Mark Warren, Product Specialist, Osirium
Telecommunications companies are increasingly being targeted by threat actors carrying out complex and sophisticated cyberattacks.
Recent events in Australia showcase the extent of the problem – between September and December 2022, three of the country’s leading telcos suffered a series of major breaches that made international headlines.
Optus was the first of these, having been subjected to a major data breach that saw as many as 10 million of its customers’ accounts exposed. Two weeks later, in October 2022, Telstra was hit by a small data breach, the company revealing that some information dating back to 2017 was exposed after one of its third-party suppliers was hacked.
Come December 2022, Telstra had suffered another incident in which an internal IT error caused a data leak that affected approximately 130,000 of its customers. And in the very same month, TPG Telecom Ltd became the latest Australian telco to fall victim, announcing that emails of up to 15,000 of its corporate customers had been accessed.
Of course, such incidents aren’t unique to Australia. In fact, recent reports suggest that six breaches occurring between 5 January and 1 February 2023 have resulted in the data of more than 74 million customers being leaked, with AT&T, T-Mobile, US Cellular and Verizon all targeted.
Unfortunately, the telecommunications sector globally has long been a high-value target for threat actors.
Research shows that the average communications organisation suffered as many as 1,380 attacks every week in 2022 – an increase of 27% compared with 2021. This makes telecommunications the fourth most targeted sector, behind education/research, government/military, and healthcare.
The pattern here is concerning: the sectors responsible for the operation of critical national infrastructure are coming under fire more than any other.
Indeed, telecoms providers are typically responsible for the control and operation of critical national infrastructure (CNI) that countries and their inhabitants are heavily reliant upon, such as energy, information technology and transportation systems. Should they be attacked successfully, the effects can be both severe and extensive.
The threat against networks has only become more severe since the Russian invasion of Ukraine.
A report from the UK’s National Cyber Security Centre (NCSC) states that Russia was behind an operation targeting commercial communications company Viasat in Ukraine on 24 February last year, an attack which began approximately one hour before Russia launched its land invasion.
Further, the idea that the telecommunications sector has been a key battleground during the war is affirmed by a report published by the United Nations’ International Telecommunication Union (ITU), which states that Russia caused at least $1.79 billion worth of damage to Ukraine’s telecoms infrastructure.
What are the key cyber threats facing the telecommunications sector?
While Russia’s invasion has to an extent relied upon physical attacks on telecommunications networks, telcos across the world are faced with combatting a variety of sophisticated and growing attacks of the digital variety.
There is a breadth of risks that sector players are having to manage and mitigate at present, including insider threats; the incident impacting Telstra in December, in which 130,000 customer records were accidentally leaked, is a prime example. Critically, these can either be unintentional, where users are unaware of the potential risks associated with their actions, or maliciously carried out by someone within an organisation.
Equally, supply chain attacks are becoming an increasing threat, as was proven by the Telstra breach in September 2022, where company data was exposed after an external supplier was hacked. Indeed, the telecom sector is highly connected, typically dealing with external web hosting providers, data management service providers and a variety of other external partners. This becomes an issue if any one of these vendors has a weak security posture – it takes just one weak link in the supply chain to cause severe damage.
That said, there are many other potential vulnerabilities which can be exploited.
Where uninterrupted service is paramount, as it is in the telecommunications sector, DDoS attacks are often used in an effort to disrupt and shut down provider operations, impacting millions of customers and leading to financial losses. DNS attacks are also common – research shows that in 2019, prior to the pandemic, 83% of telecom firms had experienced a DNS attack.
Critically, many of the world’s most malicious cybercriminal outfits have also made telecommunications their primary market of attack.
Threat group LAPSUS$ – renowned for carrying out data breaches and then demanding ransom payments – repeatedly attacked T-Mobile until as recently as March 2022, for example. Further, LightBasin – a hacker group that has been active since 2016 – has previously attacked 13 global telecom companies, looking in each instance to gain access to subscriber information and call metadata.
Effective privileged access management is a vital part of TSA compliance
In an effort to enhance the security and resilience of industry players and infrastructure, and to prevent telecommunications firms from falling victim to the frequent and varied attack methods used by threat actors, the UK government introduced the Telecommunications (Security) Act 2021 (TSA), which came into force on 1 October 2022.
The original proposal reads: “The increased reliance of our economy, society and critical national infrastructure (CNI) on telecoms infrastructure means we need to have confidence in its security. Without that confidence, the disruptive impact of successful cyber attacks by threat actors will continue to grow and the consequences of connectivity compromises or outages could be catastrophic.”
Enforced by the Office of Communications (Ofcom), TSA enables the government to implement key regulations and best practice recommendations. If UK telecommunications firms fail to comply with these regulations, they can face penalties amounting to as much as 10% of turnover, or £100,000 per day.
Having been developed with the guidance of the National Cyber Security Centre (NCSC), the regulations state that telcos must be capable of identifying any potential risks of security compromises and take measures to reduce these risks, while also consistently reviewing existing processes to prepare for any evolving threats.
Within the more detailed list of requirements, TSA highlights the management of privileged access to services and devices that are components of CNI as being of critical importance to compliance.
We’ve all encountered privileged access, typically in the form of powerful administrator accounts that are responsible for managing critical systems, services, applications and devices.
These accounts serve a key operational purpose, providing users with the rights and privileges they need to access the specific resources that are vital to completing their work-related tasks.
The security concern, however, stems from the fact that these administrator accounts are able to make significant changes to systems. Not only can they control the ability of staff, external partners and even customers to complete their work effectively, but they can also access and alter sensitive data such as valuable intellectual property or personally identifiable information (PII).
This makes administrator accounts an incredibly enticing target for threat actors. They are the keys to the IT kingdom of any organisation, and in the hands of a nefarious actor can be used to change permissions, create backdoor accounts, or tweak and delete business-critical data.
If a threat actor gained access to a telecommunications provider’s most sensitive management systems, they could deny access to legitimate users of such systems or limit services provided to end users, causing serious disruption to our lives, and worse.
Specifically, the NCSC has highlighted four potential negative consequences of attacks on telecommunications networks:
- Disruption of networks: impacting the operation of services or equipment within the UK’s telecoms networks.
- Network espionage: the malicious acquisition, modification or use of data within the UK’s telecoms networks.
- Network pre-positioning: attackers gaining administrative access or presence within the UK’s telecoms networks to enable future exploitations.
- National-scale supplier dependence: dependence on an external service for the effective operation of the UK’s telecoms services.
Three solutions to improve privileged access management for telcos:
Fortunately, this is by no means a lost cause.
Indeed, there are several solutions that telecommunications providers can leverage in order to mitigate the use and abuse of privileged accounts. Here, we outline three that organisations looking to address this key vulnerability should consider:
- Privileged Access Management (PAM)
First, Privileged Access Management (PAM) can play a key role as a defence mechanism for critical back-end systems and databases. It goes beyond Identity and Access Management (IAM), which focuses on proving the identity of the user, by adding policies that determine which systems each user can access, and with what privilege level. With PAM, the aim is to make sure that any individual accessing a system has the lowest level of privilege they need to still complete their job effectively. In this sense, it is a vital component of successful zero-trust models, providing an effective means of upholding the principle of least privilege.
- Privileged Process Automation (PPA)
Of course, manually creating users and managing privileges can be a time-consuming process in organisations with high headcounts, which is typically the case with telecommunications firms. If access control teams are left to manage these extensive workloads without technological support, mistakes can be made which may result in either too much access being provisioned to the wrong group, or not enough access being provisioned to ensure that employees can do their work effectively. To reduce this burden and cut down on errors, Privileged Process Automation (PPA) can be used – a secure and flexible framework for automating the management of access rights. PPA can be connected with central HR systems, for example, so that when a new starter is added, the necessary user accounts and appropriate access rights are provisioned automatically.
- Privileged Endpoint Management (PEM)
While reducing the number of administrator accounts is incredibly important in limiting a firm’s exposure to threats, certain user groups will still require privileged access to undertake critical work-related tasks. In organisations where administrator rights have been removed from all endpoints, IT teams can face an overwhelming number of requests to make configuration changes, such as installing software that a user requires to complete their work. Here, Privileged Endpoint Management (PEM) can be leveraged to allow organisations to remove administrator rights from users while still escalating privileges for specific processes where necessary. Policies enable IT to fine-tune exactly which applications to allow or deny privileged execution for specific Active Directory (AD) users and groups, ensuring only verified applications are used and a full audit trail of escalations is maintained.
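The allow/deny policy and audit trail described under PEM, as an added illustration that is not Osirium’s code or product: applications are identified by file hash rather than path, elevation is granted only when one of the requester’s AD groups matches a rule, explicit denies win, and every decision, granted or refused, is recorded. The group names, binaries and policy are constructed for the example.

```python
import hashlib
from dataclasses import dataclass

# Constructed stand-ins for binaries found on an endpoint (not real files).
APPROVED_INSTALLER = b"MZ\x90\x00 vendor-signed-installer-1.0"
TAMPERED_INSTALLER = APPROVED_INSTALLER + b" trailing-payload"

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

@dataclass(frozen=True)
class ElevationRule:
    app_sha256: str        # verified application identity (hash, not path)
    ad_groups: frozenset   # AD groups the rule applies to (constructed names)
    effect: str            # "allow" or "deny"

# Constructed policy: field engineers may run the approved installer elevated,
# but contractors are explicitly denied even if they also hold that group.
POLICY = (
    ElevationRule(sha256_hex(APPROVED_INSTALLER), frozenset({"Contractors"}), "deny"),
    ElevationRule(sha256_hex(APPROVED_INSTALLER), frozenset({"Field-Engineers"}), "allow"),
)

AUDIT_TRAIL: list = []   # one entry per escalation request, granted or not

def evaluate_elevation(user: str, groups: set, app_bytes: bytes) -> bool:
    """Decide whether `user` may run `app_bytes` with elevated rights.

    Explicit deny rules win over allow rules; anything unmatched is denied
    by default, so an unknown or tampered binary never elevates.
    """
    digest = sha256_hex(app_bytes)
    matched = [r for r in POLICY if r.app_sha256 == digest and groups & r.ad_groups]
    if any(r.effect == "deny" for r in matched):
        granted, reason = False, "explicit deny rule"
    elif any(r.effect == "allow" for r in matched):
        granted, reason = True, "allow rule for verified application"
    else:
        granted, reason = False, "no matching rule (default deny)"
    AUDIT_TRAIL.append({"user": user, "groups": sorted(groups),
                        "app_sha256": digest, "granted": granted, "reason": reason})
    return granted

def audit_denials() -> list:
    """Entries a security team would review: every refused escalation."""
    return [e for e in AUDIT_TRAIL if not e["granted"]]
```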
Reap the rewards of proactive compliance
By leveraging the right combination of expertise and technologies, enterprises can become empowered to mitigate against those threats stemming from privileged access accounts, without placing unmanageable burdens on access control teams.
Not only can organisations ensure all users are provided with just the right level of access and permissions needed to complete work-related tasks (PAM), but they can also reduce burdens on access control teams while eliminating errors by automating repetitive tasks, such as updating permissions for company leavers and new starters (PPA), and remove historically enabled local admin rights without exacerbating helpdesk requests (PEM).
With TSA, telecommunications firms need to ensure that those critical functions required to ensure that networks and services are operated effectively, with data properly secured, are in place before March 2024. By embracing such solutions, they will be taking a significant step in swiftly and effectively getting ahead of this compliance deadline.
Moving forward, it is also likely that TSA will continue to evolve as the UK government seeks to ensure that telcos adapt their security best practices in response to changing threats. Some experts feel that future iterations may see requirements for programmatic updates to network infrastructure, for example.
By working alongside external parties capable of provisioning vital security technologies, such as those focused on privileged access management, telcos will secure peace of mind that they will be well placed to navigate any future changes.