Leveraging mobile networks to threaten national security

In this interview with Help Net Security, Rowland Corr, Director of National Security Intelligence at AdaptiveMobile Security, explains how mobile networks can be leveraged as part of a cyber warfare strategy, why is this a growing national concern, and how to implement defences against such sophisticated attacks.

Could you explain the concept of hybrid warfare? How can it threaten national security?

The concept of hybrid warfare has been defined, applied, and critiqued in quite different ways since it acquired prominence in the late 2000s. While there is no single universally accepted definition of hybrid warfare or its corollary concept of hybrid threats, there is substantial consensus particularly in Europe that the qualifier ‘hybrid’ refers, broadly speaking, to a characteristic combination of actions across multiple domains (informational, political, economic, infrastructural, and cyber, among others), the purpose of which is the targeted attrition, subversion, or negation otherwise of the functioning of a state by another towards political ends.

Since even the purpose of conventional warfare is ultimately political (to paraphrase Clausewitz), hybrid threats and hybrid warfare can be understood to comprise a spectrum of violence with overtly destructive or directly coercive actions at one end, and more covertly executed measures, often more diffuse in effect, at the other. As this would imply, hybrid warfare and hybrid threats are strongly associated with the strategic exploitation by threat actors of systemic and structural vulnerabilities of states targeted as collective as well as individual actors.

Of course, wherever overt military warfare is involved, a threat to national security is self-evident being then a matter of national defence in the largest sense. Where there is no overt military component involved however, the strategic threat presented to a targeted country by hybrid threat activity is not nearly so apparent. Indeed, the relative inapparency of attack goes to the heart of what makes non-military hybrid action so dangerous. This is why hybrid warfare is often described as being waged ‘below’ the formal (or traditional) threshold of war where threats can be difficult to detect, ambiguous even where they are detected, and often deniable either way, but are always damaging to the interests of states so targeted.

The potential for effects to be aggregated across the spectrum of violence means that a national security threat may be presented even where overt military measures are not implicated – especially where such actions go not so much undetected as unrecognised and therefore un-responded to over time.

As mobile networks have reached practically every corner of the earth, they have also become a critical national infrastructure. How can they be leveraged to execute cyber attacks?

In essence, threat actors are able to leverage mobile network infrastructure for attacks by exploiting trust at a systemic level. Once threat actors have access to mobile telecoms environments, the threat landscape is such that several orders of magnitude of leverage are possible in the execution of cyberattacks. An ability to variously infiltrate, manipulate and emulate the operations of communications service providers and trusted brands – abusing the trust of countless people using their services every day – derives of threat actors’ capability to weaponize ‘trust’ built into the design itself of protocols, systems, and processes exchanging traffic between service providers globally.

The primary point of leverage derives of the sustained capacity of threat actors over time to acquire data of targeting value including personally identifiable information for public and private citizens alike. While such information can be gained through cyberattacks directed to that end on the data-rich network environments of mobile operators themselves, the incidence of data breaches of major data holders across industries today is such that it is increasingly possible to simply purchase massive amounts of such data from other threat actors (such as lone hackers for example who often seek simply to monetise their own intrusions).

Where such breaches expose billing information, for example, including names, addresses, phone numbers, and IMSIs, among other identifiers, threat actors are able to acquire as many complete sets of targeting information as there are customers impacted by such a breach, which can run into millions. Further potential to leverage such data is provided through access to wider network-related information enabling the weaponization of traffic such as certain numbering ranges and other characteristics associated with specific operators.

The second point or order of magnitude of leverage lies in threat actors’ ability to associate identifiers for individual devices with specific identities of persons of strategic targeting interest. Compromise can also be leveraged at a higher level still whereby surveillance executed on an ongoing basis, whether using spyware (discovered in 2019 to be deliverable as a payload via zero-click SMS-based exploit), or repeated signalling-enabled attacks, can be used to tailor wider attack strategies for targeting institutional networks and activities associated with any individual target in question.

Since it is the structural vulnerability to exposure of data and manipulation that renders mobile networks weaponizable infrastructure in the first place, trust can be said to constitute the fundamental leverageable mechanism of attack.

What types of cyber warfare attacks on mobile networks can a nation expect to face?

Although there is as yet no universally accepted definition of cyberwarfare, it is generally understood that it constitutes cyberattacks carried out against a country by another often as part of a campaign waged expressly to harm the state in question. Depending on a threat actors’ objectives, access, and overall threat capabilities, a range of attacks consistent with cyberwarfare can be executed on states by weaponizing globally-dispersed mobile network infrastructure as well as network environments within targeted states.

Where threat actors are able to sustain an ability to subvert the functioning of targeted mobile network infrastructure over time, they also sustain thereby a capability to escalate compromise to destructive effect through a signalling-based Denial Of Service (DoS) attack against a significant portion of a targeted network. SS7 or diameter-based signalling traffic can be weaponized to induce DoS by subverting node operations variously through: interrupting communications between functions, causing devices to simply detach from the network, or overwhelming key network elements for example.

Other attacks involve data exfiltration, which may be alternately focused on retrieving information about the targeted network itself (ascertaining for example the level of defences in place and concomitant likelihood of detection) and on extracting information about individual, representative, or collective targets. In the latter case, the generation of intelligence from targeting specific individuals potentially also implicates the acquisition of further targets for cyberattacks.

The use of SMS-enabled attacks is a prime example of a generations-old protocol that continues to provide ever greater utility in such a context for cyber threat actors today with the growth in integrated SMS A2P services, more optimised attack methods through better social engineering, as well as continuous innovations in weaponizing the SMS protocol itself. A research has shown how this attack utility will only increase as SMS continues to be supported over 5G, and as its manifold use cases continue to evolve.

