The Wire on Fire: The Spies Who Loved Telcos
Telecommunication providers are frequent targets of espionage and cybercriminal activity due to the sensitive data they hold. From close-knit groups with strategic interests, such as LightBasin and APT41, to loosely affiliated assemblies, such as Lapsus$, the security of Telcos is under constant threat.
In this talk, we review recent targeted attacks against telecommunication providers. We provide insights into a variety of threat activities whose understanding is relevant for better defending against them - from initial infection vectors and detection evasion techniques at the malware implementation and network levels, to the OPSEC awareness levels threat actors exhibit. We peek into the current Telco threat landscape to provide relevant takeaways for defenders and foster further discussions on the topic.
We provide below a draft structure of the talk, highlighting the main points covered as part of each of the following talk structure units:
1. An overview of known threat actors targeting telecommunication providers
- Introductory information about the intrusions and threat actors we focus on in this talk. These include: WIP26, Metador, LightBasin, and the Operation Soft Cell (Tainted Love) actors.
2. Initial infection vectors
We focus on two types of observed initial infection vectors:
- Social engineering via communication IM platforms, such as WhatsApp.
- Vulnerability exploitation in Internet-facing servers.
3. Post-intrusion activities
We focus on demonstrating how much threat actors invest in evading detection and analysis. We structure this talk unit into two separate sub-units. The first sub-unit focuses on activities observed at the system/endpoint level, whereas the second focuses on activities at the network level.
The amount of technical content and detail will be adjusted so that it highlights only certain aspects and allows presenting on it in a timely manner.
3.1. System activities
This includes discussions on:
- Observed attempts at terminating the processes of detection mechanisms
- Observed malware obfuscation and packing techniques
- Observed techniques at the malware implementation level for evading detection by monitoring agents, for example inhibiting logging by terminating EventLog threads, and reflective image loading.
- Observed anti-forensics techniques, such as timestomping and elimination of log evidence.
We emphasize that threat activities may not be concentrated into a single, limited time period, but can be spread over longer time periods in an attempt to evade detection.
3.2. Network activities: C2 communication
We emphasize the rising trend of espionage threat actors abusing public Cloud services for C2 communication purposes in an effort to make malicious traffic look legitimate.
We discuss how the CMD365 and CMDEmber backdoors interact with Cloud-hosted C2s, put in the context of related research by colleagues, such as the SIESTAGRAPH backdoor.
4. Threat Actors’ OPSEC awareness
We emphasize that threat actors exhibit different levels of OPSEC awareness, making them easier or harder to detect and/or attribute. We achieve this through:
- Contrasting the somewhat loose OPSEC practices observed with the WIP26 actor against those observed with Metador.
- Discussing a successful detection scenario based on the threat actor conducting a broad port scan.
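As an added illustration of the detection scenario above, not taken from the talk itself, the following script flags a source that touches an unusually large number of distinct destination/port pairs within a configurable time window; it aggregates over a long window deliberately, since the talk stresses that activity may be spread over longer periods to evade detection. The log format, addresses and thresholds are assumptions; the sample log is constructed inline.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def build_sample_log():
    """Constructed connection log (assumed format: 'ISO-time src dst dport').
    10.0.5.17 is a normal client; 10.0.9.42 slowly probes 5 hosts x 6 ports,
    one probe every 15 minutes, so any short window sees only one target."""
    lines = [
        "2023-02-01T09:00:01 10.0.5.17 10.0.1.10 443",
        "2023-02-01T09:05:12 10.0.5.17 10.0.1.10 443",
        "2023-02-01T09:07:40 10.0.5.17 10.0.1.11 53",
    ]
    t = datetime(2023, 2, 1, 9, 10)
    for host in range(1, 6):
        for port in (21, 22, 23, 80, 445, 3389):
            lines.append(f"{t.isoformat()} 10.0.9.42 10.0.1.{host} {port}")
            t += timedelta(minutes=15)
    return "\n".join(lines)

def parse_log(text):
    """Parse log lines into (timestamp, src, dst, dport) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, src, dst, port = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return events

def detect_scanners(events, window=timedelta(hours=24), min_targets=25):
    """Return {src: peak distinct (dst, port) count} for every source that
    reached at least min_targets distinct targets inside some window."""
    by_src = defaultdict(list)
    for ts, src, dst, port in sorted(events):
        by_src[src].append((ts, (dst, port)))
    flagged = {}
    for src, hits in by_src.items():
        counts = defaultdict(int)  # distinct targets currently in the window
        start = 0
        for ts, target in hits:
            counts[target] += 1
            while ts - hits[start][0] > window:  # evict hits older than window
                old = hits[start][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            if len(counts) >= min_targets:
                flagged[src] = max(flagged.get(src, 0), len(counts))
    return flagged

if __name__ == "__main__":
    print(detect_scanners(parse_log(build_sample_log())))
```

With the default 24-hour window the slow scanner is reported; narrowing the window to 10 minutes, as a naive rate-based rule would, misses it entirely.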
We provide takeaways and recommendations for defenders, with the additional goal of fostering further discussions on the topic. These include:
- A reminder about the importance of educating end-users about social engineering and phishing attacks: the focus should be not only on recognizing phishing emails, but also on recognizing suspicious IM communication.
- Developing capabilities for clustering threat activities and monitoring them over mid- and long-term periods.
- Developing capabilities for recognizing malicious traffic hidden amongst legitimate traffic to well-known network services of good reputation, such as known public Cloud instances.
- Developing practices for evaluating the health of deployed detection mechanisms.