Espionage and data exfiltration: Anssi reveals the greatest cyber danger for the telecom sector
Are French telecom infrastructures riddled with holes? While describing the sector as “supercritical”, the National Information Systems Security Agency (Anssi) says in a report that it has been informed of more than 150 security events in the telecom world over the past three years, nearly fifty of which required its intervention.
Two-thirds of these events affected “strategic companies in the sector”, some of which required “a significant operational commitment from Anssi”.
The agency identifies three main families of threats. In its view, the most worrying relates to espionage operations with exfiltration of data. “Reputed attackers linked to Chinese and Iranian strategic interests are documented as very active in this area”, even though the incident history shows that “the sector is regularly targeted by more diverse strategic actors.”
A national operator attacked by a Chinese group
In the case of the “Soft Cell” operation, hackers linked to China are reported to have sought to exfiltrate Call Detail Records (CDR), which include call records with their sources, destinations and durations, as well as information on the devices used and their physical location, allowing the behaviors and relationships of the targeted people to be analyzed.
During this operation, the attackers are also reported to have searched for data contained in the Active Directory of the compromised operators, as well as billing information. In France, the Anssi dealt with the compromise in September 2020 of a national operator through an attack operating procedure (MOA) attributed to China, “for the probable purpose of espionage.”
Compromise of the core network
In recent years, the agency has observed a worrying increase in compromises affecting equipment, in particular routers in the operators’ core network. “These attacks, of a high level of sophistication, are often carried out over a long period of time and are difficult to detect. They compromise the integrity of the operators’ network and allow attackers to have direct access to the communications of strategic entities and individuals.” This impacts the confidentiality of the data exchanged.
Satellite equipment is also seeing its uses diverted by certain groups, this time linked to Russia, “in order to conduct espionage attacks against targets around the world”. In the case of the Turla MOA, the attackers spoof the IP addresses of terminal equipment and intercept the downlink traffic, often unencrypted, from the satellites to the terminals. The authors “exploit weaknesses in the protocols without compromising any satellite equipment.”
Destabilization operations by hacktivists
Another type of threat: attacks aimed at destabilization. These are mainly the work of hacktivists who combine blackmail with distributed denial of service (DDoS) attacks and the exposure of personal data, associated with political demands. “Larger-scale operations for sabotage purposes remain a major threat to the sector”, estimates the Anssi.
In this respect, “the attack that targeted the KA-SAT satellite communication network on the night of the Russian invasion of Ukraine in February 2022 showed the massive impact of a sabotage operation”. Attributed to Russia, it put several tens of thousands of modems out of service, including a large number in France.
This threat of sabotage comes on top of the physical destruction regularly observed in the sector, whether intentional cable cuts or the physical destruction of infrastructure. Such malicious acts can occur in the context of an armed conflict, as in Ukraine, or outside of one.
On the night of April 26 to 27, 2022, the French fiber optic network suffered acts of vandalism. Hacktivists, from the ultra-left according to the JDD, severed long-distance cables in a concerted manner in three different regions. In Grenoble, Besançon, Strasbourg and Ile-de-France, customers of Free and, to a lesser extent, SFR saw their connections severely disrupted.
Fake relay antennas
Finally, the Anssi mentions attacks for profit, “frequent in the telecommunications sector”. A significant share of them involves communications fraud: subscribers are redirected to premium-rate numbers without their knowledge, or fall victim to scams in which cybercriminals spoof national phone numbers. “Cases of spam or phishing by SMS have also been linked to fake mobile relay antennas, making it possible to send messages en masse to mobile phones located in a specific geographical area.”
Business customers are targeted by attacks on internal equipment such as PABX or PBX systems. “By exploiting known vulnerabilities, attackers can make calls, or even set up ephemeral low-cost international calling services sold on the internet, which use the networks of a victim company.”
A “supercritical” sector
Beyond the indirect reputational risks, operators are also targeted by opportunistic attacks drawn by the mass of personal data they hold. “The data then exfiltrated is resold by cybercriminals or is used as part of ransomware attacks as blackmail for the disclosure of data.”
Anssi does not relieve operators of their responsibility. It reproaches them for favoring “the availability of their services, sometimes to the detriment of data confidentiality and the integrity of information systems”.
The size of the operators’ networks, their heterogeneity following successive acquisitions and the large accumulated technical debt “complicate their security and make it even more crucial to take into account the threats targeting this sector.” The latter is qualified as “supercritical” because of the systemic consequences that an incident can generate on this type of infrastructure.