
Secplicity - Security Simplified

Powered by WatchGuard Technologies

China Linked Hacking Group Compromises 13 Telcos

October 26, 2021 By Trevor Collins

Many cellular network protocols lack clear documentation, especially the proprietary protocols used by 4G and 5G networks. This makes them difficult for the average person to understand, but also potentially vulnerable to anyone willing to take the time to research them and find issues. We haven’t yet seen attacks on these new protocols that outright break them, but I find that adversaries often find other methods that give them the unauthorized access they want. For instance, instead of attacking the connection between the cellphone and the cell tower, I’ve found reports of hackers compromising General Packet Radio Service (GPRS) infrastructure.

Attacks targeting internal Telco back-end services have increased in recent years, with examples like the Syniverse SMS attack and the T-Mobile breach. The T-Mobile breach occurred because of a compromised GPRS development server. Most recently, CrowdStrike identified LightBasin, a hacking group with links to China, compromising GPRS servers.

The Telco community seems not to apply the same security measures to its business-to-business connections and partnerships as it applies to its connections to the external Internet. The LightBasin group used DNS services and the GPRS tunneling protocol to move laterally between Telcos and compromised servers. Using this method, they compromised 13 Telcos, none of which were named.

Outside of Telcos, hardly anyone uses the GPRS tunneling protocol. However, we do use DNS services and other lesser-known protocols. With breaches happening all too regularly, we must inspect the communications over our business-to-business connections using security controls like a DNS proxy. You should have security controls that inspect all inter-business network communications, even those that use unusual protocols. That way, even if a business you connect to becomes compromised, you can still detect the issue and remain protected.

Filed Under: Editorial Articles
