The growing use of mobile devices for multifactor authentication has increasingly made telecom providers a juicy target for cybercrime. An ongoing SIM card-swapping campaign by a Chinese threat actor called “Scattered Spider” is just the latest example of that trend.
Scattered Spider is an APT group that researchers from CrowdStrike have been tracking for the past several months. The group has been targeting telecom companies and business-process outsourcing (BPO) firms that support these telecom companies with the objective of gaining access to their respective carrier networks.
SIM-Jacking Via the Carrier Network
In at least two instances where the threat actor gained that access, they used it to do SIM swapping, a process where an adversary essentially transfers another person’s phone number to their SIM card. Attackers can then use the hijacked phone number to access bank accounts or any other account where the legitimate user might have registered the phone as a second form of authentication. SIM jacking also gives attackers a way to register and associate rogue devices to accounts on compromised networks.
Bud Broomhead, CEO at Viakoo, says the wide use of mobile networks for multifactor authentication has painted a big target on telecom providers. “While there have always been efforts to breach telecom systems, the increased reliance on them for security has increased the frequency of attacks against them,” he says.
In the campaigns that CrowdStrike observed, Scattered Spider gained initial access to a targeted telecom or BPO network by impersonating IT personnel and convincing individuals working at these organizations to part with their credentials or to grant remote access to their computers. Once inside the target environment the threat actors moved laterally across it — often using legitimate tools such as Windows Management Instrumentation — until they gained access to the carrier network.
The group has targeted multiple telecom firms since at least June 2022 and has simply kept moving to different targets each time it gets booted from one, prompting CrowdStrike to describe the campaign as an “extremely persistent and brazen” threat. Recently, CrowdStrike observed Scattered Spider deploy a malicious kernel driver via a vulnerability exploit as part of its attack chain.
Adam Meyers, senior vice president of intelligence at CrowdStrike, says Scattered Spider’s campaign appears to be financially motivated and therefore different from the many attacks on carrier networks focused on cyber espionage.
“Based on what we have seen, they are focused on SIM swapping,” says Meyers. “When you have two factor-authentication and do a SIM swap, you can bypass that authentication.”
Crime v. Espionage
Campaigns like Scattered Spider represent a relatively new kind of attack on carrier networks. In recent years, many campaigns that targeted telecom companies have focused on some form of intelligence-gathering activity and have often involved advanced persistent threat groups from countries such as China, Iran, and Turkey, Meyers notes. The goal is usually to intercept communications and to harvest the detailed information available in call data records (CDRs), he says. CDRs can be very powerful for monitoring and tracking individuals, he says.
Back in 2019, Cybereason reported on one such campaign that it dubbed Operation Soft Cell, where a Chinese APT group infiltrated carrier networks belonging to a major telecommunication company to steal CDRs. The security vendor assessed at the time that the campaign had been active since at least 2012, giving the threat actor access to data that would have helped the government target politicians, foreign intelligence agencies, dissidents, law enforcement, and others.
In 2021, CrowdStrike reported on a multi-year campaign where a threat actor called Light Basin broke into at least 13 telecom networks worldwide and systematically stole Mobile Subscriber Identity (IMSI) data and call metadata on users. The threat actor installed tools on the carrier networks that allowed it to intercept calls and text messages, call information, and records for tracking and monitoring targeted individuals.
More recently, Bitdefender reported observing a Chinese threat actor targeting a telecom firm in the Middle East in a cyber-espionage campaign. “The attack carries the hallmarks of BackdoorDiplomacy, a known APT group with ties to China,” says Danny O’Neill, director of MDR operations at Bitdefender. The initial compromise used binaries vulnerable to side-loading techniques and likely involved an exploit of the ProxyShell vulnerability in Microsoft Exchange Server, he says.
“Once inside, the APT used multiple tools — some legit and some custom — and malware to spy, move laterally across the environment, and evade detection,” he says.
Catalysts for More Attacks?
Meyers and others expect that the proliferation of 5G networks and VoIP services in general in the coming years will make it easier for threat actors to execute these attacks on telecommunication companies. Newer telecom services such as 5G are susceptible to cyberattacks because everything — including the core networks — are software designed, O’Neill says. That means all the risks associated with software technologies will manifest on carrier networks as well, he says.
“There are going to be a greater number of cells, pico-cells, and micro-cells required to deliver the coverage given the much higher operating frequencies of 5G,” O’Neill points out. From an attacker’s perspective, this equates to more access and entry points, he says.
“The almost universal adoption of voice over IP technology has made pretty much every network a data network and blurred the lines between mediums,” says Mike Parkin, senior technical engineer at Vulcan Cyber. “It’s hard to separate old school voice telecommunication from today’s data networks,” he says.
Why Disruptive Cyberattacks Remain Rare
One notable aspect of attacks on carrier networks is that very few so far have involved attempts to cause widespread service outages or sabotage — a major concern with attacks on organizations in other critical infrastructure sectors. In its 2019 report, Cybereason in fact had noted how the attackers could have used their access on the telecom network to do pretty much anything they had wanted: “A threat actor with total access to a telecommunications provider, as is the case here, can attack however they want passively and also actively work to sabotage the network.”
That is an assessment that Meyers shares about the Scattered Spider campaign as well.
One reason why disruptive cyberattacks on telecom infrastructure might not have happened so far is because they are really not necessary.
“The primary motivation for attacks on signal-carrying networks is espionage,” says John Bambenek, principal threat hunter at Netenrich. “Certainly, there are sabotage interests, but those are usually correlated to the proximity of physical conflict.” As an example, he points to Russian attacks on Ukraine’s telecom infrastructure at the beginning of the war.
Pulling off a disruptive cyberattack on a telecom network is often not needed because other, more straightforward options are available. “What we see many examples of is disruption due to physical means. Getting a little out of hand with a backhoe in the wrong place has disrupted communications for entire metropolitan areas,” he says.
The shift to VoIP means old school tactics such as DDoS attacks could soon become an effective way to disrupt a carrier network, adds Parkin. Even so, other methods are easier, he says.
“A crowbar can gain access to a wiring trunk, and a pair of bolt cutters can make short work of the cables inside,” Parkin says. “Taking out wireless communications takes more sophisticated equipment, but a couple of signal jammers could take down a surprisingly large area.”
Regs to the Rescue
Going forward, governments and regulatory bodies will have to take a more active role in ensuring the security of the telecom sector against cyberattacks. Parkin points to recent steps by the US, UK, and other governments to mitigate against perceived “high risk” vendors and equipment manufacturers that sit at the core of telco networks as an example of what’s needed in the future.
“Government influence in achieving end-to-end cybersecurity should focus foremost on governance and regulatory requirements,” O’Neill notes. “Existing policies and standards need to be developed and strengthened to incorporate new services like 5G.”
He fears that operators, if left unchecked, could default to focusing on availability and convenience at the expense of security.