How attackers weaponize communications networks

In this Help Net Security interview, Gregory Richardson, Vice President, Advisory CISO Worldwide, at BlackBerry, talks about the growing risks to communications networks. He explains why attackers focus on these networks and how their motivations range from corporate espionage to geopolitical influence. The discussion also covers practical ways to secure networks and maintain reliable communication.


Which types of communications networks are most attractive to attackers, and what are the primary motivations driving these attacks, such as geopolitical influence, corporate espionage, or financial gain?

The most attractive targets for advanced threat actors are not endpoint devices or individual servers, but the foundational communications networks that connect everything. This includes telecommunications providers, ISPs, and the routing infrastructure that forms the internet’s backbone. These networks are a “target-rich environment” because compromising a single point of entry can grant access to a vast amount of data from a multitude of downstream targets.

The primary motivation is overwhelmingly geopolitical. We’re seeing a trend of nation-state actors, such as those behind the Salt Typhoon campaign, moving beyond corporate espionage to a more strategic, long-term intelligence-gathering mission. Their goal is to build comprehensive profiles on individuals and organizations. By compromising telecom networks, they gain the ability to monitor and collect vast amounts of data, including subscriber records, call data, and even network diagrams, that can be used for a variety of nefarious purposes. This data isn’t just used for a single purpose; it’s a dynamic asset that can be used for years to come.

While the core motivation is often strategic espionage, this data can also be sold or used by other criminal groups for financial gain. For instance, the same metadata used to track a military official’s movements could be sold on the black market to a criminal enterprise that wants to carry out a targeted extortion scheme. The threat model has shifted from a one-off breach to a perpetual state of surveillance, where the data is constantly being collected and weaponized.

Can you share any insights into how threat actors are leveraging lawful intercept systems or internal network monitoring tools for espionage?

This is one of the most concerning and sophisticated aspects of these attacks, and it speaks to a fundamental shift in adversary tactics. Instead of bringing their own malicious tools into a network, threat actors are increasingly opting for a stealthier approach: living off the land. They don’t need to reinvent the wheel when a network’s own tools can be weaponized against it.

In the Salt Typhoon campaign, we’ve seen evidence of attackers co-opting and abusing a network’s native capabilities. This includes using built-in packet capture (PCAP) tools on network devices to collect sensitive authentication traffic. By passively monitoring this traffic, they can steal credentials from protocols like TACACS+ and RADIUS, which are used to manage a network. Once they have these administrator credentials, they have carte blanche to move laterally across the network and access other devices.
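The defensive counterpart to the technique described above is to watch the device's own command-accounting trail for the moment a native capture facility is switched on, and for administrative sessions arriving from somewhere other than the management network. The following Go program is an added example written for this page; it is not code from the interview, from BlackBerry, or from any vendor. It assumes a simple `key=value` accounting-line format, a constructed management subnet of 10.20.0.0/24, and an illustrative (not vendor-specific or exhaustive) list of capture-related command fragments; the sample lines are constructed, not real logs.

```go
package main

import (
	"fmt"
	"net"
	"regexp"
	"strings"
)

// Record is one parsed command-accounting entry from a network device. The
// key=value line format is an assumption for this example, not a vendor format.
type Record struct{ Time, Host, User, Src, Cmd string }

// Finding pairs a record with the reason it was flagged.
type Finding struct {
	Record Record
	Reason string
}

// kvRe matches key=value pairs; values may be bare tokens or double-quoted
// strings containing spaces (exactly one of the two capture groups is set).
var kvRe = regexp.MustCompile(`(\w+)=(?:"([^"]*)"|(\S+))`)

// ParseRecord parses a line such as
// 2025-09-01T02:14:07Z host=core-rtr-01 user=netops src=10.20.0.15 cmd="show version"
func ParseRecord(line string) (Record, error) {
	parts := strings.SplitN(line, " ", 2)
	if len(parts) != 2 {
		return Record{}, fmt.Errorf("malformed line: %q", line)
	}
	kv := map[string]string{}
	for _, m := range kvRe.FindAllStringSubmatch(parts[1], -1) {
		kv[m[1]] = m[2] + m[3]
	}
	r := Record{Time: parts[0], Host: kv["host"], User: kv["user"], Src: kv["src"], Cmd: kv["cmd"]}
	if r.Host == "" || r.User == "" || r.Cmd == "" {
		return Record{}, fmt.Errorf("incomplete record: %q", line)
	}
	return r, nil
}

// captureMarkers are command fragments that start or configure a packet capture
// on a network device; illustrative, not an exhaustive or vendor-specific list.
var captureMarkers = []string{"monitor capture", "tcpdump", "packet-capture", "debug ip packet"}

// Detector holds the policy: admin sessions are expected only from MgmtNet.
type Detector struct{ MgmtNet *net.IPNet }

// Check returns zero or more findings for one record.
func (d Detector) Check(r Record) []Finding {
	var out []Finding
	cmd := strings.ToLower(r.Cmd)
	for _, m := range captureMarkers {
		if strings.Contains(cmd, m) {
			out = append(out, Finding{r, "packet capture command on network device: " + r.Cmd})
			break
		}
	}
	if ip := net.ParseIP(r.Src); ip == nil || !d.MgmtNet.Contains(ip) {
		out = append(out, Finding{r, "admin session from outside the management network: " + r.Src})
	}
	return out
}

// Scan parses and checks every line; lines that fail to parse are reported
// rather than dropped, so truncated or tampered accounting does not pass silently.
func Scan(d Detector, lines []string) []Finding {
	var out []Finding
	for _, ln := range lines {
		r, err := ParseRecord(ln)
		if err != nil {
			out = append(out, Finding{Reason: "unparseable accounting line: " + err.Error()})
			continue
		}
		out = append(out, d.Check(r)...)
	}
	return out
}

// SampleLines are constructed for this example; they are not real logs.
var SampleLines = []string{
	`2025-09-01T02:14:07Z host=core-rtr-01 user=netops src=10.20.0.15 cmd="show version"`,
	`2025-09-01T02:15:33Z host=core-rtr-01 user=netops src=10.20.0.15 cmd="monitor capture AUTH interface Gi0/1 both"`,
	`2025-09-01T02:16:02Z host=core-rtr-01 user=netops src=203.0.113.9 cmd="show running-config"`,
}

// DefaultDetector uses 10.20.0.0/24 as the management network (a constructed value).
func DefaultDetector() Detector {
	_, mgmt, _ := net.ParseCIDR("10.20.0.0/24")
	return Detector{MgmtNet: mgmt}
}

func main() {
	for _, f := range Scan(DefaultDetector(), SampleLines) {
		fmt.Printf("%s %s@%s: %s\n", f.Record.Time, f.Record.User, f.Record.Host, f.Reason)
	}
}
```

On the constructed input the scan yields two findings: the capture command on the second line and the out-of-range source on the third. Because the attacker described in the interview is using an administrator's own credentials, the user name looks legitimate; the signal is the action and the origin, which is why command accounting has to be shipped off-box to a collector the device operator cannot edit.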

Perhaps most alarming is the exploitation of lawful intercept systems. These are legal wiretapping systems that governments use to monitor communications with proper authorization. Threat actors are compromising these systems to gain access to highly sensitive communications, including the content of calls and messages, on a massive scale. This goes far beyond simple metadata and demonstrates a bold, “go for the source” strategy. Organizations must treat every component of their network, including highly privileged systems, as a potential target.

Have there been any recent incidents or trends that stand out as warning signs for the industry?

Two recent trends are particularly telling and serve as major warning signs. The first is the sheer scale and persistence of these attacks. The Salt Typhoon campaign, for example, has been ongoing for at least six years, remaining hidden until recently. This isn’t about a single vulnerability; it’s about a long-term, burrowing effort that suggests attackers have a significant foothold in critical infrastructure. The recent FBI finding that the campaign affected at least 200 U.S. companies and over 80 countries underscores that this is a global issue, not just a regional one.

The second trend is the fusion of technical exploits with AI-powered social engineering. We saw this recently with a public security alert from a major tech company. Attackers used stolen metadata from a third-party breach to craft incredibly convincing phishing and vishing (voice phishing) attacks. They impersonated IT support staff and leveraged stolen information to manipulate employees into handing over their credentials. This new approach, where stolen data is used to create AI-generated deepfakes and cloned voices, is a game-changer.

We are already seeing the mainstream impact of this technology in AI-powered marketing. Marketing teams use similar AI capabilities, combining data analysis at scale with generative AI to create highly tailored content and personalized campaigns. The same technology used for advertising is now being used for cyberattacks. It means the threat has moved beyond the network perimeter and is now targeting human psychology, making it incredibly difficult to defend against with technical measures alone.

How do international policies and regulations impact the way we secure communications networks against espionage?

International policies and regulations have a significant impact on communications security, but they often lag behind the pace of technological change and evolving threats. The recent Australian government moves to ban deepfakes and restrict the use of certain applications on government devices are a good example. While these policies are well-intentioned, they are a reactive response to a problem that has already taken root.

A key challenge is the lack of a standardized global approach. Differing regulations around data retention, privacy, and incident reporting can create a patchwork of security requirements that threat actors can easily exploit. For a global espionage campaign, a weak link in one country’s regulatory framework can compromise an entire international communications chain.

The goal of international policy should be to establish a baseline of security that includes mandatory incident reporting, a unified approach to patching known vulnerabilities, and a focus on building a collective defense. When one nation’s communications infrastructure is compromised, it can directly impact the security of its allies, calling for a cohesive, proactive regulatory framework.

What key steps should CISOs and telecom security leaders take to build resilience against future threats?

Building resilience requires a fundamental shift in mindset from perimeter defense to assuming compromise. Security leaders should operate under the assumption that some part of their network may already be compromised. This leads to a multi-layered defense strategy focused on control and visibility.

1. Prioritize application-layer security: While network hardening is critical, security leaders must invest in end-to-end encrypted communications at the application layer. This is the last line of defense. Even if a network device is compromised, E2EE ensures that the data itself remains unreadable. This is a crucial step towards giving organizations and their employees more control over their data, and it’s particularly important for mobile devices that are often on untrusted networks.

2. Focus on credential hygiene: The attackers are specifically targeting credentials. Security leaders must move beyond simple passwords and implement a zero-trust model. This includes deploying MFA and adopting passwordless authentication technologies like passkeys, which are resistant to phishing and other social engineering attacks.

3. Harden the network core: Many of these attacks succeed by exploiting unpatched, publicly known vulnerabilities on network devices. CISOs need to establish a rigorous patching and vulnerability management process for all core routing and infrastructure equipment. They should also disable all unused ports and services, as these often serve as an entry point for attackers looking to hide their activities.

4. Invest in human firewall training: Technical solutions alone are not enough. Security leaders must train their employees to recognize and report sophisticated social engineering tactics. Employees are often the first line of defense, and training them to identify AI-generated deepfakes, phishing emails, and vishing calls is critical to stopping these attacks before they can gain a foothold.
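The first of these steps rests on a concrete property: a device in the path that has been compromised can forward, copy or alter traffic, but with application-layer end-to-end encryption it sees only ciphertext and any alteration is detected by the recipient. The Go program below is an added example written for this page, not code from the interview or from BlackBerry. It pairs X25519 key agreement with AES-256-GCM from the Go standard library; the one simplification, labelled in the code, is that it derives the session key by hashing the raw shared secret with SHA-256 instead of running a proper key-derivation function such as HKDF. The message text is a constructed sample.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Endpoint is one party in an end-to-end encrypted exchange; only the two
// endpoints ever hold the key material, never the network in between.
type Endpoint struct {
	Name string
	priv *ecdh.PrivateKey
}

// NewEndpoint generates a fresh X25519 key pair for a party.
func NewEndpoint(name string) (*Endpoint, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Endpoint{Name: name, priv: priv}, nil
}

// PublicKey is the only value an endpoint publishes.
func (e *Endpoint) PublicKey() *ecdh.PublicKey { return e.priv.PublicKey() }

// aead builds an AES-256-GCM instance keyed from the X25519 shared secret.
// Assumption for this example: SHA-256 of the raw shared secret stands in for
// a proper KDF such as HKDF; the rest of the construction is standard.
func (e *Endpoint) aead(peer *ecdh.PublicKey) (cipher.AEAD, error) {
	shared, err := e.priv.ECDH(peer)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(shared)
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts and authenticates plaintext for peer. The wire format is
// nonce || ciphertext || GCM tag, with a fresh random nonce per message.
func (e *Endpoint) Seal(peer *ecdh.PublicKey, plaintext []byte) ([]byte, error) {
	g, err := e.aead(peer)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, nil), nil
}

// Open verifies and decrypts a message from Seal; any modification in transit
// makes the tag check fail and no plaintext is returned.
func (e *Endpoint) Open(peer *ecdh.PublicKey, msg []byte) ([]byte, error) {
	g, err := e.aead(peer)
	if err != nil {
		return nil, err
	}
	n := g.NonceSize()
	if len(msg) < n {
		return nil, errors.New("message too short")
	}
	return g.Open(nil, msg[:n], msg[n:], nil)
}

// RelayObserves models a compromised device on the path: all it can do with
// the bytes passing through is check whether the plaintext is visible in them.
func RelayObserves(wire, plaintext []byte) bool {
	return bytes.Contains(wire, plaintext)
}

// Exchange sends one message from sender to receiver through the relay and
// returns the decrypted text, whether the relay saw the plaintext, and any error.
func Exchange(sender, receiver *Endpoint, plaintext []byte) ([]byte, bool, error) {
	wire, err := sender.Seal(receiver.PublicKey(), plaintext)
	if err != nil {
		return nil, false, err
	}
	seen := RelayObserves(wire, plaintext)
	got, err := receiver.Open(sender.PublicKey(), wire)
	return got, seen, err
}

func main() {
	alice, _ := NewEndpoint("alice")
	bob, _ := NewEndpoint("bob")
	msg := []byte("subscriber export for Q3 is ready for review") // constructed sample
	got, seen, err := Exchange(alice, bob, msg)
	fmt.Printf("decrypted=%q relaySawPlaintext=%v err=%v\n", got, seen, err)
}
```

The example does not cover how each side learns the other's genuine public key; in a real deployment that binding (a directory signed by the organization, key pinning, or out-of-band verification) is what stops a compromised network element from substituting its own key, and it is the part of an E2EE rollout that needs the most design attention.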

By taking these steps, security leaders can build a more resilient infrastructure that protects communications and data from a range of threats.
