Telcos: The Supply Chain Attack You're Not Ready For

Third-party risk from supply chain attacks is of increasing concern following high-profile incidents like those against IT services providers SolarWinds and Kaseya, which led to security breaches at thousands of organizations worldwide.

Telecom companies transmit and store large amounts of sensitive data, so it’s no surprise they are a prime target for cyberattacks from nation-state actors conducting geopolitical espionage and corporate espionage as well as criminal cyber gangs looking to make a quick profit.

Sure, Telcos spend tens of millions of dollars annually on cybersecurity, yet many still lack the visibility into their networks needed to effectively detect and respond to complex cyberattack campaigns. Despite the critical nature of the services Telecoms provide, they continue to fall victim to targeted attacks that put their clients at risk.

Compromise One, Compromise All

For attackers, supply chain attacks are an effective strategy: compromise one to compromise all. Given that Telecom companies control vast amounts of critical infrastructure, the impact of a cyberattack can be very far reaching, not just for the compromised Telcos, but also for their vast customer base, whose data is also at risk.

For example, this September (2022), Optus, the Australian mobile phone business unit of Singtel, revealed that attackers had accessed the personal information of nearly 10 million customers, which is more than one-third of Australia’s population. More than two million customers had personally identifiable information compromised in the attacks.

The stolen data included passport information, driver's license information, government-issued medical identity data and more. The attacks raised concerns about large-scale medical and financial identity theft and fraud, and this is just one of many serious Telco breaches. Such attacks can also have a significant impact on a victim organization’s brand, reputation, and viability in the market.

For more than a decade, Cybereason has been tracking the most notorious nation-state threat groups and disrupting some of the most significant attack operations targeting telecoms ever discovered.

Operation DeadRinger

In 2021, Cybereason researchers investigated three clusters of espionage activity targeting Telcos located in Southeast Asia. Dubbed Operation DeadRinger, the intent of the attacks was to maintain continuous access to Telecom networks in order to collect sensitive information from their customers. 

The attackers, assessed to be operating in the interest of China, compromised billing servers that contain Call Detail Record (CDR) data as well as key network components like the Domain Controllers, Web and Microsoft Exchange servers.

Cybereason researchers also discovered that the attackers were stealing data stored in Active Directory, compromising every single username and password in customer organizations along with personally identifiable information, billing data, email server data, the geolocation of users and more.

Needless to say, massive amounts of data were being stolen and the ultimate cost to organizations with respect to the loss of intellectual property, trade secrets, and competitive advantage in the marketplace is difficult if not impossible to ascertain.

Operation SoftCell

In 2019, Cybereason researchers detailed the infamous Operation SoftCell attacks targeting global Telcos. The operation was carried out by threat actors using tools and techniques commonly associated with Chinese government sponsored attacks.

The attacks impacted at least ten Telecommunications providers and affected hundreds of millions of customers in 30 countries across five continents. Cybereason discovered that the multi-stage attacks began at least seven years earlier, in 2012, and focused on obtaining sensitive data from high-value targets such as political figures and government officials, business leaders, perceived “enemies of China” and dissident activists.

It is estimated that intellectual property losses to espionage operations like SoftCell run into the billions of dollars annually, and that such operations have been a significant factor in China's rapid ascent as a major economic power.

More than Data at Risk

No organization wants their sensitive or proprietary data stolen, but since such attacks don’t have the immediate effect of disrupting operations like a denial of service or ransomware attack, they are often a lower priority. The reality, though, is that intellectual property theft can have a far-reaching impact that is vastly more costly than other cyberattacks.

Companies invest millions in R&D to produce innovative processes and products and gain an edge over competitors. That edge is erased when one of those global competitors steals the intellectual property. Suddenly, rather than holding an advantage, the victim has to compete in the market against its own innovation, offered by a competitor that can undercut it on cost because that competitor has no R&D expenses to recoup.

Supply chain attacks are an issue every organization needs to take seriously, and nowhere is the threat more pressing than for Telecommunications providers. In addition to the economic threat, a nation-state adversary with access to blueprints, formulas, diagrams, and other proprietary data can leverage that information for more nefarious objectives than corporate espionage alone.

About the Author

Anthony M. Freed

Anthony M. Freed is the Senior Director of Corporate Communications for Cybereason and was formerly a security journalist who authored feature articles, interviews and investigative reports which have been sourced and cited by dozens of major media outlets. Anthony also previously worked as a consultant to senior members of product development, secondary and capital markets from the largest financial institutions in the country, and he had a front row seat to the bursting of the credit bubble.
