeted were foreign intelligence agents, politicians, law enforcement officials, opposition candidates in elections and senior business executives.

The threat actors, the researchers said, were able to steal all data stored in the Active Directory of targeted telcos, compromising every single username and password in the organisation, along with other personally identifiable information, billing data, call detail records, credentials, email servers, geolocation of users, and more.

Attackers’ actions alarming

The researchers noted that the threat actors did not shut down the attack, even after their presence was exposed. The attackers simply introduced new tools and techniques to restore access to the data.

This is particularly alarming, the researchers said, because critical infrastructure relies on cellular or mobile communications networks.

The attackers can do whatever they want passively, but they could become active and shut the networks down, the researchers warned in a blog post.

Javvad Malik, security awareness advocate at KnowBe4, said that when it came to state-sponsored cyber espionage, many companies were not in a position to identify the threat and defend themselves.

“One of the main reasons for this is the overall outlook to risk. We see that many times, attackers won’t go after their target companies directly, rather they will try to target companies in the supply chain, which are less likely to think they have anything of importance to attackers,” he said.


“What we also find is that these kinds of sustained attacks are rarely done on one front, rather they rely on multiple attack avenues and techniques that cover technical, physical and human attacks. Therefore, companies should look to invest in defences across all avenues.

“This would include having comprehensive threat protection, detection and response capabilities – and equally investing in raising awareness and training staff so as to not fall victim to phishing or social media attacks,” he added.

Ilia Kolochenko, founder and CEO of web security company ImmuniWeb, said many large telcos struggled to maintain a decent level of cyber security due to tough competition and limited budgets, as well as the continuous increase of new hardware and infrastructure in their premises.

“Consequently, some don’t even have any form of up-to-date asset inventory, privilege segregation or internal security monitoring,” he said.

Given the volume of valuable data of their clients, Kolochenko said telcos were an attractive target for cyber criminals.

“The Cybereason report and its findings are unfortunately not surprising. A thorough investigation will likely detect a sophisticated and undetected intrusion into virtually any large telco in the world. There is nothing their clients can do about this but presume that all communication channels are insecure and encrypt all their traffic,” he said.

The Cybereason researchers recommend that organisations likely to be targeted in this way by APT groups should:

  • Add a security layer for web servers, such as a web application firewall (WAF), to prevent trivial attacks on internet-facing web servers;
  • Expose as few systems or ports to the internet as possible and ensure that all web servers and web services that are exposed are patched;
  • Use an endpoint detection and response (EDR) tool to give visibility and immediate response capabilities when high-severity incidents are detected.
