Espionage and data exfiltration: Anssi reveals the greatest cyber danger for the telecoms sector


Are French telecoms infrastructures like sieves? While it describes the sector as “supercritical”, the National Information Systems Security Agency (Anssi) says, in a report, that it has been informed of more than 150 security events in the telecoms world over the past three years, nearly fifty of which required its intervention.

Two thirds of the events concerned affected “strategic companies in the sector”, some of which required “a significant operational commitment from Anssi”.

The agency identifies three main families of threats. In its view, the most worrying concerns espionage operations involving data exfiltration. “Attackers known to be linked to Chinese and Iranian strategic interests are documented as very active in this area”, even if the incident history shows that “the sector is regularly targeted by more diverse strategic actors”.

A national operator attacked by a Chinese group

In the case of the “Soft Cell” operation, hackers linked to China are reported to have sought to exfiltrate Call Detail Records (CDR). These are not recordings of conversations but the metadata of each call: its source, destination and duration, along with information on the devices used and their physical location, which is enough to analyze the behavior and relationships of targeted people.

During this operation, the attackers are also reported to have searched for data held in the compromised operators’ Active Directory, as well as billing information. In France, Anssi handled the September 2020 compromise of a national operator by an attack procedure (mode opératoire d’attaque, MOA) reputed to be Chinese, “for the probable purpose of espionage”.
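To make concrete what CDR metadata alone reveals, here is an added example (not from the Anssi report or from the article) that runs a small analysis over constructed call records: it ranks a target’s contacts, lists the handset and cells the target was seen on, and infers who was nearby from shared cells. The CSV layout, phone numbers, IMEIs and cell identifiers are all made up for the example.

```python
"""Toy analysis of Call Detail Records (CDR) metadata: no audio is needed to
map who talks to whom, when, and from where. Added example with constructed data."""
import csv
import io
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample CDRs (not real operator data). Fields follow the metadata
# listed in the article: caller, callee, start time, duration, device, cell.
SAMPLE_CDRS = """caller,callee,start,duration_s,imei,cell_id
+33600000001,+33600000002,2020-09-01T08:05:00,420,35000000000001,LOC-PARIS-07
+33600000001,+33600000003,2020-09-01T09:10:00,60,35000000000001,LOC-PARIS-07
+33600000002,+33600000001,2020-09-01T21:30:00,900,35000000000002,LOC-PARIS-07
+33600000001,+33600000002,2020-09-02T08:15:00,300,35000000000001,LOC-PARIS-07
+33600000004,+33600000001,2020-09-02T12:00:00,30,35000000000004,LOC-LYON-02
+33600000001,+33600000002,2020-09-03T22:00:00,1200,35000000000001,LOC-PARIS-07
+33600000003,+33600000005,2020-09-03T22:05:00,200,35000000000003,LOC-PARIS-07
"""


def parse_cdrs(text):
    """Parse CSV CDRs into dicts with a typed start time and duration."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["start"] = datetime.fromisoformat(row["start"])
        row["duration_s"] = int(row["duration_s"])
        rows.append(row)
    return rows


def contact_graph(records, target):
    """Rank the target's contacts by number of calls, then total talk time.
    Returns a list of (number, call_count, total_seconds), most contacted first."""
    calls = Counter()
    seconds = Counter()
    for r in records:
        if target == r["caller"]:
            other = r["callee"]
        elif target == r["callee"]:
            other = r["caller"]
        else:
            continue
        calls[other] += 1
        seconds[other] += r["duration_s"]
    return sorted(((n, calls[n], seconds[n]) for n in calls),
                  key=lambda t: (-t[1], -t[2], t[0]))


def device_and_cells(records, target):
    """Which handset(s) the target originated calls from, and from which cells.
    The cell ID alone places the subscriber geographically."""
    imeis = set()
    cells = Counter()
    for r in records:
        if r["caller"] == target:
            imeis.add(r["imei"])
            cells[r["cell_id"]] += 1
    return imeis, cells


def colocated(records, target, window=timedelta(minutes=15)):
    """Other subscribers who originated a call from the same cell within
    `window` of one of the target's own calls: a crude proximity inference."""
    target_calls = [(r["start"], r["cell_id"]) for r in records if r["caller"] == target]
    others = set()
    for r in records:
        if r["caller"] == target:
            continue
        for start, cell in target_calls:
            if r["cell_id"] == cell and abs(r["start"] - start) <= window:
                others.add(r["caller"])
    return others


if __name__ == "__main__":
    recs = parse_cdrs(SAMPLE_CDRS)
    target = "+33600000001"
    print("contacts:", contact_graph(recs, target))
    print("devices/cells:", device_and_cells(recs, target))
    print("colocated:", colocated(recs, target))
```

Run as a script on the embedded data, it shows that the first subscriber’s closest contact, habitual cell, handset and a likely acquaintance can all be read off seven metadata rows, which is why the article’s point that CDRs allow “the analysis of the behaviors and relationships of targeted people” needs no call content at all.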

Core network compromise

In recent years, the agency has observed a worrying increase in compromises affecting equipment, particularly routers at the core of operators’ networks. “These attacks, of a high level of sophistication, are often carried out over a long period of time and are difficult to detect. They compromise the integrity of the operators’ network and allow attackers to have direct access to the communications of strategic entities and individuals.” This impacts the confidentiality of the data exchanged.

Satellite links are also misused by certain groups, this time linked to Russia, to carry out espionage attacks against targets around the world. In the case of the Turla MOA, this involves spoofing the IP addresses of satellite terminals and intercepting the downlink traffic, often unencrypted, sent from the satellite to those terminals; because the downlink is a broadcast, anyone within the satellite’s footprint with a suitable dish and receiver can capture it. The perpetrators “exploit weaknesses in protocols without compromising any satellite equipment”.

Hacktivist destabilization operations

Another category of threat: attacks aimed at destabilization. These are mainly the work of hacktivists, who practice blackmail through distributed denial of service (DDoS) and expose personal data alongside political demands. “Larger-scale operations for sabotage purposes remain a major threat to the sector”, Anssi estimates.

On this point, “the attack that targeted the KA-SAT satellite communications network on the night of the Russian invasion of Ukraine in February 2022 showed the massive impact of a sabotage operation”. Attributed to Russia, it put several tens of thousands of modems out of service, including a large number in France.

This threat of sabotage comes on top of the physical destruction regularly observed in the sector, whether deliberate cable cutting or the destruction of infrastructure. Such malicious acts can occur in the context of armed conflict, as in Ukraine, or outside it.

During the night of April 26 to 27, 2022, the French fiber optic network suffered acts of vandalism. Hacktivists, from the ultra-left according to Le JDD, cut long-distance cables in a concerted manner in three different regions. In Grenoble, Besançon, Strasbourg and Ile-de-France, customers of Free and, to a lesser extent, SFR saw their connections severely disrupted.

Fake relay antennas

Finally, Anssi discusses profit-motivated attacks, “frequent in the telecommunications sector”. A significant share of them concerns communications fraud: subscribers are redirected to premium-rate numbers without their knowledge, or fall victim to scams in which cybercriminals spoof national telephone numbers. “Cases of spam or SMS phishing have also been linked to fake mobile relay antennas allowing messages to be sent en masse to mobile phones located in a specific geographical area.”

Business customers are targeted through attacks on internal telephony equipment such as private automatic branch exchanges (PABX). “By exploiting known vulnerabilities, attackers can make calls, or even set up low-cost ephemeral international calling services sold on the internet, which use the networks of a victim company.”
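The resale scheme described above leaves a recognizable footprint in a PABX’s own call records: bursts of international calls from one extension at night, often to expensive destinations. The following is an added example (not from Anssi, the article or any PBX vendor) of a minimal detector run over constructed call-log lines; the log format, the 08:00-19:00 weekday business hours, the +33 home prefix and the high-cost prefix watch list are all assumptions chosen for the illustration.

```python
"""Toy toll-fraud detector for PABX/IP-PBX call logs. Added example with
constructed log lines; format, business hours and the high-cost prefix list
are assumptions, not taken from Anssi or any vendor."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed PBX call records (not from a real system). One outbound call per line.
SAMPLE_LOG = """\
2022-04-29 10:02:11 ext=201 dst=+33145000001 dur=180 trunk=SIP1
2022-04-29 11:15:40 ext=201 dst=+33612000002 dur=95 trunk=SIP1
2022-04-29 14:30:05 ext=210 dst=+442071230001 dur=600 trunk=SIP1
2022-04-30 02:01:00 ext=305 dst=+8821300000001 dur=410 trunk=SIP2
2022-04-30 02:02:30 ext=305 dst=+8821300000002 dur=398 trunk=SIP2
2022-04-30 02:03:45 ext=305 dst=+8821300000003 dur=405 trunk=SIP2
2022-04-30 02:05:10 ext=305 dst=+8821300000004 dur=401 trunk=SIP2
2022-04-30 02:06:55 ext=305 dst=+8821300000005 dur=399 trunk=SIP2
2022-04-30 02:08:20 ext=305 dst=+8821300000006 dur=412 trunk=SIP2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ext=(?P<ext>\d+) "
    r"dst=(?P<dst>\+\d+) dur=(?P<dur>\d+) trunk=(?P<trunk>\S+)$"
)

HOME_PREFIX = "+33"             # assumption: a French company, so +33 is domestic
HIGH_COST_PREFIXES = ("+882",)  # constructed watch list; use the operator's rate table in practice
BUSINESS_HOURS = (8, 19)        # assumption: 08:00-19:00, Monday to Friday


def parse_pbx_log(text):
    """Parse the constructed 'key=value' call lines; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        records.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "ext": m["ext"],
            "dst": m["dst"],
            "dur": int(m["dur"]),
        })
    return records


def is_international(dst):
    return not dst.startswith(HOME_PREFIX)


def after_hours(ts):
    start, end = BUSINESS_HOURS
    return ts.weekday() >= 5 or not (start <= ts.hour < end)


def detect_toll_fraud(records, burst_threshold=5, burst_window=timedelta(minutes=10),
                      after_hours_threshold=3):
    """Return {extension: sorted list of reasons} for extensions that look abused.
    Three cheap signals: a call to a known high-cost prefix, several international
    calls outside business hours, and a burst of calls from a single extension."""
    by_ext = defaultdict(list)
    for r in records:
        by_ext[r["ext"]].append(r)

    flags = {}
    for ext, calls in by_ext.items():
        reasons = set()
        if any(r["dst"].startswith(HIGH_COST_PREFIXES) for r in calls):
            reasons.add("high_cost_prefix")
        intl_night = sum(1 for r in calls if is_international(r["dst"]) and after_hours(r["ts"]))
        if intl_night >= after_hours_threshold:
            reasons.add("international_after_hours")
        # Sliding window over sorted call times: any `burst_threshold` calls
        # inside `burst_window` is unusual for a human on a desk phone.
        times = sorted(r["ts"] for r in calls)
        j = 0
        for i in range(len(times)):
            while times[i] - times[j] > burst_window:
                j += 1
            if i - j + 1 >= burst_threshold:
                reasons.add("burst")
                break
        if reasons:
            flags[ext] = sorted(reasons)
    return flags


if __name__ == "__main__":
    print(detect_toll_fraud(parse_pbx_log(SAMPLE_LOG)))
```

On the embedded data only extension 305 trips the detector, on all three signals, while the single daytime international call from extension 210 is left alone; in practice the thresholds would be tuned to the company’s own calling profile, and the trunk-level cost of the flagged calls is what makes an alert actionable.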

A “supercritical” sector

Beyond indirect reputational risks, operators are also targeted by opportunistic attacks aimed at the mass of personal data they hold. “The data exfiltrated is then resold by cybercriminals or used in ransomware attacks as blackmail, under threat of disclosure.”

Anssi does not relieve operators of their responsibility. It criticizes them for favoring “the availability of their services, sometimes to the detriment of data confidentiality and the integrity of information systems”.

The size of operators’ networks, their heterogeneity following successive acquisitions and the significant technical debt they have accumulated “complicate their security and make it even more crucial to take into account the threats targeting this sector”. The sector is described as “supercritical” because of the systemic consequences an incident on this type of infrastructure can cause.
