Securing 5G networks
5G is, by design, more secure than previous generations, but it is being deployed and operated in an evolving and complex threat landscape. New, demanding use cases served by telecom networks can increase attackers' motivation, and the number of attack vectors is multiplying. Together, these factors make the need to protect networks more pressing than ever.
The evolving 5G threat landscape
With the introduction of 5G and billions of new devices, the threat landscape in which telecom networks operate is evolving significantly. Networks provide vital infrastructure for business-, mission- and society-critical applications, and as a result, threat actors are motivated to constantly evolve to seek out weaknesses.
Safeguarding 5G networks
As the value and volume of personal, business-sensitive and public service information increases with continued digitization, security and privacy laws and regulations have been expanding. This is a reaction to decreasing risk tolerance and a deteriorating cyber security environment.
Regulators know the importance of 5G and see safeguarding these networks as vital. The threat landscape for 5G is more complex than with previous generations due to the convergence with traditional IT, enabling IT threat actors to attack telecom networks in a similar way. In addition, networks often have new functionalities, such as network slicing for service separation and isolation, along with an increased use of AI/ML for automation. While AI is widely explored for its potential in addressing security concerns in networks, it is also important to consider the security and transparency of AI. Edge computing places cloud resources closer to the access, bringing new challenges whilst enabling mission-critical, low-latency applications.
Attacks on telecom networks are rising
Threat actors are increasingly skilled and pervasive, and attacks are becoming more frequent. Research from CrowdStrike, a US cyber security company, shows which industry verticals are most frequently impacted by targeted intrusions.[1] The data showed that, between July 2020 and June 2021, the telecom industry was the most targeted, attracting 40 percent of attacks compared to 10 percent for the next-highest industry vertical. Note that the data does not distinguish between intrusions into telecom companies' enterprise IT and intrusions into the telecom networks themselves.
Threat actors: The motives, opportunities and capabilities
The well-known motivation, opportunity and capability model is a useful way of examining threat actor behavior. A threat actor must have all these factors to pose a risk.
Let’s look at a real example: Last year, a threat activity cluster named LightBasin was publicly identified, having undertaken targeted intrusions against service providers since at least 2016. The group has gained attention because its presence has been detected by multiple service providers, although its origin is still unconfirmed.
What motivates threat actors?
The main motivations to target telecom networks are surveillance/espionage, financial gain and disruption/sabotage.
In recent years, the most common type of attack in the cybersecurity landscape has been the deployment of ransomware for financial gain. To achieve bigger payoffs, ransomware operators have shifted their targeting to high-profile organizations in industries such as manufacturing. Threat actors know this industry sector has a low tolerance for downtime and is therefore more inclined to pay. With increased use of 5G within different industry verticals’ networks, the motivation to attack 5G networks should be assessed from the perspective of the related industry sector.
Personal data is also always of high interest. One objective of espionage is to obtain call metadata, especially call detail records (CDRs). This means customer billing and customer care systems are primary targets. LightBasin was observed targeting business support systems to obtain CDRs.
Disruption is the least typical of these motivations for targeting telecom networks. These attacks often have their roots in ideology, driven by personal, group or nation-state agendas. During the first quarter of 2022, a number of these attacks occurred on European networks, including targeted attacks to prevent local gamers from participating in a tournament and network-wide disruptive cyberattacks, putting critical services at risk.
Due to a shift in the tactics used by cybercrime and nation-state threat actors, and the increasing use of common IT platforms in telecoms, the likelihood of attacks has increased.
The opportunities for threat actors
New features within 5G networks bring many advantages, enabling new use cases. However, the technical complexities can create new opportunities for threat actors.
The ongoing transformation to cloud native introduces new concepts, new deployment methods and more complex partnership structures. With this trend, deployments are becoming more complex. This requires new types of competence and skill sets, from both vendors and service providers. Consequently, the risk for misconfigurations, which expose weaknesses, is increased. Vulnerabilities in virtualization, cloud services, or network slicing can have a considerable impact, as they may enable access to unauthorized resources.
