A testing time for telcos: analysing the cyber threat landscape

Published 03 December 2024
Location United Kingdom
Telecommunications companies and Communications Service Providers (CSPs) and the services they provide are an increasingly important part of Critical National Infrastructure (CNI). As such, they are high-value targets for state-sponsored and cyber-criminal threat activity.

As integral enablers of a digitalised society, the telco sector faces a unique blend of threats. For example, state-sponsored threats are extremely prevalent, with hostile nations deploying telco-specific malware and carrying out disruptive campaigns to support military operations – as has been seen recently in Ukraine.

Cyber-criminal ransomware threats are also commonplace, while changing regulations around network equipment and the evolving nature of the physical and cyber threat to both subsea and space communications are providing further challenges for today’s telcos and CSPs.


State-sponsored threats

In our tracking of state-sponsored threat activity, the telco sector has historically been the second-most targeted after government. In our most recent statistics, telco has dropped to third place (after academia), but the sector clearly remains a high priority for state-sponsored threat groups, given the advanced techniques and lengthy timescales these groups devote to attack execution.

[Image: geographical spread of suspected telco victims and targets in our tracking since January 2022]

The image above shows the geographical spread of suspected telco victims and targets in our tracking since January 2022, which follows similar patterns to previous research conducted in 2019 and 2021. One trend to note is that the concentration of targeted telcos in the APAC region is a strong and repeated pattern.

Attributing a single motivation to any group's targeting of a particular telco is often very difficult without incident-response-level forensic data showing what actions were taken on the compromised network, which systems and data were targeted, and what, if anything, was stolen. There are likely a range of motivations involved, including economic espionage (acquisition of intellectual property), espionage against organisations using certain ISPs, and espionage against individual targets (including journalists, security researchers or even political dissidents).

There is also significant concern at present around the possibility of a state-sponsored group ‘pre-positioning’ itself on strategic networks with a view to conducting disruptive activity at a later time – such as in the event of future war or conflict.

Furthermore, a growing number of state-sponsored groups are linked to the use of covert networks as part of their operational infrastructure, which are formed mainly from compromised SOHO (small office/home office) devices. These covert networks are used for a range of reconnaissance and scanning activities. While the bulk of this traffic is aimed at government targets, telcos will also receive inbound traffic from covert networks related to potential reconnaissance or exploitation, which could include attempted exploitation of vulnerabilities in network edge devices.


Criminal and hacktivist threats

In terms of criminal cyber activity, ransomware and extortion remain pressing concerns for organisations globally, regardless of sector. However, while telcos are the third-most targeted sector for state-sponsored actors, the sector ranks much lower in ransomware/extortion statistics. Telcos account for less than 2% of ransomware and extortion victims in our tracking, placing the sector outside the top 10 in this data.

This disparity likely reflects a range of factors:

  • Telcos are far less numerous than organisations from other sectors (e.g. manufacturing and retail) and ransomware activity is generally thought to be opportunistic
  • The difference between state-sponsored and ransomware victims in the telco sector emphasises the special interests of government-backed actors in compromising telcos
  • The potential risks for a criminal operator in conducting ransomware attacks against telcos may be putting them off, as a catastrophic loss of service availability could lead to significant attention and 'blowback' on the cyber-criminals responsible

Then there are hacktivist groups, which have mutated since the time of the “classic” Anonymous group. Alongside online hacktivist protest groups, the threat has also moved offline, with threats to physical infrastructure.

For example, some extremists – such as ‘Accelerationist’ groups – have planned to attack telecommunications infrastructure to disrupt government and societal functions. In addition, conspiratorial groups have targeted telco infrastructure because they believe it propagates novel viruses or plays a role in “health risks” or “government control” (5G masts in particular have been attacked).

Moving back online, a niche cyber risk comes from commercial cyber intrusion capability providers in the form of “Mercenary Spyware”. These groups are irresponsible companies offering spyware, often of nation-state-level capability, for profit. Telcos represent a high pay-off target for such organisations. For example, mobile telephony SS7 signalling protocols have been abused by non-state surveillance companies in order to collect information on journalists, dissidents or protestors.


National regulation issues

In addition to the changing threat landscape, telcos and CSPs must also manage the evolving regulatory landscape. For example, the UK’s Telecommunications Security Act 2021 is now in effect. This requires bodies to understand their own status (related to size, or significance/criticality in a supply chain). They must then accept security duties to deploy and enhance security controls, including in key suppliers, and take proactive risk measures in response to security compromises.

The Telecommunications Security Code of Practice has 258 lines of technical guidance which cover operational issues such as network management, monitoring and analysis, and supply chain. Providers of telecommunications services have to prove to OFCOM (the regulator) that they are achieving the intent of the regulation, rather than following precise rules.

Similar rules apply within the European Union under its Network and Information Security Directive 2 (NIS2). In addition to fines for non-compliance, NIS2 imposes direct obligations on “management bodies”, those charged with implementing and supervising compliance with the legislation. Penalties include fines and bans on individuals holding managerial functions.

However, regulatory regimes will continue to vary by nation, despite the efforts of regional and international bodies such as the Gulf Cooperation Council’s Telecommunications Legislation and Regulatory Committee and the United Nations’ International Telecommunication Union (ITU). Telcos must therefore take legal advice to understand their relevant security obligations (and perhaps even executive liability) depending on their geographical area of operations.


What is the outlook?

Telcos and CSPs are facing complex threats to both their systems and their employees, whether from external actors, malicious insiders or lapses in imposed regulatory duties. Against this, organisations can seek to manage the risk via deterrence/reduction, avoidance, transference or acceptance methods.

This is best done when informed by credible and timely information that allows informed decision-making. Such information can be gathered from organic assets (such as well-tuned Security Information and Event Management (SIEM) systems) or from external sources (such as Threat Intelligence tasked against an organisation’s unique information requirements).

The end goal of all these activities is to help decision-makers better understand the operational environment and be empowered to support their organisation’s mission. Achieving this advantage in decision-making is no mean feat, but imperative amidst today’s threat landscape.

Get in touch
Simon Viney

Cyber Security CNI Sector Lead

BAE Systems Digital Intelligence