How and why the telecoms industry is coming under sustained attack [Q&A]
The trend towards digital transformation and the sudden shift to remote working has seen the telecommunications industry become a prime target for both criminal and state-sponsored attacks.
Threat intelligence specialist IntSights has produced a new report focusing on the threats to the telecoms industry, and we spoke to Paul Prudhomme, cyber threat intelligence advisor at the company, to find out more.
BN: Why is the telecoms sector seen as such an attractive target?
PP: As I highlighted in the report, the telecommunications industry is relevant to anybody who has an internet service or phone service. Wherever you work, you will often rely on your ISP to service users. So, this report is relevant to anybody who uses phone or internet services.
Also, protecting the telecom industry prompts a lot of discussion about third-party risks in the wake of the SolarWinds attack. Think about the degree to which a compromise of a telecom company can hit a very large and wide range of business and individual customers. Even if, as a business, your security is very robust and you haven't been breached, your data could still fall into other hands indirectly.
BN: What are some of the main techniques used in these attacks?
PP: One of the most common is 'SIM swapping'. This allows attackers to swap the SIM card number associated with your phone to the SIM card in the attacker's phone. Then they can receive your traffic, and specifically the two-factor authentication tokens that many people will receive in the form of text messages.
The main application for this is to defeat two-factor authentication measures that protect things like online bank accounts, but also almost any other third party that uses SMS-based two-factor authentication. One of the best defenses against this type of SIM swapping issue is to use a mobile authenticator app. These apps from Symantec, Google, Microsoft and others will generate the two-factor authentication token locally on your phone and thereby eliminate your dependence on the service provider. So, the same attack would be useless against it and, more broadly, it just reduces your reliance on SMS, as sometimes messages can be slow or you may be in an area with poor mobile coverage.
BN: What's the motivation behind these attacks, is it purely financial?
PP: For SIM swapping in particular, this is associated primarily with criminals, and the target would be online banking accounts or other financial services; it could also be used to access an email account that is used to control a number of other services.
This is a service that we can find being offered on underground forums. There are criminals who in fact specialize in serving as brokers with access to a network of malicious insiders. You can reach a telecom company by conventional technical means, but that might be difficult; often it's easier to just recruit an insider to do that for you.
Brokerages will charge a flat rate per phone number, ranging from $120 to $400. By the standards of the underground criminal forums and marketplaces that's a fairly substantial price. Primarily this is for two-factor authentication and some sellers will charge a percentage of the proceeds gained from attacking online accounts.
But attackers are also interested in getting sensitive data points like dates of birth or, in the US at least, social security numbers that are important for identity. You can certainly get PII from other industries and telecommunications companies are just one other source that attackers want to go to. Even just the last four digits of a social security number can still be useful for fraud because it's the kind of data point customer service representatives at many companies will use to authenticate customers. Things like phone numbers, email addresses and so on can be merged with other data sources for a number of types of attack and also used as a target for malicious spam and phishing by email or SMS.
BN: What about state-sponsored attacks?
PP: With state-sponsored actors they may have particular customers of interest. So, for example, an intelligence agency in somewhere like Russia or China wants to listen to the phone calls or read the text messages of a particular person of interest to them, for whatever political, military or economic purpose, and they can do that by gaining access to telecom companies and collecting the information from there.
The Chinese state-sponsored groups are one of the most prolific practitioners of these types of things. But you also get the Iranian government, for example, looking at people it considers a threat to bring some sort of change in Iran. They would want to get into the US to monitor the traffic. They might also take an interest in any other non-Iranians living in the US who have access to organizations that they're interested in, such as the government itself or defense contractors.
BN: Are these attacks something the industry needs to tackle or is there a need for more consumer awareness too?
PP: Certainly on the consumer side, reducing your reliance on SMS-based two-factor authentication. VPNs are also good for protecting your home internet traffic. And thinking about third-party risks in general. As a business, for example, even if your security is perfectly robust, it's understanding that anything that you send out beyond your own perimeter via a telecom ISP could certainly be compromised. Things like encrypting files or encrypting your email attachments offer protection to reduce the risk in the event that your data is exposed as it goes through networks.
Telecom companies obviously do have a responsibility as well; keeping an eye on underground forums is a good source of intelligence for them to use. We cover this extensively at IntSights, looking at the malicious criminal offerings of dark web forums. They do mention telecom companies, often by name, so if you see somebody on the forums who's offering access to a malicious insider in your company who is engaged in SIM swapping texts, that is certainly something that bears investigation.