"collaboration with multiple industry firms including the signalling firewall provider Cellusys, international signalling network provider Telenor Linx, telecom data intelligence provider Roaming Audit, and telecom network security firm P1 Security. We validated our research by co…"
T1071.001 Web Protocols (91%)
"and operational details about an operator's network, such as network codes, signalling address ranges and network assignments, interconnect details, and other information for managing international roaming services. Attackers with knowledge of IR.21 data can exploit it to iden…"
T1071.001 Web Protocols (85%)
"Origin-Host, Origin-Realm, and Route-Record attributes contained in the surveillance message headers. The identifiers in these fields record the hostnames and intermediate routing nodes involved in forwarding the messages. We then used IR.21 documents, BGP routing data, an…"
T1090.003 Multi-hop Proxy (84%)
"…33, each relay that forwards a request appends its own identity to the Route-Record. The Origin-Host identifies the sending node and would not appear as a relay unless it were forwarding a message through itself. Impact: this manipulation conceals the first hop in the netw…"
T1090.003 Multi-hop Proxy (78%)
"for location queries. What is seen: because STA1's attempts to obtain the IMSI of the target phone were blocked, they manipulated Diameter and SS7 message parameters as workarounds. Why it is abnormal: SS7 PSI and Diameter IDR queries are keyed based on a phone IMSI. Using onl…"
T1071.001 Web Protocols (74%)
"network and penetrate the signalling firewall. Attribution assessment. Attributing telecommunications surveillance is inherently challenging. The use of legitimate operator identifiers and signalling access through leasing arrangements or third parties provides operational conceal…"
T1090.003 Multi-hop Proxy (74%)
"while granting access to threat actors that hide behind their infrastructure. 019Mobile (Israel). 019Mobile is a privately owned Israeli-based mobile operator under the brand “Telzar 019.” The GSMA website shows they began providing mobile services in 2013, and are the “sol…"
T1090.003 Multi-hop Proxy (73%)
"identifies the network belonging to the message. Together, they form the Diameter signalling identity and are crucial for the receiving operator to identify the message owner and must belong to the same network. Cross-operator pairing violates GSMA and 3GPP standards, indicatin…"
T1071.001 Web Protocols (72%)
"beacon. - Sophisticated and customized tooling: both actors used customized surveillance tooling to spoof operator identities, manipulate signalling protocols, and steer traffic through specific interconnect network paths to evade defenses and mask attribution. - Global network …"
T1111 Multi-Factor Authentication Interception (62%)
"…30091970 identifies the SMS sender phone number configured by the attacker as belonging to Airtel Rwanda. - TP-Protocol Identifier (TP-PID): 127 identifies the message for use by a SIM card application. - TP-Data Coding Scheme (TP-DCS): 22 identifies the message a…"
T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol (62%)
"…5651, assigned to FL1 Liechtenstein. - The SMS parameters are configured so that the user is not notified if the SMS transmission fails, preventing detection of the attack. - The destination address of the exfiltration SMS reveals the attacker-controlled network, as the attac…"
T1573.002 Asymmetric Cryptography (59%)
"services uses protocols consisting of a blend of SS7, known for older 3G networks, and Diameter for 4G and most 5G networks. While SS7 has long been considered a legacy protocol, it still maintains a critical role for international roaming, SMS, and emergency services. Together, …"
T1090.002 External Proxy (59%)
"while granting access to threat actors that hide behind their infrastructure. 019Mobile (Israel). 019Mobile is a privately owned Israeli-based mobile operator under the brand “Telzar 019.” The GSMA website shows they began providing mobile services in 2013, and are the “sol…"
T1071.001 Web Protocols (57%)
"using 2 different hostname formats to identify the type of commands used in the attack. - Spoofed networks: Diameter messages used network identifiers originating from Poland (Plus), Switzerland (Sunrise), Morocco (inwi), Lesotho (Econet), Namibia (MTC), and Mozambique…"
T1557 Adversary-in-the-Middle (57%)
"Bad Connection: Global Telecom Exploitation by Covert Surveillance Actors. Bad Connection: Uncovering Global Telecom Exploitation by Covert Surveillance Actors. Our investigation uncovers two sophisticated telecom surveillance campaigns and, for the first time, links real-world a…"
T1556.006 Multi-Factor Authentication (56%)
"…30091970 identifies the SMS sender phone number configured by the attacker as belonging to Airtel Rwanda. - TP-Protocol Identifier (TP-PID): 127 identifies the message for use by a SIM card application. - TP-Data Coding Scheme (TP-DCS): 22 identifies the message a…"
T1557 Adversary-in-the-Middle (54%)
"…7 reconnaissance and location tracking attempts, escalated to a SIM exploit, and ended with Diameter location tracking queries. The messages in our analysis, detailed in the following attack sequence, were captured from firewall telemetry, flagged, and blocked by the signalling…"
T1111 Multi-Factor Authentication Interception (53%)
"at this time we do not attribute this campaign to a specific actor, the evidence shows a deliberate and well-funded operation with deep integration into the mobile signalling ecosystem. STA2: The SIM as the Spy. Our second investigation, attributed to what we refer to as Survei…"
T1556.006 Multi-Factor Authentication (52%)
"called the S@T Browser. The S@T Browser is a SIM Toolkit (STK) application that interprets S@T bytecode and provides access to STK commands. STK applications are used by mobile operators for service provisioning, operator phone settings, and other value-added services. …"