5G will connect billions of devices, and not all these devices have sufficient security protection. Devices used for Industrial IoT are often optimized for a specific task, with design driven by cost efficiency. Vulnerabilities in these devices can be used to target the 5G network, or the industry vertical. This requires protection of devices to be provided from the network side. In general, any exposed interface provides an initial entry point for a threat actor. LightBasin accessed target networks via incorrectly exposed interfaces on the GPRS roaming exchange (GRX), a closed inter-service provider network.
Threat actors are increasingly using valid credentials for accessing targets. In addition to the traditional social engineering techniques for obtaining human identities, threat actors are looking for weaknesses presented by the surge of machine identities that are needed in cloud-native deployments. Strong multi-factor authentication, with management and monitoring of privileged accounts, is essential to prevent and detect account misuse. It will also limit the impact of credential theft and the exploitation of vulnerabilities.
Figure 29: Threat actor motivations
What are the capabilities of threat actors?
Threat actors have shown the capability to build targeted and context-specific malware. Nation state threat actors routinely exhibit good operational security and use various defense evasion techniques to hide their activities, making it possible for them to move laterally in the target organization before being noticed. For instance, LightBasin carefully deleted traces in log files after their activities.
Threat actors try to blend their communication into normal traffic and use legitimate protocols, such as ICMP and HTTP. In addition to these, LightBasin used telecom-specific protocols to bypass firewalls and stay under the radar.
As the industry moves away from proprietary protocols and dedicated infrastructure, intrusion of telecom networks does not necessarily depend on extensive knowledge of these networks and their protocols. Threat actors targeting telecommunications networks will increasingly resort to routine vulnerability exploitation, supported by public availability of exploit code.
Even though 5G interconnects are more secure, older network generations will be used for several years, and attacks via interconnected interfaces will continue and will be more complex and difficult to detect as threat actors increasingly focus on defense evasion.
Trust in mobile networks is paramount
Trust in mobile networks, especially 5G, is the foundation for digitalization. To enhance trust, the GSMA Network Equipment Security Assurance Scheme (NESAS), jointly defined by 3GPP and GSMA, provides an industry-wide security assurance framework to facilitate improvements in security levels. NESAS defines security requirements and an assessment framework for secure product development and product lifecycle processes, and uses 3GPP-defined security test cases for the security evaluation of network equipment. NESAS is intended to be used alongside other mechanisms to ensure a network is secure and, in particular, to ensure an appropriate set of security policies covering the entire lifecycle of a network is in place.
3GPP standardization made major improvements in security and privacy compared to 4G. 5G has been designed with new functionality intended to make it more resilient than earlier generations against various existing frauds, subscriber privacy weaknesses and eavesdropping issues.
For instance, the industry is putting considerable effort into protecting the interconnect networks between service providers, encrypting and otherwise hiding subscriber identifiers, and preventing the modification of user data sent between user equipment and radio base stations. 5G also provides a standardized and well-defined way to deploy zero-trust functions such as authentication and authorization of API usage, and protected communication between and to the 5G network functions.
It’s time for the active defense of telecom networks
With networks being used in new contexts, connecting a greater variety of mission-critical processes, it is no longer enough to rely solely on standardized and regulatory-based security controls. Now the active defense of telecom networks is also required.
The entire industry is currently accelerating the journey from passive defense to active defense strategies. The embedded security inside network products is critical but still not enough. The telecom networks of today are built to evolve, and security must do the same.
Securing 5G networks
Telecom networks’ availability and performance are more valuable than ever, which makes them attractive targets for malicious actors. Powerful security monitoring and automation, identity management, effective incident response handling and solid business continuity planning are critical to securing networks. Building a secure 5G network requires a holistic approach, rather than a focus on individual technical parts in isolation, to protect end users. Network operations is one of four key layers enabling the holistic approach, alongside standards, product development processes and network deployments.
Figure 30: Protecting 5G end-users requires a holistic approach including the four key layers
[1] CrowdStrike, “Threat Hunting Report” (2021).