Government agencies are increasingly attacking telecom operators’ infrastructure and applications to establish covert surveillance (case #1). These sophisticated actors typically use very advanced persistent threats (APT) that can operate undetected for long periods of time. Communication channels targeted for covert surveillance include everything from phone lines and online chat to mobile phone data. There have even been cases where one nation’s cyber-attack prevented another nation’s leaders from communicating on their mobile devices.
Given that telecom companies control critical infrastructure, the impact of an attack can be very high and far-reaching. In fact, even the false claim of an attack can force a telecom company to shut down critical services that consumers and businesses rely on (case #2).
Customer data is another popular high impact target. Telecom organisations typically store personal information -- such as names, addresses and financial data – about all of their customers. This sensitive data is a compelling target for cyber-criminals or insiders looking to blackmail customers, conduct identity theft, steal money or launch further attacks. Information can be lost in a variety of ways that may be as simple as a stolen laptop (case #3). Of course, laptops can be lost or stolen in any sector; however, the problem tends to be worse in telecom because employees in this sector often serve customers as part of a call centre or help desk function and may have large amounts of sensitive customer data stored on their laptops.
One critical threat unique to the telecommunications sector is the attack of leased infrastructure equipment, such as home routers from Internet Service Providers (ISPs). Once the equipment has been compromised, hackers can use it to steal data, launch other attacks anonymously, store exfiltrated data, or access expensive services such as international phone calls. To avoid upsetting customers, telecom companies generally refund any charges associated with such attacks, often resulting in significant lost revenue.
Organisation
A very large international mobile phone provider.
Scenario
Cyber spies gained access to mobile communication channels for surveillance purposes by incorporating malicious software on a spoofed social media page of privileged users within the company.
Attackers and motivation
The attackers were associated with a government agency that wanted to spy on large groups of mobile phone users.
Techniques used
The attack was an extremely sophisticated combination of several techniques. The attackers first spoofed the personal social media pages of privileged users within the company. The spoofed pages then installed malicious software on the users’ computers, taking advantage of their elevated system privileges to penetrate deeply into the company’s network. This ultimately allowed the attackers to access mobile communication data for surveillance purposes.
Business impact
The size and scope of the attack did significant damage to the organisation’s reputation and confidentiality of the infrastructure. It also fuelled customer concerns about privacy, which is a major issue for the entire telecom sector.
Organisation
A large internet service provider (ISP), hosting a nation’s critical infrastructure.
Scenario
A teenage hacker gained access to hundreds of the ISP’s servers and then published a list of user names and passwords he claimed to have stolen from them. This forced the company to temporarily suspend the email accounts of all affected users. It later turned out the data was obtained from a different company and not the ISP.
Attackers and motivation
The attacker was an individual teenager who was hacking for fun and ego gratification, bragging about his accomplishments in online forums.
Techniques used
A vulnerability in a website not related to the affected company was exploited to export data from the database containing customer information. The attacker then selected all users having email addresses from the ISP’s domain in order to make the public (and the ISP itself) believe the ISP had been compromised.
Business impact
The ISP did not have the proper processes in place to determine if it had been compromised or not and thus had to assume the published data had been stolen from its systems. In response, it was forced to suspend all affected email accounts, which angered a lot of customers and prompted many to switch to another email provider. Also, the fact that the ISP could not conclusively determine if the leaked data had actually originated from its systems gave the impression the company did not have a very good handle on security breaches.
Organisation
A very large cable service provider that offers television, internet and mobile telephone services.
Scenario
One of the organisation’s employees – in violation of company policy -- had stored a lot of sensitive customer information on his laptop. The laptop was an older model and the data was stored unencrypted. Personal information for 40,000 customers was lost, including client numbers, names, email-addresses, postal codes, genders and parts of bank account numbers.
Attackers and motivation
The attacker was a petty thief who was interested in the laptop, not the data. In fact, it’s likely he didn’t even know the data was there.
Techniques used
Although the technique of stealing a physical laptop was not sophisticated or specifically relevant for the Telecommunications sector, the type of data that resided on it was.
Business impact
It’s unclear whether the stolen data was used maliciously since the thief may not have even realised it was there. However, all affected customers had to be informed of the incident, leading to loss of trust. Also, extensive media coverage caused significant embarrassment and reputation damage for the company.