T1090.002 External Proxy (51%)
"for location queries. What is seen: because STA1's attempts to obtain the IMSI of the target phone were blocked, they manipulated Diameter and SS7 message parameters as workarounds. Why it is abnormal: SS7 PSI and Diameter IDR queries are keyed based on a phone IMSI. Using onl…"
T1071.001 Web Protocols (50%)
"telecommunication partners in the world.” The Citizen Lab previously reported on Telenabler's global title leasing business model in the 2023 Finding You report. In that report, we identified this same GT as a frequently detected source address used in location tracking operat…"
T1557 Adversary-in-the-Middle (49%)
"HSS1 hostnames were used for AIR probing messages - HSS hostnames were used for IDR location query messages 3. Fixed entry path through the Jersey-Airtel network. All attacks used the same Route-Record host: dra1.je211.epc.mnc003.mcc234.3gppnetwork.org. The repeated use…"
T1090.002 External Proxy (48%)
"Tango Networks UK – messages entered through Tango-associated infrastructure and were routed through the BICS IPX network. - Direct access via 019Mobile Israel – surveillance traffic entered through 019Mobile-linked nodes before reaching IPX providers. - Spoofed operator iden…"
T1071.001 Web Protocols (46%)
"global signalling ecosystem can route surveillance traffic at scale. STA1: A Persistent Location Tracking Campaign. We identify the first threat actor in this investigation as STA1, a persistent and technically sophisticated telecom surveillance group engaged in long-running op…"
T1557.001 Name Resolution Poisoning and SMB Relay (44%)
"…7 reconnaissance and location tracking attempts, escalated to a SIM exploit, and ended with Diameter location tracking queries. The messages in our analysis, detailed in the following attack sequence, were captured from firewall telemetry, flagged, and blocked by the signalling…"
T1572 Protocol Tunneling (44%)
"was a clear tactic to find a trusted pathway through the firewall and into the target network, showing STA1's access to the global SS7 backbone via multiple operator GTs. Phase 3: Protocol switching to 4G/Diameter (10:46–10:50 GMT). After the SS7 attempts failed, STA1…"
T1090.002 External Proxy (43%)
"identifies the network belonging to the message. Together, they form the Diameter signalling identity and are crucial for the receiving operator to identify the message owner and must belong to the same network. Cross-operator pairing violates GSMA and 3GPP standards, indicatin…"
T1114 Email Collection (43%)
"…5651, assigned to FL1 Liechtenstein. - The SMS parameters are configured so that the user is not notified if the SMS transmission fails, preventing detection of the attack. - The destination address of the exfiltration SMS reveals the attacker-controlled network, as the attac…"
T1090.003 Multi-hop Proxy (41%)
"…5.3gppnetwork.org (019Mobile proxy 2). This pattern indicates that STA1 used 019Mobile as a proxy to deliver location queries while concealing the origin of the C2 infrastructure. IPX traffic screening failure: the Syniverse IPX network allowed a signalling message with an ai…"
T1090.002 External Proxy (38%)
"…5.3gppnetwork.org (019Mobile proxy 2). This pattern indicates that STA1 used 019Mobile as a proxy to deliver location queries while concealing the origin of the C2 infrastructure. IPX traffic screening failure: the Syniverse IPX network allowed a signalling message with an ai…"
T1090.003 Multi-hop Proxy (38%)
"Bad Connection: Global Telecom Exploitation by Covert Surveillance Actors. Bad Connection: Uncovering Global Telecom Exploitation by Covert Surveillance Actors. Our investigation uncovers two sophisticated telecom surveillance campaigns and, for the first time, links real-world a…"
T1111 Multi-Factor Authentication Interception (37%)
"have no way to know they were received, as they are used by network operators to configure device network settings. Two fields inside the SMS header make this possible: TP-PID = 127 – “This message is for the SIM card, not the user.” Attackers use this to instruct the device…"
T1557 Adversary-in-the-Middle (35%)
"…30091970 identifies the SMS sender phone number configured by the attacker as belonging to Airtel Rwanda. - TP-Protocol Identifier (TP-PID): 127 identifies the message for use by a SIM card application. - TP-Data Coding Scheme (TP-DCS): 22 identifies the message a…"
T1071.001 Web Protocols (35%)
"activity. 2. Surveillance campaign pattern identification. We analyzed traffic for repeated commands within short time intervals from individual operator signalling addresses, then identified coordinated activity across multiple operators matching that behaviour within the same ti…"
T1071.001 Web Protocols (33%)
"…ifiers. Session ID values from both actors deviated from 3GPP Diameter standards, using a format of Origin-Host;timestamp;local-id. However, each actor implemented the format differently: - Actor 1 generated long, randomized, numeric tokens (37–39 digits) resembling…"
T1071.001 Web Protocols (33%)
"services uses protocols consisting of a blend of SS7, known for older 3G networks, and Diameter for 4G and most 5G networks. While SS7 has long been considered a legacy protocol, it still maintains a critical role for international roaming, SMS, and emergency services. Together, …"
T1048 Exfiltration Over Alternative Protocol (31%)
"…5651, assigned to FL1 Liechtenstein. - The SMS parameters are configured so that the user is not notified if the SMS transmission fails, preventing detection of the attack. - The destination address of the exfiltration SMS reveals the attacker-controlled network, as the attac…"
T1048.002 Exfiltration Over Asymmetric Encrypted Non-C2 Protocol (31%)
"…5651, assigned to FL1 Liechtenstein. - The SMS parameters are configured so that the user is not notified if the SMS transmission fails, preventing detection of the attack. - The destination address of the exfiltration SMS reveals the attacker-controlled network, as the attac…"