Telco SecOps learnings from the SK Telecom hack

  • SK Telecom’s disastrous cyber breach has once again shone the spotlight on telco network security
  • Beyond systems from some of the major mobile network infrastructure vendors, there are few products that are customised to telco requirements
  • National security agencies need to take a longer and deeper look at telco security operations

Some details of the hugely consequential SK Telecom (SKT) hack are still subject to internal investigation and external speculation, but other aspects are clear. Last month, a cyber threat group penetrated SKT’s mobile core network and appears to have exploited a vulnerability in a virtual private network (VPN) platform to gain initial access. It then dropped malware onto a home subscriber server (HSS), which allowed large amounts of critical USIM-related information to be exfiltrated, including authentication keys for up to 23 million mobile customers.

According to reports, at least 250,000 SKT customers have already switched to rival operators. Addressing a National Assembly hearing on 7 May, the company’s CEO, Ryu Young-sang, said that if this number grows to 2.5 million as expected, SKT stands to lose up to 7tn won ($5bn) over the next three years.

A telco is no more or less vulnerable to VPN vulnerabilities than any other organisation. But how a security operations team defends against an intrusion after initial entry is unique in a telco environment. This is due to a combination of factors, including: the unique suite of telco protocols in use; the length of time legacy protocols must co-exist with new ones; the unusual sensitivity of telco network functions to the impact of security tools; the volume of endpoints; the volume of traffic that needs managing; and the volume of logs that are generated.

Telco networks are uniquely complex. And much like rats, cyber threat actors thrive in complex, lightly supervised environments where they’re able to hide.

Given that an HSS was penetrated, one might speculate that better security orchestration and automation and/or better threat detection and mitigation in the core might have spared SK Telecom some – perhaps even a lot – of the pain the organisation and its customers are having to endure with this crisis. 

But a more relevant question now is whether other telcos are any better prepared for this type of attack than SKT. Much of the available evidence suggests they are not. 

Last year, the US authorities identified that the China-backed Salt Typhoon group’s espionage campaign had penetrated nine US telcos and others in several other countries. Even more seriously, the similarly named Volt Typhoon group has been able to embed itself and remain undetected in parts of US critical infrastructure, including the communications sector. 

Volt Typhoon’s prepositioning is intended to enable sabotaging these critical infrastructures in the event of military hostilities between the world’s two leading powers. In a recent post on Bluesky, the former head of the UK’s National Cyber Security Centre (NCSC), Ciaran Martin, called Volt Typhoon “a direct military grade threat to western infrastructure”. 

On the same platform, Chris Krebs, former head of the US’s Cybersecurity and Infrastructure Security Agency (CISA), labels it “the Chinese military preparing for war”.

Relative to the threat level, the maturity of the vendor product market for telco security operations doesn’t inspire all that much confidence either. Generic firewalls have long supported telco protocols such as GTP (GPRS Tunnelling Protocol). There are also many niche firewall products for protecting telco signalling protocols, such as SS7 and Diameter (albeit far too few telcos even use them).

But at the heart of telco security operations, most teams still depend on the same generic SIEM (security information and event management), SOAR (security orchestration, automation and response) and other enterprise security platforms that everyone uses. These are ‘good enough’, so to speak, except that ‘good enough’ isn’t actually good enough these days.

Excellence in telco security operations requires platforms that are customised to telco requirements. Ericsson and Nokia have at least built customised security operations platforms that are optimised for, and tightly integrated with, radio access network (RAN), transport and mobile core networks.

The Ericsson Security Manager (ESM) is a security automation and orchestration platform positioned mainly on the protection – or ‘left of boom’ – side of the NIST (National Institute of Standards and Technology) Cybersecurity Framework.

Nokia calls its Cybersecurity Dome an extended detection and response (XDR) solution, positioned more on the threat detection and response – or ‘right of boom’ – side of the NIST framework. It monitors and correlates telemetry from sources, such as logs from network functions (NFs), its own NetGuard endpoint detection and response (EDR) product, and Kubernetes. It builds telecom network threat signatures that it can recognise and act upon. 
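As an added illustration of the kind of cross-source correlation just described, applied to the VPN-to-HSS chain outlined at the top of this piece, here is a small Python example. It is not code from this page, from Nokia or from Ericsson. It joins three constructed telemetry streams (VPN gateway logons, host EDR process starts on the HSS, and the HSS application’s own query log) and raises a finding when a VPN-assigned address performs a bulk read of the subscriber authentication table shortly after logon, escalating if the EDR also saw a binary launched from a scratch directory on that host. The log format, hostnames, user names, addresses, thresholds, window and the `subscriber_auth` table name are all assumptions.

```python
"""Constructed cross-source correlation example (not code from the page or any vendor).

Joins VPN logons, EDR process starts and HSS query logs the way an XDR-style
rule would. One finding is produced per (VPN session, HSS host) pair that shows
a bulk read of the subscriber authentication table within a window of the logon.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# All log lines, hostnames, users, addresses and the line format are constructed.
SAMPLE_LOGS = [
    "2025-04-18T02:11:05Z vpn-gw1 vpn logon user=svc_backup src=203.0.113.7 session=s1 assigned=10.20.0.44",
    "2025-04-18T02:13:40Z hss-01 edr process_start exe=/tmp/.x/httpd parent=sshd user=root",
    "2025-04-18T02:14:02Z hss-01 hss query table=subscriber_auth rows=50000 client=10.20.0.44",
    "2025-04-18T02:14:30Z hss-01 hss query table=subscriber_auth rows=50000 client=10.20.0.44",
    "2025-04-18T03:00:00Z hss-01 hss query table=subscriber_auth rows=50000 client=10.20.9.9",
    "2025-04-18T08:30:00Z vpn-gw1 vpn logon user=alice src=198.51.100.9 session=s2 assigned=10.20.0.51",
    "2025-04-18T08:31:00Z hss-01 hss query table=subscriber_auth rows=1 client=10.20.0.51",
]

BULK_ROWS = 10_000            # constructed threshold: reads at least this large count as "bulk"
WINDOW = timedelta(hours=1)   # constructed window: the read must follow the VPN logon within this
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")  # binaries run from here are rarely legitimate on an NF

KV = re.compile(r"(\w+)=(\S+)")


@dataclass
class Event:
    ts: datetime
    host: str
    source: str   # vpn | edr | hss
    kind: str     # logon | process_start | query
    fields: dict


def parse_line(line: str) -> Event:
    """Parse '<ts> <host> <source> <kind> k=v ...' (constructed format) into an Event."""
    ts, host, source, kind, *rest = line.split()
    return Event(datetime.fromisoformat(ts.replace("Z", "+00:00")),
                 host, source, kind, dict(KV.findall(" ".join(rest))))


def correlate(lines, bulk_rows=BULK_ROWS, window=WINDOW):
    """Return one finding per (VPN session, HSS host) pair showing a bulk auth-table read."""
    events = sorted((parse_line(l) for l in lines), key=lambda e: e.ts)
    sessions = {}        # VPN-assigned inner address -> logon event
    scratch_procs = {}   # host -> first process started from a scratch directory
    findings = {}        # (session id, host) -> finding being accumulated

    for e in events:
        if e.source == "vpn" and e.kind == "logon":
            sessions[e.fields["assigned"]] = e
        elif e.source == "edr" and e.kind == "process_start":
            if e.fields.get("exe", "").startswith(SCRATCH_DIRS):
                scratch_procs.setdefault(e.host, e)
        elif e.source == "hss" and e.kind == "query":
            if e.fields.get("table") != "subscriber_auth":
                continue
            rows = int(e.fields.get("rows", "0"))
            logon = sessions.get(e.fields.get("client"))
            # Ignore small reads and reads not attributable to a recent VPN logon
            # (a batch host on the core network is not this rule's concern).
            if rows < bulk_rows or logon is None or e.ts - logon.ts > window:
                continue
            key = (logon.fields["session"], e.host)
            f = findings.setdefault(key, {
                "session": key[0], "vpn_user": logon.fields["user"],
                "vpn_src": logon.fields["src"], "host": e.host,
                "rows": 0, "first_read": e.ts, "severity": "high",
            })
            f["rows"] += rows
            proc = scratch_procs.get(e.host)
            # Escalate when the EDR saw a scratch-directory binary start before the read.
            if proc is not None and proc.ts <= e.ts:
                f["severity"] = "critical"
                f["process"] = proc.fields["exe"]
    return list(findings.values())


if __name__ == "__main__":
    for finding in correlate(SAMPLE_LOGS):
        print(finding)
```

On the sample above only session `s1` is reported: two 50,000-row reads are merged into one critical finding that names the VPN user, the external source address and the scratch-directory binary, while the batch host’s bulk read (no VPN logon behind it) and `alice`’s single-row lookup produce nothing. The point is the join, not any one signal: a VPN logon, a process start and a large query are each routine on their own, and only the sequence across sources is worth paging on.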

With threat actors already using AI for offensive cyber operations, both platforms put AI in the hands of defenders: ESM uses AI to explain gaps in configurations and for compliance recommendations, while Nokia has trained Microsoft’s Copilot for Security on telecom network topologies, as well as attack and defensive playbooks. Cybersecurity Dome even uses AI to code telco attack playbooks. 

Both companies can point to a growing list of telco customers. However, communications issued about the sales of these products suggest demand is well below what it should be, given the era we are in now.

Moreover, these two telecom vendor incumbents – neither of which is a cybersecurity specialist – are virtually alone in this product space. They support one another’s mobile infrastructure products though, as you’d expect, these platforms perform that little bit better when deployed with their own network technology systems.

Nokia and Ericsson can also bundle sales of their security operations platforms in with the RAN, core and other network infrastructure. This can serve as a form of barrier to entry to vendors of security operations platforms that are security specialists, not telecom specialists.

Two years ago, NetScout announced MobileStream and Arbor Sightline Mobile for mobile networks. A year ago, Enea was talking up the potential of “visibility and detection probes” for 5G network functions. But neither company is bragging about sales of these products (or even hinting at such success). 

Over the past three years, three other cybersecurity vendors – including two of the world’s largest – have committed to building telco-focused AI SecOps platforms, only for these commitments to then crash and burn. In the case of one of them, plans for the platform were only shared at MWC25 in March and a week later, it turned out the funding, about which the company executive had been so positive in Barcelona, was being pulled because a lead telco partner had lost interest. 

It isn’t just about the technology platforms, of course: Telcos also need investment in the right people and processes to get the most out of them.

Leading western national security agencies and regulators went to extraordinary lengths to encourage and subsidise the removal of Huawei technology from mobile networks and to underpin investments in Open RAN for greater supply chain diversity. Coming on top of the Volt and Salt Typhoon attacks, one fitting legacy of the SKT hack would be if the ecosystem of telco security operations were now subjected to similar scrutiny.

- Patrick Donegan, Principal Analyst, HardenStance
