
Wave of telco attacks tied to bad third-party vendor security hygiene


Cyberattacks targeting telecom companies have been relentless since the new year. Since Jan. 1, over 74 million private records tied to customers of AT&T, T-Mobile, U.S. Cellular and Verizon have spilled onto the dark web.

In a report posted Friday, Cyble Research and Intelligence Labs points to six previously reported data breaches impacting telecoms since the start of 2023. The vast majority, researchers report, were carried out by exploiting security weaknesses on third-party vendor networks.

"Third-party breaches through vendors, software, and MSPs (managed service providers) caused several prominent incidents," wrote researchers. "These third-party breaches can lead to larger-scale supply-chain attacks and a greater number of impacted users and entities globally."

Telco hit list

One attack cited is believed to be the work of ransomware group CL0P. Researchers said the cybergang targeted CGM LLC, a SaaS provider that works with the FCC’s Affordable Connectivity Program. CL0P, researchers said, claimed to have found a third-party vendor’s unsecured cloud storage that held 37 million AT&T client records.

Third-party security risks are often hard for downstream firms to identify, and they have been behind some of the past years’ biggest cyberattacks. Vendors, software and managed service providers have each caused prominent incidents, including the Okta breach in March 2022 and the Kaseya hack in July 2021. Recently, a leak of 77,000 Uber employees’ data was tied to third-party Uber vendor Teqtivity.

Third-party risk takes spotlight

It has long been understood that third-party vendors are part of an organization’s attack surface, said David Kris, advisor at Theon Technology. Kris said in 2014, Target’s point-of-sale devices were hacked through the company’s air conditioning provider. Kris added that third-party vendors are especially part of the attack surface when they hold the organization’s sensitive data.

“As the cyber environment becomes more fraught, we are now witnessing an aggressive push for more and more demanding cyber incident reporting requirements across the board, particularly in areas such as financial services, telecommunications, and other sectors designated as critical infrastructure, in laws passed by Congress and in regulations adopted by agencies like the SEC,” Kris said.

“Federal officials are openly calling on companies to ‘stop passing the buck’ on cybersecurity, and the forthcoming National Cyber Strategy is expected strongly to push this approach and the need for stronger public-private partnerships, including in incident reporting,” he said.

Breaches go beyond data

Andrew Barratt, vice president at Coalfire, added that when data appears to have been stolen from a national carrier, it’s often a vast undertaking to unpick where it comes from. Barratt said unlike credit card data, which can be triaged by the card payment networks via transactional meta-data, it’s very difficult to do the same with PII data. 

“If a threat actor hasn’t been detected ahead of a breach, or hasn’t been detected because access comes from a trusted third party that may have been breached, it’s a vast amount of work unpicking the possible places that a breach may have occurred,” Barratt said.

“Meaning that the timing of reporting the specifics may take longer than typically people would like. Having worked with many telecoms companies around the world, I know first-hand this is something they take incredibly seriously and most see their status as ‘national carriers’ as a major hallmark,” Barratt said.

Bud Broomhead, chief executive officer at Viakoo, said the Cyble report shows that the threat landscape has shifted to more diverse types of threats. Broomhead said adversaries are interested in telco customer data to perpetrate additional crimes such as SIM jacking.

A January attack against T-Mobile took advantage of weak security in a third-party vendor's API to pilfer 37 million customers' personal data. "This attack led to targeted SIM swapping attacks on Google Fi, which uses T-Mobile as its primary service provider," according to the report.

Another concern is that telecom networks "are widely used for multi-factor authentication and for sharing of business data (specifically email), making them attractive targets,” said Broomhead. 

“While there have always been efforts to breach telecom systems, the increased reliance on them for security has increased the frequency of attacks against them, and has led to more reporting requirements when a breach occurs. Without question, the timing of when a breach is reported matters: the faster the better to shrink the vulnerability window.”
