Deciphering the evolving threat landscape: security in a 5G world
- Cyber attacks on the telecom sector are on the rise, fueled by geopolitical influences, making it more critical than ever to understand the evolving threat landscape.
- 5G technology and cloud transformation bring new use cases but also vulnerabilities, necessitating robust cybersecurity measures for telecom operators.
- We explore the current threat actor landscape, giving insights into their motivations, opportunities and capabilities.
Mobile networks are the backbone of our connected world, not only helping people stay in touch but also supporting crucial business operations, mission-critical applications and everyday services. Unfortunately, their pivotal role also makes them – and the communication service providers (CSPs) who operate them – attractive targets for threat actors, including state-sponsored groups, cybercriminals and even insiders with malicious intentions.
Security in a changing, interconnected landscape
The rollout of 5G is reshaping the telecom landscape: Digitalization is rapidly advancing in businesses and governments, deeply integrating connectivity into national infrastructure. 5G is becoming a fundamental part of enterprise IT/OT infrastructure and is also being integrated into private companies. Simultaneously, we're witnessing a surge in connected devices, an increasing convergence of IT and telecom ecosystems and a transition toward cloud-native technologies.
While these developments open up exciting new use cases, they also present more – and novel – opportunities for cyberattacks. As shown above, telecom systems can be vulnerable to various attack vectors. The necessity for proactively protecting our networks with robust cybersecurity measures has never been clearer. In this context, we have decided to launch this 5G security blog series – a journey that will not only explore today’s ever-changing threat landscape, but also delve into the challenges it poses for CSPs, the vital need for a holistic approach across the security stack, practical examples of the solutions and services available – and what you can do to protect your networks from the threats of today and tomorrow.
Get to know the playing field – and your opponent
To keep our networks safe and the essential services running smoothly, CSPs need to devise well-rounded strategies that encompass standardization, development, deployment and ongoing operations. But to successfully begin, they first need to know what they’re up against. To pose a real risk, a threat actor must possess three vital factors – motivation, opportunity and capability.
1. Motivation
To defend against threats, we must understand why they occur. Threat actors typically fall into one of four main categories: Advanced Persistent Threats (APTs), cybercriminals, hacktivists and insiders. When it comes to telecom networks, their driving motivations are usually personal, political, ideological or fiscal benefits, with goals often revolving around financial gain, surveillance and espionage or disruption and sabotage.
The four main threat actor categories and their motivations
Advanced Persistent Threats (APTs)
Goals:
- Surveillance
- Espionage
- Sabotage
- Often nation-statesponsored.
Motivated by political gain.
Cybercriminals
Goals:
- Information theft
- Fraud
- Blackmailing
- Cryptocurrency
Motivated by financial gain.
Individual / organized crime.
Hacktivists
Goals:
- Sabotage
- Disruption
- Attention
Motivated by ideology or attention gain.
Individuals or organized groups.
Insiders
Goals:
- Information theft
- Sabotage
- Espionage
- Brand damage
Malicious insiders work for own benefit or for third party.
Motivated by financial gain or frustration.
Financial gain
The adoption of 'big game hunting' tactics, where cybercriminals target high-profile organizations for financial gain, has led to a significant rise in ransomware attacks against CSPs. Primarily impacting their IT infrastructure, CSPs are attractive targets due to their storage of valuable personal and business data, which can be exploited for financial gain.
Surveillance and espionage
Surveillance and espionage are among the top motivations for targeting telecom networks. They are driven by the desire to gather sensitive information and intelligence from these critical communication channels, and their activities often involve sophisticated techniques and technologies employed by nation-states and threat actors with specific geopolitical interests. Espionage often revolves around obtaining call metadata, particularly Call Detail Records (CDRs), making customer billing and care systems the primary objectives. This data can then be exploited directly through data breaches or for other illicit activities like SIM swapping.
One example is DecisiveArchitect, a threat group targeting global entities, especially telecommunications companies, which aims to obtain specific user information, such as call records and phone number details.
Surveillance and espionage-motivated threat actors exploited vulnerabilities in Signaling System 7 (SS7) within 2G and 3G networks, utilizing weaknesses in the signaling system to gather intelligence and monitor communications. While 5G standardization has improved interconnect signaling security, there is still a likelihood that threat actors will search for vulnerabilities, including misconfigurations in 5G signaling.
