Are Politically Motivated Cyberattacks A Threat To Democracy? by Imran Saleem

BSides Cheltenham · 50:15 · 51 views · Published 2023-06
Category: Policy
Style: Talk

Transcript [en]

Hello everyone. My name is Imran, and I'm going to give some insights on things that are happening in mobile infrastructure. Usually people talk about threats that are originated or focused on enterprise, but based on what we have been looking at in the telecom signaling, we see a lot of massive activities that are supported by nation-state groups. The purpose of the talk today is just to give you some insights: how we capture them, what were their objectives, and how we were able to detect all these activities.

So just quickly giving my introduction. Again, as usual, I'm just a person like you doing research, trying to bring out activities that are interesting, looking into new attacks and then reporting them to the relevant groups and making sure that the community gets the most benefit out of our research. The last talk I was engaged in was Black Hat Asia, and I gave the same theme. It was interesting; there were a lot of questions there, mostly on how we were able to detect all these nation-state activities. I'm also a member of the panel of experts at GSMA, and our research has been acknowledged on various platforms.

So just giving a brief agenda: what we are going to speak about today and the things we are going to cover in the talk. It's more on what the interconnects are and the threats around them; how we classify attacker groups in mobile networks (we know people around in enterprise; there is no difference in the attacker analogy here, so you will basically see a lot of things are pretty much similar); there are interesting insights on the US withdrawal from Afghanistan, and I wanted to precisely mention we were able to capture some bits of interesting information there; we were also able to capture intelligence around the Ukraine-Russia conflict, and I'm probably going to walk you through that in a while; and then the financial impact. I think operators basically care about financial losses, and again it's not necessarily that the objective of the attacks is only targeting a specific set of people; it can basically expand beyond that, and in certain cases it can incur losses towards operators. And again some general recommendations.

So quickly moving forward. There are different areas in mobile operators where you can actually start your activities, but the focus of the talk today is more or less on the interconnect side, which is marked here in red. Most of the threats that we actually see in mobile networks are either coming from the interconnects or coming from the radio interfaces, but the radio side is not covered in the talk today; it's mostly on the interconnect side.

So there are two aspects. The operators usually focus on fraud and security, and they actually go hand in hand; there is a very thin line between fraud and security for mobile operators. On the top left you would see the attributes that are more focused on fraud, which means smishing, spamming, spoofing, and certain activities like A2P grey routes, which is basically one way of incurring losses towards operators. If you go to the right bottom side, this is where your actual attacks happen, and the attackers are more focused on doing surveillance, doing interception, and tons of other activities. In the past our organization was engaged with some international organizations in order to locate the activities from Pegasus and Tech Lab, and all those activities started all the way from the signaling network, so we have a very good insight into how those activities started and what were their objectives.

So it's not like mobile network security does not have any security controls in place. There are a lot of security guidelines being governed by the GSMA authority; people like us, when we find vulnerabilities in our research, we make contributions to those security guidelines, so they are available for the operators. But again that's not an absolute measure to judge your security posture. So there are security controls, but these are also accessible to attackers, and next I'm going to explain how these documents are also available to the attacker groups.

So just a brief on the interconnect architecture, for the people probably coming from the enterprise background. The interconnect, which is basically one way to establish communication between operators, is where the attacks usually happen. So if this is a home network, which is basically in the UK, you might expect an attack coming from another country. All this signaling that happens when we are roaming or we are in the country can precisely be used to perform a lot of attributions on the subscriber. So what attackers or hackers can do is inject malicious messages into signaling and perform certain types of activities.

So just going back to what we are trying to achieve today. The basic talk was to give you intelligence on what we captured, but before going forward I just wanted to give you what we actually do. We are a company who provides security solutions to operators, and out of 10, nine operators have our solutions deployed, so we have a very good visibility across mobile networks, and that gives us the unique advantage of looking into malicious signaling. The only purpose is to identify malicious actors, so we are not harvesting information; we are looking for malicious activities, and the objective here is to categorize and understand the analogies of attackers.

So looking back into how these attacker groups originate their activities, we wanted to give you an insight on the expertise they have, and I can just give you a glimpse of that. They have all sorts of understanding of how signaling works; they have their own stack; they are quite connected, which means that they work in groups and in clusters; and they also have access to all these security guidelines that you have seen in the previous slides. They understand what their needs and objectives are, and they also understand that operators are not doing enough and are not looking for unknowns. So the understanding for them is: operators work by the book. If you have certain security policies in place, they don't go above and beyond, so that gives them a unique advantage, and they exploit it very well.

So what we have captured here is trying to categorize all these groups of actors that we have seen in the past. Starting from script kiddies: based on what we have seen, their stacks are broken, which means their messages are usually malformed, so it's quite easy to detect them. Grey route operators, again, are more focused on fraud, which means that they want to terminate SMSs towards the operator and incur revenue losses to them. Surveillance companies: this is one of the very important areas for operators; they don't want their subscribers to be tracked, and there are companies in place which basically perform surveillance on behalf of companies who request them to do it. Based on their attributes, what we have seen here is they have a very strong footprint, which means that they work in different parts of the world, so they are not really focused on originating messages from one region; that's why they work in clusters, and they have a very strong understanding on the signaling side. State actors work hand in hand with surveillance companies, so sometimes they establish a kind of communication along with them, and they can also engage criminal service organizations. But before going towards that actor group, state actors, the theme of the talk today is to establish how these groups are operating. So the state actors are more standard: they know their objectives, but they actually coordinate with criminal service organizations and surveillance companies. The criminal service organizations are focused, and their entire criteria is actually to perform account takeovers. Now this can be an account takeover for a bank account, it can be a social media account takeover, it can basically be any account that is crucial for the customer, because it happens based on needs and demands. And again, usually people do not understand there are audit companies as well. So when we are doing a validation on the global signaling, there are patterns which tend to be very similar to the attackers, and sometimes operators tend to consider them attackers as well, but they are audit companies who also perform them, so they are the good guys. And then the DoS agents: we have been seeing an increase in DoS agents, and they are basically able to bring down network elements. I'm not surprised; all these types of groups must be operating in the enterprise world as well.

So the operators usually think that their role is to just place firewalls and make sure that they're updated, and they consider whoever their partner is to be a trusted entity, but I think that's a false assumption, and that's why I have written here: your trust is not a cyber security strategy for the operator.

So this is just to give an insight on what has been captured previously, if you look into the historical outlook of activities in the past. These activities are focused on the enterprise, and we can clearly see there are certain groups who were engaged in the past targeting financial institutions, targeting countries for a reason. So nation state as a phenomenon did exist in the past; it happened, it is happening and it is going to continue. You can clearly see here Russian state activity in 2007, Russian state activity in 2008, again Russian state activity in 2017. So I think the same applies to the telecommunication network, because the infrastructure is quite massive; these services are quite dependent on the telecom infrastructure, so if you are able to bring down part of that, you're actually going to lose a lot of services, a lot of revenue, and the confidence of the subscriber is lost.

One of the examples that just came into my mind was during the initial time of the conflict between Ukraine and Russia: fake operators tended to come up at the borders. The reason for that was to make sure that the subscribers were able to latch on to those networks; although they were fake, their services were legit. So the understanding was to make sure they use that infrastructure and intercept a lot of communication that was happening on the borders, because border areas are usually very fragile for operators due to several reasons, because of the network coverage, it can be due to several reasons; that is a grey area for operators. So these operators tend to establish their footprint at the borders, and then they operate for some time, a few months, and then just dismantle their setup and move away from there.

So we just wanted to give you a kind of a brief on this: whatever activities happen in a specific region, the reflection of those activities is available on the mobile infrastructure, so if you have the right spot to find out the activities, you will be able to locate what has been happening. And this is what happened during the US withdrawal from Afghanistan, and this is a very interesting bit of information here, because what we have noticed during the time of analysis is that all these political events that were happening were directly related to, and being seen on, the mobile network infrastructure.

So just starting from some bit of historical outlook here. In February 2020, Trump struck a deal with the Taliban; they just wanted to get out of that specific region, and the deadline for that was May 2021, and this was basically endorsed by Biden. So when Biden took the administration, their team actually extended that to September the same year. So if we look into that specific time when all this was happening, there were certain activities that we were able to capture. Now these are attacks focused on Afghanistan, these are attacks focused on subscribers in Afghanistan, these are attacks focused on subscribers who are roaming in Afghanistan, and clearly we can see here, starting September 2020 up till February 2021, the time when the Trump administration signed a deal, there were no activities that were targeting Afghanistan; the reason probably was the area was not of interest. And immediately after that we clearly see the spikes, and in the next few slides I'm going to walk you through what type of activities that relates to. By the end of the year, this is when the exit was supposed to be, and we see late in the year the activity was fading away.

Now the threat actors who were behind all these activities, we knew about them already; we knew they had links with nation states and they were supported by some other sources, and they were clustered. So what were their objectives and targets? We knew they were targeting the country; we knew there is a specific need and objective. So the primary target was that specific country, and then the secondary targets were roamers, the subscribers who were in Afghanistan; they were also being targeted. Based on our intelligence, we see the potential victim organizations were news and media outlets, NGOs and government institutions, and the motives and objectives were IMSI gathering. Now I'm not sure if people around here know: the IMSI is an identifier that is unique, and every subscriber is allocated an IMSI when you have a SIM inserted in your phone. So the entire idea was to capture the IMSI. Now the IMSI is not known to the subscriber; you know your mobile number, but you don't know your IMSI unless and until you use a special code on your phone and are able to extract that. Once you have that IMSI in place, you're able to perform a lot of other attacks, like call interception, SMS interception, account takeovers. Supported by that was location tracking and surveillance, and at some instances we were able to see they were doing interception at the radio level, which means that if you have heard about IMSI catchers or the jamming devices, they are placed in a small vicinity of the victim, and using that area they were basically doing interception at the radio level. So which means that it was coordinated: there was somebody available on the ground helping those actors execute the entire operation, and the threat indicators were clubbed with the bypass techniques in order to make sure that they meet their objectives. So this is the level of intelligence that we were able to capture during a specific set of activities.

Again, all these activities that happen in a specific region are usually reflected all the way on the mobile networks, because mobile networks are one way to execute your operation, but it's not the only way. So the question here is: can a political shift in the region drive cyber attacks? Even if there is no political shift, a set of events in that region can also drive cyber attacks, and one very good example was this specific event when the US troops were exiting that specific region.

So is the Ukraine and Russia conflict different from what we have seen in the past few slides? This is a set of timelines; I know this is not very clear, but all these timelines are captured from Europol, so it's not something created by me, but this is the set of all the types of attacks that have been captured and logged on the Europol website, and the ones highlighted here are the ones which were more focused on telecom infrastructure. Starting from denial of service, bringing down an ISP, BGP prefix hijacking, some other types of attacks; they were all focused on telecom infrastructure, and they knew if they are able to bring that down they are actually going to cut the communication. So what is interesting in that? All these attacks that we have seen were focused on one country, and why is that? Because all these activities were not only originated by one group; it was coordinated and they were quite consistent, and I think one of the reasons, as we have seen, is that they have been sharing intelligence within their groups as well.

So that brings us to the next slide. This is an understanding of the Russian activities that we have seen in the past. If you go back to 2020 and 2021, we see very low activities from the group, but there was a sudden increase since the conflict started, so you can see there is a massive increase of 250 times compared to what was actually there in 2020 and 2021. Now all these activities that we saw were supported by bypass, and the key fact about all those activities that we saw and noticed: they were using fuzzing techniques, which means it was quite obvious for them; they wanted to see how the networks were responding and how vulnerable the networks were, because fuzzing is the best way to understand the network behavior. This is what they were trying to do, and they were actually successful to an extent. And again these are real examples that we captured, and we can clearly see here the large amount of activities that we have seen; they were targeting not only a specific region or a country, it was actually beyond that, which means Ukraine was not the only country; they were targeting other NATO countries as well. The attack intensity was quite high, and the coverage was also extreme for them. The state actors are still active, and they were also targeting inbound roamers. Inbound roamers are a set of people who are roaming in a different country, and for mobile operators, if their subscribers are roaming in a different country, they are unable to secure them, so that makes them more vulnerable. So they knew they are roaming, they were trying to use that opportunity and then actually execute the attack. So their activities for zero-day, we were able to capture them, and the objectives were identity impersonation, identity spoofing, and they were using fuzzing, and in the entire activity that we captured at that specific instance they were targeting around 60-plus countries. So these are the set of attacks involved that we were able to capture, starting from network discovery; they were mapping and scanning networks; again IMSI extraction and profile extraction. So if you are able to extract a subscriber profile from an operator through using malicious execution or the code, you actually have the entire data set require
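The attacker traits described in the talk (broken stacks that emit malformed messages, fuzzing from one origin, clustered origins across several countries hitting the same subscriber, and activity spikes against one country that line up with events there) can be turned into simple triage rules for an interconnect signaling feed. The following is an added example written for this page; it is not the speaker's or his company's tooling. It assumes a constructed CSV log of MAP operations seen at an interconnect firewall, with placeholder global titles, country labels and subscriber numbers, and thresholds (malformed share above 0.5, five distinct malformed encodings, three originating countries) chosen for illustration only.

```python
"""Heuristic triage of interconnect signaling events (added example, not the
speaker's tooling). Scores a constructed log of MAP operations against the
attacker traits from the talk: broken stacks, fuzzing, clustered origins,
and month-over-month spikes against one target country.
"""
from __future__ import annotations

from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass
class SigEvent:
    ts: datetime
    origin_gt: str    # global title of the sending node (placeholder value)
    origin_cc: str    # country of the originating network (placeholder label)
    opcode: str       # MAP operation name
    target: str       # MSISDN the message asks about (placeholder value)
    malformed: bool   # True if the firewall failed to decode the PDU
    variant: str      # label for the encoding shape of the PDU


# Constructed sample log: timestamp, origin GT, origin country, MAP operation,
# target MSISDN, malformed flag (1/0), encoding variant. All values are placeholders.
SAMPLE_LOG = """\
2021-01-12T09:00:00,111100001,XA,SendRoutingInfoForSM,+93700000009,0,shape-ok
2021-03-02T10:00:00,111100001,XA,SendRoutingInfoForSM,+93700000009,1,shape-01
2021-03-02T10:00:05,111100001,XA,SendRoutingInfoForSM,+93700000009,1,shape-02
2021-03-02T10:00:09,111100001,XA,ProvideSubscriberInfo,+93700000009,1,shape-03
2021-03-02T10:00:14,111100001,XA,ProvideSubscriberInfo,+93700000009,1,shape-04
2021-03-02T10:00:20,111100001,XA,AnyTimeInterrogation,+93700000009,1,shape-05
2021-03-02T10:00:25,111100001,XA,AnyTimeInterrogation,+93700000009,1,shape-06
2021-03-03T11:00:00,222200002,XB,SendRoutingInfoForSM,+93700000009,0,shape-ok
2021-03-03T11:02:00,333300003,XC,ProvideSubscriberInfo,+93700000009,0,shape-ok
2021-03-03T11:04:00,444400004,XD,AnyTimeInterrogation,+93700000009,0,shape-ok
2021-03-03T11:05:00,444400004,XD,SendRoutingInfoForSM,+93700000010,0,shape-ok
2021-03-04T08:00:00,555500005,XE,UpdateLocation,+44700000001,0,shape-ok
2021-03-04T08:10:00,555500005,XE,UpdateLocation,+44700000002,0,shape-ok
"""


def parse_log(text: str) -> list[SigEvent]:
    """Parse the CSV log into SigEvent records."""
    events = []
    for line in text.strip().splitlines():
        ts, gt, cc, op, target, bad, variant = line.split(",")
        events.append(SigEvent(datetime.fromisoformat(ts), gt, cc, op,
                               target, bad == "1", variant))
    return events


def malformed_ratio(events: list[SigEvent]) -> dict[str, float]:
    """Share of malformed PDUs per origin; a high share suggests a broken stack."""
    total, bad = Counter(), Counter()
    for e in events:
        total[e.origin_gt] += 1
        if e.malformed:
            bad[e.origin_gt] += 1
    return {gt: bad[gt] / total[gt] for gt in total}


def fuzzing_origins(events: list[SigEvent], min_variants: int = 5) -> list[str]:
    """Origins sending many distinct malformed encodings, i.e. probing responses."""
    variants = defaultdict(set)
    for e in events:
        if e.malformed:
            variants[e.origin_gt].add(e.variant)
    return sorted(gt for gt, v in variants.items() if len(v) >= min_variants)


def coordinated_targets(events: list[SigEvent], min_countries: int = 3) -> dict[str, list[str]]:
    """Subscribers queried from several originating countries (the clustered pattern)."""
    countries = defaultdict(set)
    for e in events:
        countries[e.target].add(e.origin_cc)
    return {t: sorted(c) for t, c in countries.items() if len(c) >= min_countries}


def monthly_counts(events: list[SigEvent], target_prefix: str) -> dict[str, int]:
    """Events per month against numbers starting with target_prefix, oldest first."""
    counts = Counter()
    for e in events:
        if e.target.startswith(target_prefix):
            counts[e.ts.strftime("%Y-%m")] += 1
    return dict(sorted(counts.items()))


def spike_factor(counts: dict[str, int]) -> float:
    """Busiest month relative to the first (baseline) month; 0.0 if no data."""
    if not counts:
        return 0.0
    values = list(counts.values())
    return max(values) / values[0]


def triage(text: str) -> dict:
    """Run all four heuristics over a log and return the findings."""
    events = parse_log(text)
    ratios = malformed_ratio(events)
    return {
        "broken_stack": sorted(gt for gt, r in ratios.items() if r > 0.5),
        "fuzzing": fuzzing_origins(events),
        "coordinated": coordinated_targets(events),
        "monthly_af": monthly_counts(events, "+93"),   # +93 is the Afghan country code
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for key, value in report.items():
        print(f"{key}: {value}")
    print("spike factor:", spike_factor(report["monthly_af"]))
```

The four rules are deliberately independent so each finding can be tuned and alerted on separately: a single origin tripping both the broken-stack and fuzzing rules is the probing behaviour the talk attributes to state-backed groups, while a target hit from several countries with well-formed messages is the clustered pattern that a per-origin rate limit would miss.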