
Politically Motivated Cyberattacks on Mobile Infrastructure: Nation-State Threats to Telecom Networks

BSides Cheltenham · 2023 · 50:15 · 51 views · Published 2023-06
About this talk
Imran Saleem examines nation-state cyberattacks targeting mobile network infrastructure, particularly telecom interconnects. Drawing on real incident analysis from the Afghanistan withdrawal and Ukraine–Russia conflict, the talk details attack methodologies including signaling protocol exploitation, zero-day vulnerabilities, and coordinated surveillance operations. Saleem presents financial impacts to operators and recommendations for defending critical telecom systems against state-sponsored threats.
Transcript [en]

Hello everyone. My name is Imran, and I'm going to give some insights on things that are happening in mobile infrastructure. Usually people talk about threats that originate from or are focused on the enterprise, but based on what we have been looking at in telecom signaling we see a lot of massive activity that is supported by nation-state groups. The purpose of the talk today is just to give you some insights into how we capture them, what their objectives were, and how we were able to detect all these activities.

Just quickly giving my introduction: as usual, I'm just a person like you doing research, trying to bring out activities that are interesting, looking into new attacks, reporting them to the relevant groups, and making sure that the community gets the most benefit out of our research. The last talk I was engaged in was Black Hat Asia, where I gave the same theme. It was interesting; there were a lot of questions there, mostly on how we were able to detect all these nation-state activities. I'm also a member of the panel of experts at GSMA, and our research has been acknowledged on various platforms.

A brief agenda of what we are going to cover today: it's more on what the interconnects are and the threats around them, and how we classify attacker groups in mobile networks. You know the attacker groups in the enterprise; there is no difference in the attacker analogy here, so you will see that a lot of things are pretty much similar. There are interesting insights on the U.S. withdrawal from Afghanistan, and I wanted to precisely mention that we were able to capture some bits of interesting information there. We were also able to capture intelligence around the Ukraine–Russia conflict, which I'm going to walk you through in a while. Then the financial impact: operators basically care about financial losses, and it's not necessarily that the objective of the attacks is only targeting a specific set of people; it can expand beyond that, and in certain cases it can incur losses for operators. And finally some general recommendations.

Quickly moving forward: there are different areas in mobile operators where you can actually start your activities, but the focus of the talk today is more or less on the interconnect side, which is marked here in red. Most of the threats that we actually see in mobile networks are either coming from the interconnects or coming from the radio interfaces, but the radio side is not covered in the talk today; it's mostly on the interconnect side. There are two aspects. Operators usually focus on fraud and security, and they actually go hand in hand; there is a very thin line between fraud and security for mobile operators. On the top left you would see the attributes that are more focused on fraud, which means smishing, spamming, spoofing, and certain activities like A2P grey routes, which is basically one way of incurring losses for operators. If you go to the bottom right, this is where your actual attacks happen, and the attackers are more focused on doing surveillance, doing interception, and tons of other activities. In the past our organization was engaged with some international organizations in order to locate the activities from Pegasus and Tech Lab, and all those activities started all the way from the signaling network, so we have a very good insight into how those activities started and what their objectives were.

So it's not like mobile network security does not have any security controls in place. There are a lot of security guidelines governed by the GSMA; people like us, when we find vulnerabilities through research, contribute to those security guidelines, so they are available to the operators. But again, that's not an absolute measure by which to judge your security posture. So there are security controls, but these are also accessible to attackers, and next I'm going to explain how these documents are also available to the attacker groups.

Just a brief on the interconnect architecture, for the people probably coming from the enterprise background. The interconnect, which is basically one way to establish communication between operators, is where the attacks usually happen. If this is a home network, which is in the UK, you might expect an attack coming from another country. All this signaling that happens when we are roaming or when we are in the country can precisely be used to perform a lot of attributions on the subscriber. What attackers or hackers can do is inject malicious messages into signaling and perform certain types of activities.

Just going back to what we are trying to achieve today: the basic idea of the talk was to give you intelligence on what we captured, but before going forward I just wanted to tell you what we actually do. We are a company who provides security solutions to operators, and nine out of ten operators have our solutions deployed, so we have very good visibility across mobile networks, and that gives us a unique advantage in looking into malicious signaling. The only purpose is to identify malicious actors; we are not harvesting information, but we are looking for malicious activities, and the objective here is to categorize and understand the analogies of attackers.

Looking back into how these attacker groups originate their activities, we wanted to give you an insight into the expertise they have, and I can just give you a glimpse of that. They have all sorts of understanding of how signaling works; they have their own stack; they are quite connected, which means that they work in groups and in clusters; and they also have access to all these security guidelines that you have seen in the previous slides. They understand what their needs and objectives are, and they also understand that operators are not doing enough and are not looking for unknowns. The understanding for them is that operators work by the book: if you have certain security policies in place, they don't go above and beyond, so that gives them a unique advantage, and they exploit it very well.

What we have captured here is an attempt to categorize all the groups of actors that we have seen in the past, starting from script kiddies. Based on what we have seen, their stacks are broken, which means that their messages are usually malformed, so it's quite easy to detect them. Grey route operators, again, are more focused on fraud, which means that they want to terminate SMSs towards an operator and incur revenue losses on them. Surveillance companies: this is one of the very important areas for operators; they don't want their subscribers to be tracked, and there are companies in place which perform surveillance on behalf of companies who request them to do it. Based on their attributes, what we have seen here is that they have a very strong footprint, which means that they work in different parts of the world, so they are not really focused on originating messages from one region; that's why they work in clusters, and they have a very strong understanding of the signaling side.

State actors work hand in hand with surveillance companies; sometimes they establish a kind of communication with them, and they can also engage criminal service organizations. The theme of the talk today is to establish how these groups are operating. The state actors are more standard: they know their objectives, but they actually coordinate with criminal service organizations and surveillance companies. The criminal service organizations are focused, and their entire criterion is actually to perform account takeovers. Now this can be an account takeover of a bank account, it can be a social media account takeover, it can basically be any account that is crucial for the customer, because it happens based on needs and demands. And again, usually people do not understand there are audit companies as well: when we are doing a validation on the global signaling there are patterns which tend to be very similar to the attackers, and sometimes operators tend to consider them attackers as well, but they are audit companies who also perform them, so they are the good guys. And then the DoS agents: we have been seeing an increase in DoS agents, and they are basically able to bring down network elements. I'm not surprised; all these types of groups must be operating in the enterprise world as well.

Operators usually think that their role is just to place firewalls and make sure that they're updated, and they consider whoever their partner is a trusted entity, but I think that's a false assumption, and that's why I have written here that trust is not a cyber security strategy for the operator.

This is just to give an insight on what has been captured previously, if you look into the historical outlook of activities in the past. These activities are focused on the enterprise, and we can clearly see there are certain groups who were engaged in the past targeting financial institutions, targeting countries for a reason. So nation state as a phenomenon did exist in the past; it happened, it is happening, and it is going to continue. You can clearly see here Russian state activity in 2007, Russian state activity in 2008, and again Russian state activity in 2017. The same applies to the telecommunication network, because the infrastructure is quite massive and services are quite dependent on the telecom infrastructure, so if you are able to bring down part of that, you're actually going to lose a lot of services, a lot of revenue, and the confidence of the subscriber is lost.

One of the examples that just came into my mind: during the initial time of the conflict between Ukraine and Russia, fake operators tended to come up at the borders. The reason for that was to make sure that subscribers were able to latch on to those networks; although they were fake, their services were legit. The understanding was to make sure they use that infrastructure and intercept a lot of communication that was happening on the borders, because border areas are usually very fragile for operators due to several reasons, such as network coverage; that is a grey area for operators. So these operators tend to establish their footprint at the borders, operate for some time, a few months, then dismantle their setup and move away from there. So we just wanted to give you a brief: whatever activities happen in a specific region, the reflection of those activities is available on mobile infrastructure, so if you have the right spot to find out the activities, you will be able to locate what has been happening.

This is what happened during the U.S. withdrawal from Afghanistan, and this is a very interesting bit of information, because what we noticed during the time of analysis was that all the political events that were happening were directly related to, and being seen on, the mobile network infrastructure. Starting from some bit of historical outlook: in February 2020 Trump struck a deal with the Taliban; they just wanted to get out of that specific region, and the deadline for that was May 2021, and this was basically endorsed by Biden. When Biden took over the administration, their team actually extended that to September of the same year. If we look into that specific time when all this was happening, there were certain activities that we were able to capture. These are attacks focused on Afghanistan, attacks focused on subscribers in Afghanistan, and attacks focused on subscribers who were roaming in Afghanistan. Clearly we can see here, from September 2020 up till February 2021, which is the time when the Trump administration signed the deal, there was no activity targeting Afghanistan, probably because the area was not of interest. Immediately after that we clearly see the spikes, and in the next few slides I'm going to walk you through what type of activities that relates to. By the end of the year, which is when the exit was supposed to be, we see the activity fading away late in the year.

Now, the threat actors who were behind all these activities: we knew about them already; we knew they had links with nation states and were supported by some other sources, and they were clustered. So what were their objectives and targets? We knew they were targeting the country; we knew there was a specific need and objective. The primary target was that specific country, and the secondary targets were roamers, or the subscribers who were in Afghanistan; they were also being targeted. Based on our intelligence, we see the potential victim organizations were news and media outlets, NGOs and government institutions, and the motives and objectives were IMSI gathering. Now, I'm not sure if people around here know: the IMSI is an identifier that is unique, and every subscriber is allocated an IMSI when you have a SIM inserted in your phone. The entire idea was to capture the IMSI. Now, the IMSI is not known to the subscriber: you know your mobile number, but you don't know your IMSI unless you use a special code on your phone and are able to extract it. Once you have that IMSI in place, you're able to perform a lot of other attacks like call interception, SMS interception, and account takeovers. Supported by that was location tracking and surveillance, and in some instances we were able to see they were doing interception at the radio level, which means that, if you have heard about IMSI catchers or jamming devices, they are placed in a small vicinity of the victim, and using that area they were basically doing interception at the radio level. So it was coordinated: there was somebody available on the ground helping those actors execute the entire operation, and the threat indicators were clubbed with bypass techniques in order to make sure that they meet their objectives. So this is the level of intelligence that we were able to capture during a specific set of activities. Again, all the activities that happen in a specific region are usually reflected all the way on the mobile networks, because mobile networks are one way to execute your operation, but not the only way.

So the question here is: can a political shift in the region drive cyber attacks? Even if there is no political shift, a set of events in that region can also drive cyber attacks, and one of the very good examples was this specific event when the U.S. troops were exiting that specific region.

Is the Ukraine–Russia conflict different from what we have seen in the past few slides? This is a set of timelines; I know this is not very clear, but all these timelines are captured from Europol, so it's not something created by me. This is the set of all the types of attacks that have been captured and logged on the Europol website, and the ones highlighted here are the ones which were more focused on telecom infrastructure. Starting from denial of service, bringing down an ISP, BGP prefix hijacking, and some other types of attacks, they were all focused on telecom infrastructure, and they knew if they are able to bring that down they are actually going to cut the communication. What is interesting is that all these attacks that we have seen were focused on one country. Why is that? Because all these activities were not originated by only one group; it was coordinated, and they were quite consistent, and I think one of the reasons we have seen is that they have been sharing intelligence within their groups as well. That brings us to the next slide.

This is an understanding of the Russian activities that we have seen in the past. If you go back to 2020 and 2021, we see very low activity from the group, but there was a sudden increase since the conflict started; you can see there is a massive increase of 250 times compared to what was actually there in 2020 and 2021. All these activities that we saw were supported by pass, and the key fact about all those activities that we saw and noticed was that they were using fuzzing techniques, which means it was quite obvious for them: they wanted to see how the networks were responding and how vulnerable the networks were, because fuzzing is the best way to understand the network behaviour. This is what they were trying to do, and they were actually successful to an extent. Again, these are real examples that we captured, and we can clearly see here the large amount of activity that we have seen. They were targeting not only a specific region or a country; it was actually beyond that, which means Ukraine was not the only country; they were targeting other NATO countries as well. The attack intensity was quite high, and the coverage was also extreme for them. The state actors are still active, and they were also targeting inbound roamers. Inbound roamers are a set of people who are roaming in a different country, and for mobile operators, if their subscribers are roaming in a different country, they are unable to secure them, so that makes them more vulnerable. They knew they were roaming, they were trying to use that opportunity, and then they actually executed the attack. We were able to capture their zero-day activities, and the objectives were identity impersonation and identity spoofing, and they were using fuzzing. In the entire activity that we captured at that specific instance they were targeting around 60 plus countries.

So these are the set of attacks involved that we were able to capture, starting from network discovery: they were mapping and scanning networks. Again, IMSI extraction and profile extraction: if you are able to extract a subscriber profile from an operator through malicious execution, you actually have the entire data set required for that specific subscriber. That gives you all the information on how your profile is configured and whether there are any services linked to your profile, and that gives an upper hand to the attacker to design their next set of attacks. So profile extraction was one of them. There was a high increase in location tracking, and again I think this is the focus even for the operators these days; they don't want such activities to happen, because location tracking seems to be simple but it actually is a violation of so many regulations like GDPR; one of the examples is they want to make sure that no information of a subscriber is available to any operator legitly. Hostile registration is classified as one of them, which means that you're able to intercept the communication; now this can basically be at the radio level, or it can be on the SMS, where you are actually able to intercept the two-factor authentication code, and in some instances they were also engaged in financial fraud as well. All these activities were established and detected by this specific group operating in Russia, and again their target nations were not only Ukraine and NATO countries; it then expanded towards the Middle East and Africa.

Our recent discovery was on Tech Lab. If you have heard about Tech Lab, I think this is a European group that was focused on doing surveillance using mobile infrastructure. They were able to actually get out from that situation, and when noticed they were immediately brought down by the authorities. This was an extension of Pegasus NSO, but again they knew how to use mobile infrastructure, and they were quite successful in that.

This is a set of evidence that we were able to capture. These are all scan attempts, and if we notice some odd behaviour here, these are all sequential numbers that belong to a network or networks. If we are doing scanning, this basically gives the attacker an idea of how the networks are behaving, and then they can design their subsequent attacks. These scans were quite incremental; we can see here these are all the scanning identifiers that are incremental, and they were targeting a lot of countries, around 60 odd countries, and this is just one of the example sets that we have seen. All these activities start from a scan; some of them are not really an outcome of a scan, but most of them are usually started through a scanning process.

Like we discussed earlier, they were focused on identity impersonation, and this is one of the examples. This is an example of an account takeover by this group. If we look here, this was an attempt at performing a hostile registration, and this is where this group was actually able to intercept the two-factor authentication code. Now, this authentication code can belong to any service, not necessarily this service; it can be your bank account, it can be your social media account. We have seen WhatsApp, Telegram, Facebook, Gmail, Microsoft, Microsoft Cloud, so many others I can't recall all of them, but we have seen all of these accounts being taken over. This is one of the accounts, and the reason for putting this here is that it was unique: this is a voice-over-IP account takeover. Usually people tend to answer calls when they see known numbers, so if somebody is using a voice-over-IP application, they have registered their CLI, which is basically your mobile number, with that application, and when they are using the voice-over-IP application, what you see is the name coming up on your phone, so you don't really hesitate and start speaking immediately, without knowing that you might reveal a lot of information. So this is a voice-over-IP application account takeover, and the interesting thing here is that this account does not really require an email address, which made it pretty much easier for the attacker, because otherwise he would have had to compromise the email as well. The only thing he needs is your mobile number, which is obviously very easy to get. Once he knew the mobile number, he actually started the recovery of that account, and he was able to get it using malicious signaling. Clearly we can see the two-factor authentication code was sent to the attacker, and once he has this code in place he can use that and call anyone, and in this specific case he can use your contacts in order to execute whatever the objectives are.

This is an identity spoofing case, and again this was captured from the same group. If we look here, they were using identities from Afghanistan and identities from the UAE; these are spoofed identities. When we actually went back in order to trace all these activities, we were able to locate the origin of these attackers, which was pointing towards a Russian operator, which means the physical links through which all these activities happened were pointing towards operators in Russia. All these spoofing attempts were there for a reason: they wanted to make sure that, using these spoofing methodologies, they can trick operators into considering that this is a legit service, because it's not that easy to find out the actual origin unless you are partnering with some of the carriers who route your network traffic. I think that's one of the main points that backs our statement that these groups who were operating were supported by a nation. That was the main idea: these people who are conducting all these attacks have an objective, but they also have support.

This is an example of a zero-day activity that we saw earlier. Normally the signaling between operators is quite standard in nature, so you don't really change bits and bytes in that signaling, but in this specific case this activity was captured as an outcome of fuzzing. Normally a specific attribute in signaling has a specific length, but in this specific case what they did was add extra bytes to an attribute, and by adding an extra byte to an attribute they were trying to see if the networks are able to respond to that specific message, and they were quite successful, which means operators, or their firewalls or their policies, were not really ready for handling fuzzing techniques. This was one of the zero days that we found: an extension of an extra byte to an attribute. Again, this is another attribute in signaling, and in this specific case the standard attribute length is 4 bytes, but when we started looking into it, they had extended that attribute from four bytes to eight bytes and were able to succeed. Again, that gives them an idea that the operators' software stacks or their decoding stacks are not really equipped to handle such a type of fuzzing. The interesting aspect here is the message type: this is SendAuthenticationInfo. Just as background, this message type is used to perform hostile registration, which means that if an attacker sends this message with a malicious attribute, this one, a transaction ID with 8 bytes, then operators, if they are not able to detect that, are going to process that message, and what will happen as a result is your IMSI being used by an attacker who is in Russia while your SIM is in the UK and you are in the UK; he performs an activity on your SIM using this message type and registers you in Russia. Now what happens is all your communication starts to redirect towards that Russian source without you knowing that your account or your services are going to be disrupted. So this is one of the examples; this was again a zero-day exploit, and we captured that as well.

What happened as a result of all that: we were able to disclose it to the GSMA, a CVD was built as a result, and there was a briefing paper for the operators. For the people who don't know what the GSMA is, it's a body that brings a lot of operators to one table, which means that there are around 900 operators in the world and around 700 are part of the GSMA, so if you are disclosing such vulnerabilities, that gives operators good visibility into how they can tackle all these malicious activities. So a CVD was in place, and it was released very recently.

Okay, sorry. The financial impact: there is a financial impact as well, so it's not only about surveillance and account takeovers and things that are private to a subscriber; they can also incur losses for operators. In this specific case we found another zero-day activity somewhere in April 2021; we reported it to the GSMA, and this was the CVD ID. Luckily an operator actually experienced the same vulnerability executed in their network, and it actually lost around 50k USD in 12 days. So it was good for us that our vulnerability was acknowledged, but we don't know the full impact. This can be because of several reasons: sometimes operators don't have the visibility to detect it, and sometimes they lack interest; they don't want to report such activities. So there is a financial impact to all these zero-day exploits. When we reported that to the operators, nobody actually believed that such activities existed, but the one that we saw in the previous slide was evidence that this might incur losses for them. Again we reported it, the briefing paper was established, and then it was shared among the operators.

Quickly moving forward to the disclosures. Why are we doing that? There is a lot of effort that takes place; a lot of effort is required to detect all these activities, and our objective is to make sure that we give this back to the security community, and the whole idea of bringing those CVDs here is to make sure that operators get the most out of it.

This is the last slide, and I wanted to share some gaps. What we have established so far is that the operators don't really take remedial steps here, which means that they don't really share intelligence among themselves. Unlike the enterprise, where they have intel sharing frameworks like STIX and TAXII, we try to do that, but the operators are quite reluctant in accepting it, which means that if something happens to one operator it stays within them and is not shared with others. That basically gives an advantage to attackers, because they know that it has not been communicated, or that it's an isolated event for an operator, and they can use it to their advantage. We have also seen that when we speak with some of the operators, they haven't considered implementing the handling of cyber conflicts into their security strategy: they have considered resilience, they have considered other factors in their security strategy, but handling cyber conflicts was not considered as part of their long-term strategy. The last few points: when we speak to operators, the only thing for them is the security guidelines that are available from the GSMA; they consider that's more than enough for them to actually be safe, but this is not an absolute measure. And the last one is that we need the operators to enable themselves with a global threat intelligence mindset, which I think they don't really focus on. That brings the end of my talk. If there are any questions, I hope I'm able to answer them. [Applause]

But that brings the question. This is important because every person in this room is probably using a cell phone, right? So it's important to take a step in front of the bad guys doing this. So the question is: how can we do this type of research, or learn this stuff? What is that for us?

Yes, so there are a few aspects here, right? SS7, or the telecom infrastructure, is quite closed, which means that it works on trust relationships; you can't just go on a cloud or a public network and start doing your stuff; it doesn't work like that in the telecom infrastructure. Unless you are part of that ecosystem you can't do any activities, and for that there is a term called GT leasing, which means that operators are leasing out their identities to a group of companies to perform a certain task. Now if it's you doing that, you can say you're using it for a different purpose, which is ethical hacking, but this is not the case: all these activities that are happening happen because of GT leasing, which means that operators, for their revenues, share their identities with a group of companies, and they don't know how they're going to use them. That's the whole concept here, and that's why the industry is bringing out a framework to monitor that. So ethical hacking can happen, but it is subject to an agreement and to you being part of that ecosystem.

Oh yeah.

Yes, so these vulnerabilities are basically focused on mobile infrastructure, which means operators who are running services for subscribers, like Vodafone, or let's say BT, or Virgin, O2. They have a specific set of verticals, right? If they have an SS7 network or a 3G network or a 4G network, and a vulnerability is reported, it is their responsibility to mitigate it on their network elements, and if they don't do that then this opens up a lot of risk for them. So this vulnerability is focused towards mobile operators, with the mindset that if it is 3G then they have to work on the 3G network, and if it's 4G then it's the 4G network.

Thank you. [Applause]
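As an added, defender-side example that is not from the talk or the speaker's company: a small Python check that applies two of the indicators described in the talk (incremental IMSI scanning from one origin, and a SendAuthenticationInfo request whose transaction ID has been extended past its 4-octet limit) to constructed interconnect event records. The record layout, field names, global-title labels and IMSI values are assumptions made for this example; the 4-octet transaction-ID maximum comes from ITU-T Q.773.

```python
"""
Interconnect signaling anomaly checks for two behaviours described in the talk:
(1) incremental IMSI scanning from a single origin, and
(2) a SendAuthenticationInfo (SAI) request carrying an oversized TCAP transaction ID
    (the talk describes an attribute fuzzed from 4 bytes to 8 bytes).
Event records, field names and sample values below are constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass

# ITU-T Q.773 allows a TCAP transaction ID of 1..4 octets; anything longer is malformed.
MAX_TID_OCTETS = 4


@dataclass(frozen=True)
class SignalingEvent:
    ts: int            # arrival time in seconds (constructed)
    origin_gt: str     # calling-party global title seen on the interconnect (label, constructed)
    opcode: str        # MAP operation name, e.g. "sendAuthenticationInfo"
    imsi: str          # targeted IMSI, 15 digits (constructed, test PLMN 001/01)
    tid_hex: str       # originating transaction ID as a hex string


def oversized_tid(ev: SignalingEvent) -> bool:
    """True when the transaction ID is longer than the 4-octet maximum."""
    return len(bytes.fromhex(ev.tid_hex)) > MAX_TID_OCTETS


def detect_imsi_scan(events, min_run: int = 5) -> dict:
    """Return {origin_gt: longest_run} for origins whose targeted IMSIs, in arrival
    order, form an incrementing run of at least min_run consecutive values.

    Consecutive IMSIs differing by exactly one are a walk through a network's
    number space, the incremental pattern shown on the talk's scan-attempt slide."""
    by_origin = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_origin[ev.origin_gt].append(int(ev.imsi))
    flagged = {}
    for origin, imsis in by_origin.items():
        run = best = 1
        for prev, cur in zip(imsis, imsis[1:]):
            run = run + 1 if cur - prev == 1 else 1
            best = max(best, run)
        if best >= min_run:
            flagged[origin] = best
    return flagged


def detect_fuzzed_sai(events) -> list:
    """Return SAI events whose transaction ID exceeds the standard length; a decoder
    that accepts these is the weakness the talk describes, so they should be rejected
    and alerted on rather than processed."""
    return [ev for ev in events
            if ev.opcode == "sendAuthenticationInfo" and oversized_tid(ev)]


# Constructed sample traffic (not captured data): one origin walks six IMSIs in
# sequence, a second sends a well-formed SAI, a third sends an SAI with an 8-octet TID.
SAMPLE = [
    SignalingEvent(1, "GT-SCANNER", "sendRoutingInfoForSM",
                   f"{1010000000000 + i:015d}", "01")
    for i in range(6)
] + [
    SignalingEvent(10, "GT-LEGIT", "sendAuthenticationInfo", "001010000099999", "0a0b0c0d"),
    SignalingEvent(11, "GT-FUZZ", "sendAuthenticationInfo", "001010000099999",
                   "0a0b0c0d0e0f1011"),
]


def report(events) -> dict:
    """Summarise both checks for a batch of events."""
    return {
        "imsi_scans": detect_imsi_scan(events),
        "fuzzed_sai_origins": [ev.origin_gt for ev in detect_fuzzed_sai(events)],
    }


if __name__ == "__main__":
    print(report(SAMPLE))
```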