
The Looming Threat to Global Telecommunications


The telecommunications industry plays a crucial role in keeping people connected and is considered a critical infrastructure in many countries due to the role of the sector in enabling so many facets of modern economies. Indeed, Infocomm is one of 11 Critical Information Infrastructure sectors identified by Singapore’s Cyber Security Agency.

The telecommunications sector is a persistently popular target for state-nexus and eCrime adversaries alike. In fact, the telecommunications industry topped the list of most frequently targeted industries, accounting for 23% of attributable interactive intrusions in the Asia Pacific and Japan region according to the CrowdStrike 2022 Falcon OverWatch Threat Hunting Report.

The motivations that attract different adversaries to the telecommunication sector are distinct. State-nexus adversaries most commonly seek information that could support espionage, infrastructure access, and access to customer data. On the other hand, eCrime adversaries recognize the criticality of the sector, and therefore the value of the data they hold for data extortion campaigns. While many eCrime campaigns are opportunistic, the industry is also a target for enterprise-focused Big Game Hunting (BGH) adversaries who deliberately pursue organizations with a low tolerance for disruption and a high capacity to pay.

Main threats affecting the telecommunication industry

Initial Access and Privilege Escalation via social engineering is a popular intrusion technique used against telecommunications organizations. CrowdStrike has observed adversaries using phone calls, SMS and/or Telegram to impersonate IT staff. The adversaries then instruct victims to navigate to a credential-harvesting website, or to download remote administration software that lets the adversary connect to and control the victim’s system. Where multi-factor authentication (MFA) was enabled, the adversary would either engage the victim directly to convince them to share their one-time password (OTP), or work indirectly through MFA push-notification fatigue: repeatedly triggering MFA push prompts to the victim until they accept one.

Persistence is particularly crucial in state-nexus information collection campaigns. To achieve persistent access CrowdStrike has observed adversaries abuse the organization’s MFA console to add their own devices as an additional trusted MFA device. The devices would be assigned to compromised users for whom they had captured credentials. This technique, performed by taking advantage of user self-enrollment policies with the MFA provider, allows the adversary to maintain a deeper and less obvious level of persistence instead of simply installing a remote access trojan to maintain access.
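The two identity-layer patterns above (push-notification fatigue, then self-enrollment of an extra MFA device) leave a trail in the identity provider’s MFA log. The following detection logic is an added example, not code from the article or from CrowdStrike; the event names, fields and sample log lines are constructed and would need to be mapped onto a real IdP’s export.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample IdP events: (timestamp, user, event, detail).
# Event names are assumed for this example, not taken from any product.
SAMPLE_LOG = [
    ("2023-01-10T09:00:05", "alice", "push_denied", ""),
    ("2023-01-10T09:00:40", "alice", "push_timeout", ""),
    ("2023-01-10T09:01:10", "alice", "push_denied", ""),
    ("2023-01-10T09:01:45", "alice", "push_denied", ""),
    ("2023-01-10T09:02:20", "alice", "push_timeout", ""),
    ("2023-01-10T09:03:00", "alice", "push_approved", ""),
    ("2023-01-10T09:07:30", "alice", "device_enrolled", "Android, self-enrolled"),
    ("2023-01-10T09:05:00", "bob", "push_denied", ""),
    ("2023-01-10T09:20:00", "bob", "push_approved", ""),
    ("2023-01-10T11:00:00", "carol", "device_enrolled", "iPhone, help desk"),
]

FATIGUE_WINDOW = timedelta(minutes=10)   # look-back for denied/unanswered pushes
FATIGUE_THRESHOLD = 4                    # rejected pushes before an approval is suspect
ENROLL_WINDOW = timedelta(minutes=30)    # new device shortly after a suspect approval


def parse(record):
    ts, user, event, detail = record
    return datetime.fromisoformat(ts), user, event, detail


def detect(log):
    """Return (user, rule, timestamp) alerts for the two MFA-abuse patterns."""
    alerts = []
    events = sorted((parse(r) for r in log), key=lambda e: e[0])
    rejected = defaultdict(list)   # user -> timestamps of denied/timed-out pushes
    suspect_approval = {}          # user -> time of an approval preceded by fatigue
    for ts, user, event, _detail in events:
        if event in ("push_denied", "push_timeout"):
            rejected[user].append(ts)
        elif event == "push_approved":
            # Rule 1: many rejected prompts in the window, then an accept = fatigue.
            recent = [t for t in rejected[user] if ts - t <= FATIGUE_WINDOW]
            if len(recent) >= FATIGUE_THRESHOLD:
                alerts.append((user, "mfa_push_fatigue", ts))
                suspect_approval[user] = ts
            rejected[user].clear()
        elif event == "device_enrolled":
            # Rule 2: a new MFA device registered soon after a suspect approval.
            t0 = suspect_approval.get(user)
            if t0 is not None and ts - t0 <= ENROLL_WINDOW:
                alerts.append((user, "mfa_device_added_after_fatigue", ts))
    return alerts


if __name__ == "__main__":
    for user, rule, ts in detect(SAMPLE_LOG):
        print(f"{ts.isoformat()} {user}: {rule}")
```

Bob’s single denial followed by a late approval and Carol’s help-desk enrollment produce no alerts; only Alice’s sequence matches both rules.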

Reconnaissance is a critical stage of most interactive intrusion campaigns, as adversaries attempt to orient themselves on a system and identify valuable data, access and assets. Adversaries have demonstrated operational proficiency across platforms including Windows, Linux, MacOS, and a variety of cloud-based services. They also access SharePoint and OneDrive environments for operational documents like VPN instructions, MFA enrollment information, “how to” guides, help desk instructions and new hire guides.

Examples of adversary activity against the telecommunications industry

SCATTERED SPIDER – this is the name given to an eCrime adversary group that has been tracked targeting organizations within the telecommunications and business process outsourcing (BPO) sectors with an end objective of gaining access to mobile carrier networks. They have been observed leveraging a combination of credential phishing and social engineering to capture one-time-password (OTP) codes or overwhelm targets using multi-factor authentication (MFA) notification fatigue tactics. Having obtained access, this adversary group avoids using unique malware, instead favoring a wide range of legitimate remote management tools to maintain persistent access.

DecisiveArchitect, otherwise known as Red Menshen, is an activity cluster observed targeting telecommunications providers across the Middle East and Asia using a custom backdoor tracked by CrowdStrike Intelligence as JustForFun, or BPFDoor.

DecisiveArchitect applies operational security (OPSEC) within its attack methodology. OPSEC is a security and risk management process that categorizes information and then determines the steps required to protect sensitive information and prevent it from getting into the hands of threat actors; it encourages IT managers to view a company’s operations from the perspective of a potential attacker. An adversary that applies the same discipline to its own operations is even more difficult for targeted organizations to identify and investigate.

Final thoughts

Today, both eCrime adversaries and state-nexus actors continue to weaponize data. Organizations need to move from ‘trust but verify’ to ‘verify then trust’: the only way to adequately defend networks is strong identity management and zero trust. The cybersecurity landscape will only continue to evolve, and adversaries are relentless in developing their tooling and tradecraft to evade detection.

We encourage all organizations to adopt a heightened security posture, especially in three critical areas of enterprise risk: endpoints and cloud workloads, identity, and data. Additionally, organizations should adopt cloud-native EDR, threat hunting capabilities and threat intelligence to provide comprehensive and proactive defense against both current and emerging threats.

Author

Nick Lowe is a sought-after thought leader and frequent speaker at global conferences on a variety of cyber security related threats. With a security career spanning 16 years, Nick has served in numerous roles in both a technical as well as a senior leadership capacity specialising in threat hunting, security operations, managed security services, threat intelligence and incident response. In his current role, Nick is a Director of Falcon OverWatch, and leads global teams of elite threat hunters and intrusion researchers focused on proactive hunting, strategic intrusion analysis, research and tactical intelligence generation associated with targeted nation state and eCrime intrusion activity.
