Written by Roland Daccache, Systems Engineer Manager MEA, CrowdStrike
Telecommunications providers play a unique and crucial role in modern societies. Businesses, governments, and individuals rely on the smooth functioning of communications. However, it is precisely this centrality and ubiquitous presence of telecommunications systems that also make them valuable targets for governments and criminals worldwide.
Targeting the telecommunications sector is becoming more and more popular
The latest Overwatch Report from CrowdStrike shows that attacks on the telecommunications industry have more than doubled in the last 12 months. Overall, 40 percent of all targeted attack attempts detected by OverWatch experts were directed at this industry. Especially for nation-state actors, this target industry is very attractive, because targeted attacks can be used to realise their own surveillance, intelligence, and counterintelligence missions. It comes as no surprise that the telecommunications industry tops the list of the top 5 industry targets among nation-state actors.
Most attacks on telecom companies come from groups close to China. However, actors with an Iranian background have also been spotted attacking the telecom sector. The operations against telecommunication providers illustrate that the protection of sensitive data and critical infrastructure is becoming increasingly important. One more reason to take a close look at the constantly changing threat landscape and its actors is to find effective methods against their tools, techniques, and procedures (TTPs).
Attacks on the telecommunications industry – The typical TTPs
To gain initial access to their victim networks, communications sector attackers use a variety of techniques. Among the most common is spear phishing, exploiting vulnerabilities, compromising the supply chain, and misusing legitimate credentials.
Once the first step is taken, the attackers use native tools such as Windows Management Instrumentation or even various command and script interpreters such as Powershell to carry out their mission. To avoid detection and be able to carry out the attack without interference, the perpetrators keep looking for new hosts that offer the possibility to collect credentials to continue moving laterally through the target environment unnoticed.
To grab the desired credentials in Microsoft environments, attackers often use Mimikatz, read LSASS memory (often via comsvcs.dll or using ProcDump), or modify the WDigest registry key to store passwords in plain text.
In Linux environments, attackers often look at the contents of sensitive files, such as .bash_history, passwd, shadow, and other configuration files and administrative scripts when trying to discover credentials. OverWatch has also observed attackers using newer techniques. For example, in one case, an attacker deployed SSH daemons via a backdoor that was capable of logging credentials.
Cyber attackers also often use web-based login pages. They are modified in such a way that the login information can also be stored for later retrieval. Thus, hackers are no longer under time pressure for their initial access. So-called web shells also make it possible to manage multiple victim networks via a single interface. This leads to the very real danger of multiple attacks being launched simultaneously by one hacker group.
This is because the effort required to carry out operations is thus considerably reduced for the attackers. In addition, web shells can be used because of their simplicity and cross-platform compatibility or in different web server environments. With all these tools, actors manage to know when, how, and where call details and SMS messages are forwarded and recorded in order to strike.
Collateral damage from hacker attacks
To disguise their true goals and intentions, attackers often carry out very large-scale data exfiltrations. In reality, however, they are often only interested in specific information from very few people. The damage caused is therefore often immense. It is therefore all the more important to identify and stop the attackers. However, this undertaking is often more difficult than expected, because criminals often have extensive knowledge of a target network and are therefore difficult to distinguish from legitimate administrators.
A comprehensive cyber defence that also detects and successfully defends against these activities is therefore indispensable, especially for critical infrastructures. To successfully counter the tactics and techniques of modern attackers, it is advisable to rely not only on the latest technologies but also on human know-how and active threat hunting. These specialists tirelessly search for novel and anomalous tactics, techniques and procedures (TTPs) of attackers that remain undetected by technical detection measures and stop them as soon as they are identified.