SMS-related exploits feature in the cyber ‘kill-chains’ of myriad attack campaigns globally ranging from spam and smishing attacks by criminal actors directing unsuspecting subscribers to fake websites for example (for identity theft and stealing bank account information), to more complex attacks by state-level threat actors involving the exfiltration from networks of identifying information for targeting key individuals.

In the latter case, this can also involve more sophisticated attacks such as the Simjacker exploit – a zero-click SMS-based exploit enabling the delivery of spyware to invisibly execute commands on the SIM card of targeted devices without any sign of compromise observable to the user. At a more basic level, SMS is still used today by threat actors in what could be classed as psychological warfare where the meaning of the message is the ‘payload’. Psychological attacks are historically intertwined with electronic warfare (EW) which can itself be integral to hybrid warfare today. SMS represents but one of numerous protocols that can be exploited in such ways by threat actors for cyberwarfare as part, for example, of a hybrid warfare campaign.

What should nations particularly be worried about when it comes to mobile network-enabled attacks in hybrid warfare?

First and foremost, nations should recognise that the persistent exposure by inadequately-protected networks of citizens’ personally identifiable information to compromise presents the primary driver of vulnerability of societies, economies, and states alike to mobile network-enabled attack.

With respect to hybrid warfare, nations must recognise that even if an overt military component is not implicated, the potential threat presented by mobile-network enabled threat activity is not merely an expression of the sum total of data exfiltrated, for example, but greatly exceeds any such measure in nominal terms. This is because such attacks are almost certainly not conducted in isolation but executed in parallel with wider targeting activities directed not just against those same individual(s) but also their associated human, organizational, and technical networks of strategic interest to the threat actor.

Where nations face the threat of overt military attack, mobile telecom networks can potentially be used by an attacker to further amplify advantage in offensive military operations as a force multiplier by enhancing real-time targeting capabilities.

The type of telecommunications-based attack that offers readily realisable potential for use in this respect is a targeted DoS attack executable remotely via signalling protocols on targeted mobile networks. With certain conditions met, such an attack might be used as unconventional analogue and battlefield counterpart to the conventional EW technique of military communications jamming, among other capabilities.

Where the requisite access to the electromagnetic spectrum in the battlespace is afforded to the attacker and connectivity to civilian mobile networks is sustained by targeted forces, the latter’s military personnel might be expected to react to the execution either of:

• Denial of Service attacks on civilian mobile core network nodes, or
• the jamming of military comms by EW systems (in combination with other EW capabilities)

By reverting to the available alternate method of communications in a characteristic way in the moments immediately post-attack in either instance.

An SS7-based Denial of Service attack executed to disrupt targeted personnel’s access to the civilian mobile network in a specific region might be expected to prompt observable and capturable bursts of military transmissions in response to the attack as units seek to report the event in an effort to maintain and maximise situational awareness within the battle space.

In conjunction with the use of military radio frequency (RF) direction finding equipment by an attacker, this could enable identification of targeting selectors that may be associated with specific military units and potentially even correlated with individual members of same. In this way, mobile network-enabled attack can be integrated into military targeting to produce an enhanced ‘hybrid kill-chain’.

What can be done to thwart these types of attacks?

To respond to this threat, we do not need to be forward looking so much as we need to recognise our current trajectory. Threat actors would be far less able to execute such attacks if mobile networks were better protected in the first place against intrusions not to mention the repeated data breaches from their networks that continue to expose troves of personally identifiable information on an ongoing basis. This is all the more important since it is often the association of aggregated identifying information (linking a particular device with a person of interest and establishing their location) that proves critical to enabling state-level cyber targeting and indeed cyberwarfare.

Even in the case of the most sophisticated cyber weaponry and zero-click exploits used by state-level actors, attacks might be defended against upstream as it were – where the targeting information is being gained in the first place by securing the interconnectivity itself between operators and nations on a zero-trust basis.

To this end, mobile network signalling attacks must first be recognised as a state-level cyber threat to individual nations as well as to collective security, and an integral component of hybrid warfare. While all computer networks are valuable and important, mobile networks form part of the Critical National Infrastructure of a state, and an attack on them should be recognised accordingly.

At the same time, mobile operators alone should not be wholly responsible for organizing, evaluating, and ensuring that adequate defences are put in place. State-level attacks will involve all mobile operators in a country, not just one, but a lack of visibility or immediate sharing of detected attacks will greatly compromise the state’s ability to know and react to attacks. Also, these attackers have resources and skills which each mobile operator in the country may not have the ability to detect and counter.

As a result, there will need to be intelligence and operational security sharing and direction at a state-level. To start implementing defences, mobile networks in a country should implement the GSMA signalling security recommendations FS.11 for SS7, FS.19 for Diameter, and FS.20 for GTP-C. This is a starting point for mobile network signalling defences, however it is only a starting point and should not be relied upon as well-resourced attackers will find a way around any static defence, as shown in the Simjacker attacks. Also, in general, mobile operators in a country should analyse, either internally or externally, all detected unusual signalling behaviour.

This is crucial for determining and understand attackers’ attempts to bypass defences and can help to predict their future movements. Due to the volumes of unusual events (potentially several tens of thousands per day in a typical large network) that could be mistaken for malicious events, this will require advanced analysis by threat intelligence experts, combined with confirmed threat information from other sources. One way for mobile operators to do this effectively is via a managed network threat intelligence service.

Machine learning, while useful to find initial suspicious activity, is of little value in interpreting what is truly malicious or not in these complex networks. This will help to ensure that a nation’s approach to cybersecurity evolves even as the threats themselves do, rather than simply acknowledging that cyber threats are evolving while passively waiting for the next zero-day revelation.