Telcos face legal threat if they fail to get a grip on security

Telcos are being targeted by sophisticated cyber crime groups seeking to emulate the recent “supply chain attacks” that have crippled large numbers of businesses. Business technology journalist Antony Savvas warns that telcos must comply with minimum security mitigation rules, otherwise a legal deluge may follow any security breach.

Supply chain attacks hit Kaseya last month and SolarWinds last December; both companies supply IT management software that is widely used by managed service providers (MSPs). (Also see: Cybereason exposes Chinese threat actors compromising teleco providers for cyber espionage and The cybersecurity lessons from 2020.)

Attackers subverted the software these two companies distribute (by tampering with its build in SolarWinds’ case, and by exploiting flaws in deployed Kaseya servers), and that software in turn compromised the MSPs running it. Those MSPs’ management tooling then became the channel into their end business customers, who saw systems compromised and data breached and stolen.

Concerted efforts

Security researchers at Cybereason Nocturnus have logged three separate, concerted campaigns to compromise the networks of telcos, with the aim of getting at the sensitive data of their public sector, government and business customers: the same modus operandi used against Kaseya and SolarWinds in those supply chain attacks, where the supplier is the route to its customers.

Cybereason believes the attacks are the work of advanced persistent threat (APT) groups, with the first serious attempt at compromising telco networks going back to 2017.

It’s not uncommon for data to be stolen in a major attack and for the theft only to be discovered months or even years later.

Major attacks

One of the groups involved had reportedly been exploiting vulnerabilities in Microsoft Exchange servers to gain initial access, in activity that continued up until the first quarter of 2021.

Cybereason says that in each attack wave, the purpose of compromising telcos was to “facilitate cyber espionage” by collecting sensitive information, compromising high-profile business assets such as the billing servers that contain Call Detail Record (CDR) data, as well as key network components such as the domain controllers, web servers and Microsoft Exchange servers.

At this point, it is not known whether the attack groups were working independently or were all under the instruction of another central group.

Critical infrastructure

Andy Norton, European cyber risk officer at Internet of Things (IoT) security firm Armis, says, “The sensitive nature of the data telcos hold on their users is the main reason for them being categorised as critical infrastructure.

“To counteract the threat in the telecoms space, the UK, for instance, developed the Telecom Security Requirements (TSR) framework to help telcos comply with the impending Telecommunications (Security) Bill.”

Even if a UK telco is not able to repel a sustained attack, if it can demonstrate the measures it took to implement the requirements in the TSR, as evidence of good data security governance, it has a better legal defence against any actions brought as a result of a data breach.

Other countries are developing a similar approach to network security, not least the US.

Zero day

Many of the new wave of cyber attacks exploit “zero day” flaws, i.e. vulnerabilities not previously known to the vendor or to defenders, but that is no excuse for failing to prepare for them: if a flaw cannot be patched in advance, the damage an exploited account or device can do must be limited in advance instead. Hence the growing importance of zero trust network access (ZTNA).

In response to high-profile data breaches affecting both the US government and private companies, US president Joe Biden recently directed all federal agencies to adopt a zero trust architecture, with enterprises expected to follow or face the music if a serious data breach occurred. Instead of just reacting to major incidents, Biden told government and enterprises to do more to prevent them.

ZTNA grants an organisation’s users the least access to systems that still lets them do their jobs, and grants it per request and per resource, after verifying the identity and the device each time, rather than trusting anything that happens to sit inside the network perimeter.

The approach allows organisations to draw a complete picture of who is accessing what information from which devices. Under ZTNA, identity-based segmented access for specific groups or individual users, and the rules around that access, have to be re-evaluated for risk continually rather than decided once at login.

Identity-based segmentation is designed to dramatically limit lateral movement and reduce the attack surface for both front-end and back-end access.
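To make the identity-based segmentation described above concrete, here is an added example in Python (it is not from the original article, nor from Cybereason, Armis or any other vendor named here) that evaluates the same access requests under a legacy perimeter model and under a per-request zero trust policy. Every identity, group, device, IP address and resource in it is constructed for illustration, and the eight-hour re-authentication window is an assumed policy value, not one taken from any standard.

```python
"""
Added example: perimeter trust versus identity-based, per-request access control.

perimeter_allows()   trusts any request from an internal address range, which is
                     what lets an intruder who lands on one internal box pivot to
                     a billing server.
zero_trust_allows()  ignores network location and decides each request on the
                     authenticated identity, session freshness, device posture and
                     the identity's entitlement to the specific resource.

All names, addresses, groups and devices below are constructed for this example.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network

CORPORATE_NETS = [ip_network("10.0.0.0/8")]

# Directory: identity -> groups it belongs to (hypothetical)
GROUPS = {"alice": {"billing-ops"}, "bob": {"helpdesk"}}

# Identity-based segments: resource -> groups entitled to reach it (hypothetical)
ENTITLEMENTS = {
    "billing-db": {"billing-ops"},             # where CDR-style data would live
    "ticketing": {"helpdesk", "billing-ops"},
}

# Device inventory with posture attributes, as an MDM export might provide (hypothetical)
DEVICES = {
    "lt-alice-01": {"owner": "alice", "managed": True, "disk_encrypted": True},
    "lt-bob-02": {"owner": "bob", "managed": True, "disk_encrypted": True},
    "kiosk-99": {"owner": None, "managed": False, "disk_encrypted": False},
}

MAX_MFA_AGE_S = 8 * 3600  # assumed policy: re-authenticate at least every 8 hours


@dataclass(frozen=True)
class Request:
    user: str        # authenticated identity, "" when no identity was presented
    device_id: str
    source_ip: str
    resource: str
    mfa_age_s: int   # seconds since this user last completed MFA


def perimeter_allows(req: Request) -> bool:
    """Legacy model: anything originating inside the corporate range is trusted."""
    ip = ip_address(req.source_ip)
    return any(ip in net for net in CORPORATE_NETS)


def device_posture_ok(req: Request) -> bool:
    """Device must be inventoried, managed, encrypted and bound to the requesting user."""
    dev = DEVICES.get(req.device_id)
    if dev is None:
        return False
    return dev["managed"] and dev["disk_encrypted"] and dev["owner"] == req.user


def zero_trust_allows(req: Request) -> tuple[bool, str]:
    """Per-request decision; the source IP is deliberately never consulted."""
    if not req.user:
        return False, "deny: no authenticated identity"
    if req.mfa_age_s > MAX_MFA_AGE_S:
        return False, "deny: stale session, re-authentication required"
    if not device_posture_ok(req):
        return False, "deny: device fails posture check or is not bound to user"
    if not GROUPS.get(req.user, set()) & ENTITLEMENTS.get(req.resource, set()):
        return False, f"deny: {req.user} is not entitled to {req.resource}"
    return True, "allow"


# Constructed scenarios; the last three model an intruder's lateral movement.
SCENARIOS = {
    "alice_from_office": Request("alice", "lt-alice-01", "10.1.2.3", "billing-db", 600),
    "alice_from_home": Request("alice", "lt-alice-01", "203.0.113.7", "billing-db", 600),
    "alice_stale_session": Request("alice", "lt-alice-01", "10.1.2.3", "billing-db", 36_000),
    "compromised_helpdesk_account": Request("bob", "lt-bob-02", "10.5.5.5", "billing-db", 60),
    "intruder_on_internal_kiosk": Request("", "kiosk-99", "10.20.30.40", "billing-db", 0),
}


def compare_models() -> dict[str, tuple[bool, bool]]:
    """Return {scenario: (perimeter_decision, zero_trust_decision)}."""
    return {
        name: (perimeter_allows(req), zero_trust_allows(req)[0])
        for name, req in SCENARIOS.items()
    }


if __name__ == "__main__":
    for name, (perim, zt) in compare_models().items():
        reason = zero_trust_allows(SCENARIOS[name])[1]
        print(f"{name:30} perimeter={perim!s:5} zero_trust={zt!s:5} ({reason})")
```

Running the block shows the perimeter model admitting the stale session, the compromised helpdesk account and the unauthenticated intruder on an internal kiosk, purely because they come from a 10.x address, while refusing the legitimate user working from home. The zero trust policy inverts every one of those outcomes. The telling case is the helpdesk account: a valid identity on a healthy, managed device still cannot reach the billing segment, because entitlement is evaluated per resource, which is what keeps one compromised account from becoming lateral movement into the CDR data the article describes.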

If telcos want to protect themselves from accusations that they are not data breach ready, the adoption of ZTNA is a useful tool in their toolbox.

Being honest with the public

When it comes to communications roll-outs, communications service providers are expected to be honest with the public over the abilities of the service being sold and who can actually access the service. Such things are usually covered by market rules and consumer law.

It’s a shame that some governments think key communications roll-outs, that are often paid for by taxpayers’ money, are just an opportunity to give the impression they are doing something positive in return for a good media headline.

The UK government’s £5 billion (€5.9 billion) Project Gigabit is a case in point. It was sold to the public (using their money) as a way of making sure that every home and business would be able to access “Gigabit-capable” high-speed internet by 2025.

While the majority of the UK’s cities and major towns offer some Gigabit broadband services, large swathes of rural communities can still barely get on the internet. A key promise of Project Gigabit was to fill these gaps, by deploying full-fibre in “hard-to-reach” areas.

It isn’t that telcos can’t reach these areas; it’s that doing so is expensive for them. Which is why a government subsidy through Project Gigabit was seen as essential. Let’s face it, does anyone really think that any place in the middle of nowhere has a phone line because every telco acts like a charity?

But guess what? The UK government now admits that only 85% of UK homes and businesses will have access to high-speed internet by 2025 through Project Gigabit. I wonder which ones won’t? If I lived in the countryside I’d say send your answer on a postcard – it would be more reliable than the internet.

The author is Antony Savvas, a global freelance business technology journalist.
