Insider-Assisted Attacks Prove Costly for Telecoms

What comes to mind when you think of the word “insider”? Many of you may be reminded of Edward Snowden, the computer intelligence consultant for the NSA who leaked classified information to the press and fled. But the word “insider” can mean different things depending on the context.

First, let's take a look at the definition as it relates to an “insider threat.” An insider is an employee, former employee, contractor, or business associate who has inside information concerning the organization's security practices, data, and computer systems. Some malicious insiders voluntarily help cybercriminals while others are coerced through blackmail.

Telecom sector insiders are typically cellular service provider employees and staff working for Internet Service Providers (ISPs). The former are recruited in order to gain access to subscriber and company data, or SIM card duplication/illegal reissuing, while the latter are chosen to support network mapping and man-in-the-middle attacks.

Their motivations are often hard to predict and anticipate, ranging from a desire for financial gain to disaffection, coercion, and carelessness. While insider-assisted attacks are quite rare, the impact of such attacks can be devastating as they provide a direct route to the most valuable information.

Insider Threat Campaigns

Here’s a look at some recent examples of insider threat scenarios. Every few days, posts like these are published in various cybercrime forums:

Insider Threat Campaigns_01

This threat actor (“Sherlock Holmes”) is a new member in the forum and has only published two posts to date. The following post shows us that there are much older and experienced players in the field.


Insider Threat Campaigns_02

KHAN Service, a highly rated threat actor and a member in several cybercrime forums, such as bhf.io, probiv.bz, opencard.us, and promarket.pw, religiously posts similar-looking posts every few days on different forums, baiting people who work in telecom companies. The motivation? Money and a “guarantee” that the matter will remain confidential. What is in it for the victims? Money, thrill, challenge, and information.

Insider Attacks

Now let’s take a look at some instances in which telecom companies were breached with the help of an insider:

Gotta Pay the Bills: AT&T Workers Took $1 Million in Bribes to Unlock 2 Million Phones
Several employees of AT&T were bribed to assist a hacker in unlocking over 2 million customer cell phones in a scheme that spanned the years 2012 to 2017. The hacker, Muhammad Fahd from Pakistan, offered to pay over $1 million in exchange for the company employees’ help in unlocking AT&T’s proprietary locking software. He communicated with his insiders through several social media channels. Those who agreed to cooperate were given phones and IMEI codes, which were later used to install malware on AT&T's network. The insiders were willing to help Fahd develop and install tools to unlock the phones from remote locations. Fahd was arrested in February 2018 in Hong Kong. AT&T reported that it had lost about $5 million a year from Fahd's phone unlocking scheme.

TalkTalk Placed Personal Data From 21,000 Customers at Risk
“TalkTalk”, a UK-based company, exposed over 21,000 customers to information leakage by granting unauthorized access to third-party support staff. According to the investigation, “rogue” staff at a large IT services vendor, who resolved high-level complaints and network problems on TalkTalk’s behalf, used an online company portal to gain unauthorized access to customer data – including names, addresses, and phone numbers. The incident occurred back in 2014 and the leak was later discovered due to multiple complaints from customers who informed the company that scam callers had been targeting subscribers under the pretense of providing technical support. As a result, the company was fined £100,000 by the Information Commissioner’s Office (ICO). Not long after, the company was fined again for £400,000 due to security failings that led to the company being hacked in October 2015.

Disgruntled Former Employee of Ofcom Leaks Sensitive Information
“Ofcom” (The Office of Communications) is the regulator and competition authority for the UK communications industries. It regulates the TV and radio sectors, fixed line telecoms, mobiles, postal services, and more. During 2016, it was revealed that a former employee of “Ofcom” leaked sensitive data about various TV companies to his new employer, a major broadcaster. It appears that the former employee downloaded six years worth of data before leaving the company as revenge for being fired. However, instead of exploiting the data, the new employer decided to alert Ofcom regarding the stolen information.

Conclusion

Insider threats pose significant risks to businesses across industries, but particularly to telecommunications companies. The value of the phone and Internet communications that they provide makes them desirable targets in general, but the emphasis on SIM swapping attacks as a way to defeat SMS-based two-factor authentication for individually targeted phone numbers makes insider threats a more cost-effective access vector for would-be attackers. Telecommunications companies should establish insider threat programs if they have not already done so. Such insider threat programs should place greater emphasis on employees whose access could enable SIM swapping attacks in particular, which are a primary reason for criminals to recruit them. Also, two-factor authentication users should switch from SMS-based methods to mobile authenticator apps, which are not vulnerable to SIM swapping attacks.

Stay up to Date!

Subscribe to the blog to stay up to date with all the latest industry news and updates from IntSights.