Disruption and sabotage
Disruption and sabotage tend to be less common motivations when targeting telecom networks. However, in 2022 and 2023, there has been a noticeable increase in such attacks, particularly disruptive distributed denial-of-service (DDoS) attacks driven by global events, geopolitical tensions and the expansion of 5G technology. NETSCOUT has extensively documented these attacks, which target various countries and critical sectors like healthcare, energy and government services, resulting in collateral damage. However, it's important to note that, despite heightened geopolitical tensions, the anticipated surge in disruption attacks on telecom infrastructure has not occurred extensively.
2. Opportunity
To successfully achieve their motivations, threat actors also need specific opportunities. 5G networks have better security and privacy measures compared to previous generations. However, the merging of telecommunications networks with standard IT platforms blurs established lines, widening the attack surface and opening up new opportunities. 5G also involves more interconnected interfaces than in the past – and these can be vulnerable, highlighting the need for strong defense. Here we’ll explore key areas where weakness can occur – artificial intelligence (AI) and machine learning (ML), cloud native transformation, connected devices, software supply chain risks and application programming interfaces (APIs).
Artificial intelligence/machine learning
The incorporation of AI and ML into network operations has ushered in innovative capabilities but also exposed new vulnerabilities for threat actors.
The increased complexity of AI-driven networks poses a significant risk, as cybercriminals can exploit this to craft sophisticated attacks. AI can be manipulated to distort data, leading to erroneous decisions in network management and security. Adversarial attacks on AI models can disrupt network functionality, while the use of AI-generated deepfakes presents impersonation and misinformation threats. Supply chain vulnerabilities and resource-intensive security measures further compound the challenges.
In the context of machine learning, dependence on environmental data for learning can have adverse effects when unexamined data is involved, potentially leading to negative impacts on decision-making. Conversely, comprehensive data scrutiny can introduce privacy challenges. Many ML systems are adapted from other disciplines and may not adequately address the specific complexities of 5G networks. Deploying these systems in 5G environments can lead to serious security issues, including resource misuse, service disruptions, and data leakage.
Cloud native transformation
The shift to cloud-native architecture and the subsequent rise of edge computing introduces flexibility and new ways of doing things. But they also mean deployments are growing in complexity, requiring new skills from vendors and service providers and increasing the risk of mistakes and misconfigurations, resulting in more vulnerabilities. Vulnerabilities in virtualization, cloud services and network slicing can lead to unauthorized access to important resources. This shift also creates more avenues for intruders to potentially exploit to gain access.
Connected devices
With the widespread adoption of 5G, billions of devices are now connected to networks, and new devices are being created every day to serve emerging or tailored applications and purposes. However, not all of these devices have robust security measures in place. These masses of insecure devices could pose a threat to the network itself, disrupting other connected devices. Moreover, there's an opportunity that vulnerable devices can be exploited to target the control systems in different industry sectors.
Software supply chain risk
Generally, the more parties involved, the greater the risk of vulnerabilities. The technological shifts we mentioned earlier, like integrated IT platforms and cloud-native setups, rely more on third-party components. Most of the open-source code vulnerabilities are pulled in via indirect dependencies.
In 2022, publicly disclosed vulnerabilities shot up by 25 percent. Threat actors are getting faster at exploiting vulnerabilities, with scanning starting within 15 minutes of a vulnerability being announced. Despite these advances, most attacks still target older vulnerabilities, emphasizing the risks of outdated software.
Supply chain
- Software supply chain attacks increased 600%.
- Public repositories infected with malware (NPM, PyPI and Docker)
- Complex supply chain campaigns involving several 3rd party service providers (Okta, Twilio).
- Managed Service Providers are increasingly targeted.
Application Programming Interfaces (APIs)
APIs are also becoming more vital and prevalent – and all it takes is the bad design of a third-party program or API for an opportunity for exploitation to present itself, and sensitive data be exposed. This risk complexity increases as not only primary software suppliers but also service providers and managed service providers become involved.
3. Capabilities
We’ve mentioned how the IT ecosystem is becoming ever more entwined with the telecom ecosystem, which means we’ve stepped deeper into the realm that threat actors know best – and one where they have decades of experience. They excel in creating sophisticated and specialized malware and concealing their tracks. In previous years, hackers required specialized knowledge to target telecom networks, now they can use common weak points and easy-to-access resources and hacking tools.
