What the cell...? Telcos around the world were so severely pwned, they didn't notice the hackers setting up VPN points

Hackers infiltrated the networks of at least ten cellular telcos around the world, and remained hidden for years, as part of a long-running tightly targeted surveillance operation, The Register has learned. This espionage campaign is still ongoing, it is claimed. Cyber-spy hunters at US security firm Cybereason told El Reg on …

  1. Sanctimonious Prick
    Mushroom

    Pretending Yanks

    Why do the Yanks consistently blame someone else, and give them names, as if to give more credence to their claims? Fuck you, America. Lying sons of bitches! We, the people, do not forget your claims about Iraq having weapons of mass destruction. Lying. Thieving. Cunts!

    1. Anonymous Coward
      Anonymous Coward

      Re: Pretending Yanks

      Those Chinese trolls are getting terribly rude :-)

    2. Anonymous Coward
      Anonymous Coward

      Re: Pretending Yanks

      Speaking of Yanks, I heard, and you're not going to believe this, that someone had succeeded in setting up something called FaceFriend where people voluntarily gave all their personal details, location, links to others, messages etc.

      Of course they pretended that it was somehow secure and only good people would access it but it seemed a lot easier than going to the hassle of actually hacking something.

    3. Throatwarbler Mangrove Silver badge
      Holmes

      Re: Pretending Yanks

      Username checks out.

    4. Anonymous Coward
      Anonymous Coward

      Re: Pretending Yanks

      Actually, the US knew that there were weapons of mass destruction because they had sold them to Iraq and had copies of the receipts. What they didn't know is that Saddam had already used them or otherwise disposed of them before the war. The only thing the US found after invading was one nerve agent artillery shell in an armory that was probably missed when Saddam did the purge, which, while it qualifies as a WMD, certainly wasn't what was claimed.

      1. Chairman of the Bored

        Re: Pretending Yanks

        Agree there was no active CBW factory around; looks like the UN did take care of business after Gulf I. But there was a hell of a lot more than one sarin shell going walkabout. See:

        https://www.nytimes.com/interactive/2014/10/14/world/middleeast/us-casualties-of-iraq-chemical-weapons.html

        Frequently it seems IED makers would grab whatever they could scrounge from an ammo dump or on sale at the souk and make some bang out of it ... Sometimes not realizing that they were playing with a mustard shell instead of HE. Kind of an accidental CW attack.

        Hundreds of servicemen exposed. Good luck trying to get long-term treatment through the Veterans' Administration...

    5. Chairman of the Bored

      Re: Pretending Yanks

      So I guess you didn't read the Chilcot report, eh?

      What happened here I think is a case of looking for signal in the noise so hard, you can see anything you want to see. Washington and London were both hooked into the same bullshit feed ... from the same sources ... and asked each other for confirmation. And got it. Intelligence sharing is only a good idea if you've actually got something unique.

      Proud veteran of Operation Enduring Cluster Fuck...

    6. Anonymous Coward
      Anonymous Coward

      Re: Pretending Yanks

      Wasn't it our very own Blair who pushed the WMD narrative?

      Fair enough, the Americans were quick to accept such information without due diligence, but it was more our screw-up than theirs.

      Or at the very least, that's one offensive war we can't claim any moral high ground on.

  2. Anonymous Coward
    Anonymous Coward

    But why would they need to go through an IIS server to hack the telco networks, there is Huawei equipment..... Oh right sorry...

    1. Doctor Syntax Silver badge

      It's a subtle, long-term game to set up a pretended hack via Windows to cover up the fact that they were extracting data via compromised Huawei. At least I'd expect that's how the US administration will spin it.

      1. Anonymous Coward
        Anonymous Coward

        The IIS server was probably running on the machine that ran the element manager for the Huawei hardware :D

    2. JetSetJim

      Huawei might be the equipment vendor for the network, but the detail being sought is not likely on their kit but instead on central servers running billing and geopresence software, which is unlikely to be Huawei. The network infrastructure had the ability to trace an individual (or more) IMSI, but that will in itself leave traces (assuming it's done by accessing the legal intercept interface), whereas this set of attacks seems aimed more at the customer account data, which is held elsewhere.

    3. Anonymous Coward
      Anonymous Coward

      Offense in depth?

  3. Anonymous Coward
    Black Helicopters

    "outside North America"

    Oh really.

    Operating "like" the Chinese hackers.

    Nothing found in the USA......

    Any references to MAGA found yet??

    1. ibmalone

      Re: "outside North America"

      Who knows; maybe the USA wasn't looked at, maybe there's an entirely different team of hackers assigned to the USA, maybe North American equipment is too antiquated to run a VPN.

      1. phuzz Silver badge
        Devil

        Re: "outside North America"

        Don't US telcos just sell information about their customers? No need to hack anyone when you can just pretend to be a bounty hunter.

        1. Phil 54

          Re: "outside North America"

          Why even bother pretending?

          As far as I can tell, you don't even need a license to be a bounty hunter in most parts of the USA

      2. Marshalltown

        Re: "outside North America"

        Antiquated equipment is probably right. One of the hazards of being an "early adopter" is finding yourself on the trailing edge of the wave as time passes. Also "not looking" is a good bet. US telcos often take a very negative approach to being told their network has problems, like having the messenger jailed.

  4. Pascal Monett Silver badge

    "it is not something you can prepare against"

    Nonsense. Now that they know, they will be preparing against. How they will prepare I have no idea, but the first step is rather obvious : control all VPN connections and make sure they're all legit. Then, I'm guessing, go and forbid VPN connections on all computers that shouldn't have it, for example with a firewall or something.

    And using the David vs Goliath reference is rather poor form - David won, and David is supposed to be the telcos.

    1. Anonymous Coward
      Anonymous Coward

      Re: "it is not something you can prepare against"

      What's to say it'll actually look like a VPN? I'm just a sysadmin who in his spare time wrote something that works fairly reliably over the Great Wall of China so dedicated hackers would likely be able to create a protocol that could look like anything they want it to look like.

    2. Anonymous Coward
      Anonymous Coward

      Re: "it is not something you can prepare against"

      control all VPN connections and make sure they're all legit.

      There are multiple ways to set up covert channels for export and for command and control. I would indeed close the door on any unknown protocol, but you can also piggyback on a known port/service.

      By the way, I presume this could become a way harder problem to solve with IPv6 with its support for extensible headers.
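The two comments above describe the defender's side of this: inventory the sanctioned VPN endpoints, block unknown tunnel protocols at the egress, and accept that a covert channel can hide on an allowed port such as 443. The following Python is an added example, not code from the article or from anyone in this thread. It reads a constructed, netflow-style log and flags outbound flows that either use a well-known tunnel port or are long-lived bulk transfers to a peer that is not on a sanctioned list; the field layout, the sanctioned peers (documentation addresses) and the thresholds are all assumptions for the demo.

```python
"""Flag outbound flows that look like unsanctioned VPN tunnels.

Added example (not from the article or the comment thread). The flow
records, field layout, sanctioned-peer list and thresholds are all
constructed assumptions for the demo; adapt them to real flow exports.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Ports commonly used by tunnel protocols (OpenVPN, IKE/IPsec NAT-T,
# WireGuard, PPTP, L2TP). A covert channel can sit on any port, so the
# duration/volume heuristic below is applied independently of this set.
TUNNEL_PORTS = {
    ("udp", 1194), ("tcp", 1194),   # OpenVPN
    ("udp", 500), ("udp", 4500),    # IKE / IPsec NAT-T
    ("udp", 51820),                 # WireGuard
    ("tcp", 1723), ("udp", 1701),   # PPTP / L2TP
}

# Assumed: remote gateways the operator has approved (e.g. vendor support VPNs).
SANCTIONED_PEERS = {"203.0.113.10", "203.0.113.11"}

INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int
    duration_s: int
    bytes_out: int


def parse_flows(text: str) -> list:
    """Parse whitespace-separated lines: src dst proto dport duration_s bytes_out."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, proto, dport, dur, nbytes = line.split()
        flows.append(Flow(src, dst, proto.lower(), int(dport), int(dur), int(nbytes)))
    return flows


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def suspicious_tunnels(flows, long_s=3600, big_bytes=50_000_000):
    """Return (src, dst, proto, dport, reasons) for internal->external flows
    that use a tunnel port, or are long-lived bulk transfers, to a peer
    that is not on the sanctioned list."""
    findings = []
    for f in flows:
        if not is_internal(f.src) or is_internal(f.dst):
            continue                      # only egress traffic is of interest
        if f.dst in SANCTIONED_PEERS:
            continue                      # approved gateway, nothing to flag
        reasons = []
        if (f.proto, f.dport) in TUNNEL_PORTS:
            reasons.append("tunnel-port")
        if f.duration_s >= long_s and f.bytes_out >= big_bytes:
            reasons.append("long-lived-bulk-egress")   # catches tunnels on 443 etc.
        if reasons:
            findings.append((f.src, f.dst, f.proto, f.dport, tuple(reasons)))
    return findings


# Constructed sample flows (documentation addresses only).
SAMPLE_FLOWS = """
# src         dst            proto dport duration_s bytes_out
10.20.1.5     203.0.113.10   udp   1194  86400      900000000
10.20.1.7     198.51.100.44  udp   1194  3000       2000000
10.30.2.9     198.51.100.77  tcp   443   172800     4000000000
10.30.2.9     192.168.5.5    tcp   443   100        1000
10.20.1.8     198.51.100.9   tcp   443   30         15000
"""

if __name__ == "__main__":
    for hit in suspicious_tunnels(parse_flows(SAMPLE_FLOWS)):
        print(*hit)
```

Run against the sample, the first flow is ignored because the peer is sanctioned, the second is flagged on port alone, and the third is flagged despite using 443 because a two-day, multi-gigabyte session to an unknown peer is the shape a piggybacked channel takes. The port list only catches the easy cases; the duration and volume thresholds are what make the check useful against anything trying to look like ordinary web traffic.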

    3. Mark Manderson

      Re: "it is not something you can prepare against"

      ahh but David has to give a flying toss to be effective against them and ...they don't!

  5. Anonymous Coward
    Anonymous Coward

    Ah....white hats and black hats.....

    .....no such distinction! Typical misinformation put about by the modern STASI (...sorry, modern NSA, modern GCHQ, modern Russians, modern Chinese...all the same....all undermining civil society!) See "Network" for details!

    1. Alan Brown Silver badge

      Re: Ah....white hats and black hats.....

      "There are, always and only, the bad people, but some of them are on opposite sides"

  6. Anonymous Coward
    Anonymous Coward

    What answer you get depends on whom you ask

    "Cyber-spy hunters at US security firm Cybereason told El Reg on Monday the miscreants responsible for the intrusions were, judging from their malware and skills, either part of the infamous Beijing-backed hacking crew dubbed APT10 – or someone operating just like them, perhaps deliberately so".

    I can't help wondering what a Chinese or Russian security firm might have said, had anyone asked them.

    1. Anonymous Coward
      Anonymous Coward

      Re: What answer you get depends on whom you ask

      Of course it depends from what point of view you look at the internet from - do you believe Chinese state hackers attack Chinese targets, Russian state hackers Russian targets, and US state hackers US targets?

      1. Flywheel

        Re: What answer you get depends on whom you ask

        do you believe ...Russian state hackers Russian targets

        Hmmm.. you might have to ask the people of Ukraine about that.

      2. Anonymous Coward
        Black Helicopters

        Re: What answer you get depends on whom you ask

        Several wars have been started by one side targeting their own forces via spec ops, and then pinning the blame on the other side.

        My money is still on either the NSA or CIA though.

    2. Anonymous Coward
      Anonymous Coward

      Re: What answer you get depends on whom you ask

      "I can't help wondering what a Chinese or Russian security firm might have said, had anyone asked them."

      Or someone in a smaller, more neutral country who found such stuff on its network.

      And for the person who asked about countries spying on their own: Yes - all the damned time - but unlike the opposition they can rock up to the Telco with a secret interception order and tell them to "do this now and if you tell anyone, you're going to jail" (It's been 30+ years since this happened to me, but anon nonetheless)

      These days they just have permanent connections into the telco network core that they can switch around at will and without anyone at the telco knowing what's being snooped on, or when. The existence of "secret NSA rooms" at AT&T facilities across the USA is well known - the secret part is what happens inside.

      1. Anonymous Coward
        Anonymous Coward

        Re: What answer you get depends on whom you ask

        Worked on that too, but in the days that it needed at least a pile of paperwork (the incentive for the telco to keep records was because intercept is a chargeable service).

        The thing is, a telco doesn't have a choice. The ability to intercept ongoing communication is something that is explicitly written into a telecommunications license, in any country in the world.

        Not that this defends a deplorable enthusiasm of some to actively engage in this, but it is a condition sine qua non to get a license.

      2. caffeine addict

        Re: What answer you get depends on whom you ask

        This is what amuses me so much about the Huawei stuff. Every nation pressures its own countries into doing what they're told.

        The only difference is that China wrote it into law rather than keeping it an open secret.

    3. vtcodger Silver badge

      Re: What answer you get depends on whom you ask

      Ask the Chinese. Answer: 不是我们。可能是火星人 (translation per Google: "Not us. Probably Martians")

      1. Anomalous Cowturd
        Trollface

        Re: What answer you get depends on whom you ask

        Ask the Chinese. Answer: 不是我們。 可能是美國人 (translation per Google: "Not us. Probably Americans")

        Fixed that for you. ;o)

  7. Alan Brown Silver badge

    "Such lulls in activity are not unprecedented, particularly when it comes to hacking groups from s/China/govt organisations/ "

    There, FTFY

    TBH I wouldn't be at all surprised if this was Nork in origin, or even one of the larger narcogangs - they all have an interest in knowing who's talking to whom and when.

  8. chuBb.

    VPNs would be easily overlooked; it's not that egregious to have missed it

    Not surprised at all that VPNs got missed. Why? It's mobile (cell) phone telcos; lost or out-of-date paperwork seems to be endemic at all telcos, so who is to say that the new VPN isn't a remote cell station for a VIP, or a temporary one for an event? Very much doubt ops would pull the plug without full ass-covering paper trails, just in case it put them downwind of the fan...

    Plus it's a telco, and way too much trust is put into point-to-point connections between customers and carriers. Why? Because "we configured it at both ends and have a contract, there is no need for more security or even whitelisting known gateway IPs". They just would rather pretend that they still own the wires and control all access, rather than be conduits for others to run their services on top of.

    So the usual nonsense of modest security at the front end, and once you cross that magic employees-only line all notions of security go out the window...

    1. Alan Brown Silver badge

      Re: VPNs would be easily overlooked its not that egregious to have missed it

      "So usual nonsense of modest security at the front end, and once you cross that magic employee's only line all notions of security go out the window..."

      Yup - and THAT is why caller-ID spoofing is so trivial for any company which cares to do the paperwork and connect its own kit. Along with malicious call rerouting, or hijacking entire number ranges from halfway around the world (Niuean and Chilean area codes being used for London-based porn lines at one point in the late 1990s...)

      If you thought BGP security was bad, you ain't seen telcos.

      1. chuBb.

        Re: VPNs would be easily overlooked its not that egregious to have missed it

        Unfortunately I have seen telcos' security up front (disclosure: I work for a small security-orientated telco). Without naming names, once you have swapped BGP routes or got the fibre lit you're pretty much free to do whatever you want.

        Any of our carriers that won't offer us a TLS-enabled trunk get shunted to the DMZ-on-the-DMZ for them. Usually their excuse is that there is no business need, or that the overpriced SBC at their end doesn't support TLS (to which I retort: Kamailio is open source and perfect for TLS offload, it just doesn't have a "friendly" GUI which requires you to run Java 6* to access it (which is also why I have never bothered to learn anything but the CLI for any network or security gear and kill the noddy interface at first power-on; seriously, the first command I learn once default passwords have been changed is how to kill the web interface)).

        *The irony that certain unloved/unpatched Cisco ASAs would force you to open that massive a security hole to configure the firewall using the noddy interface is not lost on me, especially when a former head of security I worked with wouldn't configure the devices any other way even though the majority of his other sec policies were sane....

        1. Anonymous Coward
          Anonymous Coward

          Re: VPNs would be easily overlooked its not that egregious to have missed it

          Someone who knows how to set up Kamailio costs, rather than makes, money.

          This is telecoms darling, that just won't fly.

  9. Anonymous South African Coward Bronze badge

    This reminds me of Masters of Deception by Michelle Slatalla

    https://www.goodreads.com/en/book/show/984598.Masters_of_Deception

  10. Anonymous Coward
    Anonymous Coward

    It's very simple. (I'll bill you later).

    Did you build it ? If not, you can't trust it. Encrypt everything to *your* requirements before you use it. Job done.

    $100,000

    1. Marshalltown

      Re: It's very simple. (I'll bill you later).

      Years ago there was a discussion about this. One author pointed out that even with the cleanest source in the world, if the compiler is compromised, then it can install a back door in the executable. In fact, you even could have the compromise buried in the hardware bios.

      1. JimmyPage Silver badge
        Thumb Up

        Re: Years ago there was a discussion about this

        Yes, I took part in it. And received massive downvotes when I pointed out that even if you wrote the compiler, unless you had designed the bare silicon yourself you still had no guarantee of security.

        Then Meltdown and Spectre came along and I had a couple of directors call me in to ask "how did I know" so far in advance (because I'd also written it into a weekly summary I did around 2011). I didn't "know". I just pointed out that there could be all sorts of vulnerabilities in the CPU itself, so there was a limit to how "secure" you could get.

        I stand by that.

  11. sitta_europea Silver badge

    One of the problems is the firewall mentality.

    Historically, firewalls just stop stuff getting in.

    Nowadays, it's at least as important to stop stuff getting out if for no other reason than GDPR.

  12. Nick Kew

    Refreshing

    or someone operating just like them, perhaps deliberately so

    US security firm takes the perfect impartial approach. Tells us what it looks like, but reminds us that "false flag" is also entirely plausible.

    This is a sharp and refreshing contrast to the nonsense we expect from politicians and TLAs. A welcome reminder that most of the private sector is still capable of existing outside of government conspiracy.

  13. Anonymous Coward
    Anonymous Coward

    Hackers infiltrated the networks of at least ten cellular telcos around the world

    The question is which telcos.

    If it's any of the top 10 telcos in any first or second world country, I would be concerned. Even most third world countries' top 1 or 2 telcos would worry me.

    If it's some Ma and Pa virtual network operator running out of the back of their house with the whole thing held together by chicken wire and the wife's brother's best friend's cousin, I'd be less concerned. They're probably just providing cheap long distance calls as part of a money laundering operation or providing call forwarding for SPAM anyway.

    As for VPN traffic not being noticed, I suspect they either depend on VPNs for all their support (external support for small organisations) or they just don't have anything in place to control/monitor the traffic. This is why the size of the company is important in judging how serious these breaches were.

    It's a wake up call for ALL telcos to improve their general security - while they may have solid security practices, the telcos they integrate with may not be as careful.

    1. ThatOne Silver badge
      Devil

      Re: Hackers infiltrated the networks of at least ten cellular telcos around the world

      > It's a wake up call for ALL telco's to improve their general security

      It's a wakeup call for all Telcos to polish their "Our customers' security is very important to us" line, just in case.

      Why would they all of a sudden start throwing perfectly good money out of the window? Did those hacked Telcos lose any money? No, not a cent, so why bother?

  14. Gnosis_Carmot

    Name the telcos

    That way people know who to avoid doing business with.

  15. Anonymous Coward
    Anonymous Coward

    Tired of these claims

    Think people are missing something very important. A company has claimed!

    If I started my own cyber company and wanted to be noticed I could make some very bold claims that I was responsible for uncovering a major hacking operation spanning the globe.

    No telcos named. What is the likelihood that all 10 telcos would cooperate with said company? Calling bullshit on this one. Name-drop Chinese hackers to try and get more publicity.

    1. Doctor Syntax Silver badge

      Re: Tired of these claims

      "No telcos named" says an A/C

  16. caffeine addict

    Name and shame

    Did I miss something, or is there no hint of names or regions in the article or press release?

    Was this Tinpot Telecoms on a pacific island, or one of the international mega-telcos affecting data in multiple countries?

    1. Marshalltown

      Re: Name and shame

      No, you did not. The most geographically explicit statement was that all the telcos were outside North America.

  17. Weiss_von_Nichts
    Paris Hilton

    I don't get it

    They set up a VPN to avoid the lag caused by hacked boxes? AFAIK a VPN needs two endpoints. One of them would obviously be located inside the target's network. But where, if not on a hacked machine? You need to hack it to create the endpoint since you can't just leave it bumbling in the air. So where's the difference between a rogue VPN machine and a hacked one?

    1. Anonymous Coward
      Anonymous Coward

      Re: I don't get it

      One doesn't raise suspicion once you've cleared up your initial infiltration and set up a long-term comms path such as an OpenVPN daemon on a box that isn't updated 'because it's telecoms equipment, it's good for twenty years'.

      The other *might* get picked up by the daily rkhunter scan, assuming even that's installed....
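The reply above makes the point that a tunnel daemon left running on a box nobody patches is exactly what a daily host scan should notice, if anyone compares what is listening against what is supposed to be listening. The Python below is an added example, not code from the article or from anyone in this thread. It parses constructed `ss -lntup` and `ip -o link` output, picks out known VPN daemons and tunnel-style interfaces, and diffs them against a sanctioned inventory; the daemon list, the interface naming pattern and the inventory itself are assumptions standing in for whatever the operator's CMDB records.

```python
"""Host-side check: tunnel daemons and tunnel interfaces that are not in
the sanctioned inventory.

Added example (not from the article or the comment thread). The `ss` and
`ip -o link` output below is constructed, and the sanctioned inventory is
an assumption standing in for the operator's configuration records.
"""
import re

# Assumed: process names that implement VPN/tunnel endpoints on Linux hosts.
TUNNEL_DAEMONS = {"openvpn", "charon", "xl2tpd", "pptpd", "tinc", "vpnserver"}
# Assumed: interface names that usually belong to tunnels (tun0, tap1, wg0, ipsec0).
TUNNEL_IFACE_RE = re.compile(r"^(tun|tap|wg|ipsec)\d+$")
# The "users:((\"name\",pid=N,fd=M))" column that `ss -p` prints.
SS_PROCESS_RE = re.compile(r'users:\(\("([^"]+)",pid=(\d+)')


def listening_tunnel_daemons(ss_output: str) -> list:
    """Return one dict per listening socket owned by a known tunnel daemon."""
    found = []
    for line in ss_output.splitlines():
        parts = line.split()
        match = SS_PROCESS_RE.search(line)
        if len(parts) < 6 or not match:
            continue                      # header line or socket without an owner
        name, pid = match.group(1), int(match.group(2))
        if name in TUNNEL_DAEMONS:
            found.append({"proc": name, "pid": pid,
                          "proto": parts[0], "local": parts[4]})
    return found


def tunnel_interfaces(ip_link_output: str) -> list:
    """Return interface names from `ip -o link` that look like tunnel endpoints."""
    names = []
    for line in ip_link_output.splitlines():
        parts = line.split(":", 2)        # "3: tun0: <FLAGS> ..." -> ["3", " tun0", ...]
        if len(parts) < 3:
            continue
        name = parts[1].strip().split("@")[0]   # drop "@eth0" style parent suffix
        if TUNNEL_IFACE_RE.match(name):
            names.append(name)
    return names


def unsanctioned_endpoints(ss_output: str, ip_link_output: str, sanctioned: dict) -> dict:
    """Diff observed tunnel daemons/interfaces against the inventory.

    sanctioned = {"sockets": {(process_name, local_addr_port)}, "ifaces": {name}}
    """
    rogue_sockets = [d for d in listening_tunnel_daemons(ss_output)
                     if (d["proc"], d["local"]) not in sanctioned["sockets"]]
    rogue_ifaces = [n for n in tunnel_interfaces(ip_link_output)
                    if n not in sanctioned["ifaces"]]
    return {"sockets": rogue_sockets, "ifaces": rogue_ifaces}


# Constructed sample output in the shape of `ss -lntup`.
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      0.0.0.0:1194       0.0.0.0:*         users:(("openvpn",pid=812,fd=6))
udp   UNCONN 0      0      0.0.0.0:500        0.0.0.0:*         users:(("charon",pid=950,fd=9))
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=401,fd=3))
"""

# Constructed sample output in the shape of `ip -o link`.
SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\\    link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff
3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN mode DEFAULT group default qlen 500\\    link/none
4: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\\    link/none
"""

# Assumed inventory: one approved OpenVPN listener and its tun0 interface.
SANCTIONED = {"sockets": {("openvpn", "0.0.0.0:1194")}, "ifaces": {"tun0"}}

if __name__ == "__main__":
    print(unsanctioned_endpoints(SAMPLE_SS, SAMPLE_IP_LINK, SANCTIONED))
```

On the sample data the approved OpenVPN listener and tun0 are ignored, while the IKE daemon on UDP 500 and the wg0 interface are reported because nothing in the inventory accounts for them. The interface check matters because WireGuard runs in the kernel and shows no owning process in `ss`, so a socket-only scan would miss it; in a real deployment the two sample strings would be replaced by the live command output and the inventory pulled from configuration management.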

  18. ExpatZ

    Vault 7, all you need to know to finger the first suspect for investigation.

  19. spold Silver badge

    Mitigation...

    Terrible state of affairs... can't have that old chap...

    We are going to need to access and monitor your networks to make sure they are secure.

  20. Anonymous Coward
    Anonymous Coward

    It's what it is

    The more each country knows about the other's secrets, the less likely these countries can take advantage of them for nefarious purposes. If "A" country has XYZ on "B" and "B" has ZXY on "A", and both know it, then there is less risk of someone making a mistake. That is why, James Bond aside, the elimination of each other's spies is not considered good form. In the 1980's, two single actions had more to do with ending the cold war than all the treaties combined. The first was the cover of a National Geographic magazine showing the underground aquifers of the Nile River taken using new ground penetrating satellite based radar - the Russians said "O Fucski, this means they can see where every one of our underground missiles and hidden airbases are". The second was a Russian development having to do with being able to detect even tiny displacements in ocean surfaces from space - The Americans said "O FUBAR, this means all our missile submarines are visible."

  21. John Smith 19 Gold badge
    Unhappy

    Doesn't say much for the telco's internal IT staff, does it?

    Jeez, setting up their own VPN FFS.

    Sleeping watchdogs

    Plastic policemen etc.

  22. Anonymous Coward
    Anonymous Coward

    And what else is new?

    I have worked in telcos for some time and I know that everything is hacked one way or the other.

    Governments oblige telcos to tap networks, even if unconstitutional, and even the most respectful countries do it, and if you fail to provide what they want, your license is revoked. At least the Chinese and Russians are honest and the rules are clear and written in the law.

    This aside, you don't need to be a super sophisticated hacker. How many telcos do proper background checks on their employees? How many actually have some control? Plenty of cases of employees leaving the company and still having valid and valuable information that can be used easily; as for network admins, it is common that they leave backdoors like VPNs themselves, even to do basic stuff like running torrents at nice speeds. Trust me, this is way more common than you think! So it would be a piece of cake to get someone employed to do this. Telcos are struggling to get people to work, there is a shortage, so they accept anything these days, and there are very commonly brainless people with privileged access; the service delivery team is the optimum place: little control, highly transactional, large teams and core access to provision new services, which could very well be a VPN somewhere, and no one will notice.

    Then there are the poor security practices, starting with lazy leadership who are always the first to break the rules. Typical case: all employees have a Windows laptop with AD and GPOs... except all the board of directors and senior leadership, who want a Mac, and the company can't monitor those devices properly, but who is going to say the boss is stupid and putting the company at risk?

    Finally there are all the backdoors and exploits that can be used in endless tons of old and out-of-support equipment. Telcos have thousands and thousands of devices out there; it is impossible to have the resources to efficiently update the devices, not to mention that that requires planned works and sign-off from stakeholders, customers and whatever more because of the SLAs and the ITIL processes.

    All of this to say that hacking telcos, especially the big ones, is a walk in the park and even a regulator requirement, so leave the poor Chinese be :)

    1. ThatOne Silver badge
      Devil

      Re: And what else is new?

      > leave the poor Chinese be :)

      Hey, without a proper bogeyman, people will look up and notice things they shouldn't. You need a fully functional bogeyman, and you need to keep reminding people he's there, and he should be the sole focus of their worries.

  23. RunawayLoop

    Hacker of the day goes to ...

    China

    North Korea

    Iran

    Rotate as per the flavour of the day

  24. Astyanax

    North American networks weren't affected not because of any kind of "superiority" or lack thereof but maybe because the hackers knew none of the targets were in North America and simply didn't need to hack into them.

  25. Astyanax

    North American networks weren't affected not because of any kind of superiority but maybe because the hackers knew none of the targets were in North America and simply didn't need to hack into them.
