The enemy within! 38 per cent of targeted cyber attacks involve telco employees

By Martyn Warwick

Aug 23, 2016

via Flickr © JeepersMedia (CC BY 2.0)

  • Some telco and ISP insiders (quite a lot, actually) betray their employers
  • Bribes and blackmail are equally effective weapons
  • Makes insider trading look almost benign
  • International Olympics Committee hit by 800 MILLION cyber-attacks during the Rio Games

A new research report from cyber-security specialist Kaspersky Lab reveals that gangs of highly sophisticated cyber-criminals are recruiting people working at various levels in telcos and service provider companies to become suborned insiders, allowing cyber-attackers to gain access to network and subscriber data. The report shows that 28 per cent of all DDoS attacks and 38 per cent of targeted cyber-attacks involve skilled, knowledgeable and often either disaffected, compromised or just plain greedy employees.

Sophisticated the criminal gangs might be, but they are not above the good old criminal stand-bys of threats, intimidation and the use of a bit of blunt force trauma when they consider it necessary. Insider targets that won't or can't be bribed are blackmailed into betraying their companies because, irony of ironies, the gangs use compromising personal information they glean from open sources as ammunition to scare telco employees into compliance.

Unsurprisingly, telcos and network operators are a prime target of cyber-criminals because they hold what is, quite simply, an unbelievably enormous treasure trove of sensitive data on both customers and the workings and security of the telco and ISP networks themselves.

Kaspersky Lab reveals that the cyber-gangs have a range of tactics and strategies they use to suborn telco employees. The first approach is to tempt disenchanted and thus potentially willing workers to betray their employers via hidden 'underground' message boards on the dark web or via the intermediary services of crooked 'middlemen' recruiters. If that fails, the gangs quickly fall back to the blackmail option - indeed, the report says that for many gangs blackmail is becoming the premier weapon of choice because it is so easy to apply, ensures continuing compliance and costs nothing to enforce.

In the US, the FBI says that after the enormous online data breaches perpetrated by the likes of Edward Snowden and Ashley Madison it is easier than ever for cyber-criminals to gain access to compromising private data that can be used to blackmail telco and service provider employees. On June 1 this year the agency even went so far as to issue one of its Public Service Announcements specifically warning of the risk and impact of "data-leak related extortion".

The cyber-gangs also have a hit list of telco job titles and responsibilities attached to them. Those most heavily targeted are executives who have direct and fast access to subscriber and corporate data - be that in a fixed line or mobile operator. On the mobile front, access to SIM card data is the most highly prized of all. If an attempt on an ISP is about to be mounted the gangs will try to get at staff who could be used for network mapping and so-called 'man-in-the-middle' attacks.

The human factor is the weakest link

Denis Gorchakov, one of the senior security experts at Kaspersky Lab, comments, “The human factor is often the weakest link in corporate IT security. Technology alone is rarely enough to completely protect the organisation in a world where attackers don’t hesitate to exploit insider vulnerabilities. Companies can start by looking at themselves the way an attacker would. If vacancies carrying your company name, or some of your data, start appearing on underground message boards, then somebody somewhere has you in their sights. The sooner you know about it, the better you can prepare.”

To help forestall and protect against insider threats, Kaspersky Lab advises that telco and service provider staff should be made officially cognisant of responsible and acceptable cyber-security behaviour, as well as of the danger signals indicating that a cyber-attack may be imminent or may actually be in train. Monitoring of employee compliance with required cyber-security regimes should also be introduced. Furthermore, the companies should have in place robust and policeable policies on corporate and individual email addresses. It is also advisable to use a threat intelligence service to understand why cyber-criminals might be looking at a company and to determine if an employee has been tempted or forced into providing insider information to criminals.

Other recommended actions are to properly and comprehensively restrict access to the most sensitive internal information and systems and to conduct regular and sweeping security audits of IT infrastructure.

Only this morning, Mohamad Amin Hasbini, a senior security researcher at Kaspersky Lab, revealed that the company has discovered a spear-phishing attack campaign that has been targeting companies for over a year now. Mr. Hasbini has traced it back to March 2015! Kaspersky Lab says "Operation Ghoul", as the spear-phishing attack is called, has hit upward of 130 companies in the industrial, engineering and manufacturing sectors in more than 30 countries around the world. Each ongoing attack was seeking a chink in the security armour through which money, or data that can be monetised through criminal channels, could be stolen.

It seems the attack followed what is, by now, a classic format: top- and middle-ranking executives get a cleverly spoofed email that most will happily open because it appears to come from a reputable and trusted address and company with which the telco or ISP has previously done business. However, the email carries hidden, compressed executable malware that opens the door through which criminals can steal (and continue to steal if the breach is not detected) highly sensitive and invaluable information such as passwords, keystrokes and FTP server credentials.

The report emphasises that insider threats can take a myriad of forms. One example given is of a rogue telecoms employee who leaked an incredible 70 million phone calls from prison inmates, thus totally breaching client-attorney privilege and occasioning highly expensive retrials.

A second example is that of a support engineer at an SMS centre who was identified as being a frequent visitor to a notorious DarkNet forum where telco and ISP employees advertise their ability and availability to intercept messages containing one-time passwords for the much criticised and oft-compromised two-step authentication necessary to log in to customer accounts. Nasty.

And there is no space here to examine in any detail the nation-state attacks perpetrated most notoriously by North Korea and China, but the US, the UK, Australia, New Zealand and many other countries do exactly the same thing on their own behalf.

Finally, the International Olympics Committee has just announced that it was hit with 800 MILLION cyber-attacks during the course of the recently ended Summer Olympics in Rio de Janeiro! That is four times the rate endured at the London Games of 2012.