They are also well-practiced at using various defense evasion techniques to hide their activities and operate unnoticed. They can blend in with normal internet traffic using everyday protocols like ICMP, DNS and HTTP, and use special telecom protocols to sneak past firewalls. Scattered Spider, for example, a highly active threat actor, has focused its efforts on targeting telecoms, demonstrating advanced social engineering skills and the ability to execute complex supply chain attacks.
Notably, the cloud-native transformation has also opened up new avenues for threat actors, leading to an uptick in cloud-focused threats. This shift has led to the targeting of virtualization technologies and a notable increase in Linux-based malware. Some threat actor groups are even selling malware and DDoS attacks as if they were menu choices, making it easier for less skilled attackers to cause trouble.
While 5G networks offer improved security, older network generations will persist for several years, creating interconnected risks that grow in complexity. Detecting and preventing attacks through these interconnected interfaces will necessitate a holistic approach and the development of well-rounded security strategies.
Common threat actor techniques simplified
Identity-based attacks: Identity-based attacks are a central technique in modern cyber campaigns. Failing to adequately protect against these attacks allows threat actors to gain access to victim environments and move laterally. A notable concern is the emergence of credential markets and access-as-a-service, where threat actors without valid credentials can buy machine identities and privileged accounts for unauthorized access. To effectively mitigate this risk, implementing robust multi-factor authentication and maintaining continuous monitoring of privileged accounts is of paramount importance.
Software and service supply chain attacks: Nation-state actors often engage in supply chain attacks, with the primary aim of infiltrating multiple organizations. Their approach involves stealthily exploiting shared software and support channels used by CSPs and their clients. To execute their malicious plans, threat actors may initially compromise the CSP's systems, acquire credentials, often through methods like social engineering, and then infiltrate client environments.
Vulnerability exploitation: Threat actors persistently use vulnerability exploitation in their campaigns. Swiftly addressing security vulnerabilities is essential, given that the time for exploits has significantly reduced. In 2021-2022, Mandiant observed an average time-to-exploit of 32 days, down from 44 days in 2020 and 63 days in 2018-2019.
Social engineering attacks include:
a) Phishing: This common threat technique uses deceptive emails or messages, often pretending to be from reputable sources, to trick people into revealing login information.
b) Vishing: Similar to phishing but involving phone calls, vishing attackers use persuasive communication to manipulate individuals into compromising security
Fighting back: securing telecom networks now and in the future
The threat landscape may sound intimidating, but just because threat actors are cunning, persistent and capable, that doesn’t mean there’s nothing that can be done. On the contrary, this constant battle between threat actors and security systems has been ongoing for decades – and shows no signs of ending. And fortunately, there are many ways you can protect yourself and your networks to proactively avoid vulnerabilities and ensure these threat actors don’t get the opportunities they need.
These include strict adherence to security best practices, especially the Zero Trust philosophy. However, it should be noted that Zero Trust isn't a novel, silver bullet solution; rather, it's a philosophy that rigorously applies the industry's proven best practices at the system level. The best practice approach should also include strict adherence to security principles, the strategic use of automation, a commitment to maintaining cloud hygiene, the thoughtful design of secure cloud architectures, investment in skills development, encouragement of industry standardization and active collaboration and information sharing with peers and authorities.
As our blog series progresses, we’ll be taking a closer look at some of these key areas and exploring the solutions, actions and preventative measures that can be taken to mitigate the risks and overcome the threats – so be sure to sign up and join us on this journey. Next time we delve deeper into the role of APIs and their implications in telecom network security – don’t miss out!
As we navigate the complexities of the digital age, one fact remains resolute: network security is an ongoing necessity, and it's a task that cannot be shouldered by a single person or organization alone. It calls for vigilance, innovation and collaboration with trusted experts to find, face and defeat the threats at hand. This collective commitment must unite all of us in the telecom industry and adjacent ecosystems to jointly secure our modern communication infrastructure.
Learn more
Read more about our 5G security blog series.
Learn more about securing 5G networks in our Ericsson Mobility Report article.
Find out more about telecom security for a connected world.
Listen as Mikko Karikytö, Ericsson Chief Product Security Officer, talks security and privacy in resilient 5G systems.
Like what you’re reading? Please sign up for email updates on your favorite topics.
Subscribe nowAt the Ericsson Blog, we provide insight to make complex ideas on technology, innovation and business simple.