The accusation comes from a US/Israeli company, Cybereason, which says that the culprit “was able to completely take over the IT network [of operators] and customise the IT infrastructure … complete with their own VPN [virtual private network] inside of the network”.
Mor Levi, vice president of security at Cybereason, told Capacity: “This is a global operation. We are continuously tracking it. We were able to identify another network [attacked] last week.”
Capacity has been unable so far to seek corroboration from mobile network operators or from industry organisations, as Levi spoke on condition that we did not reveal the information until the early hours of Tuesday morning.
She has told some companies directly, though she would not identify them to Capacity. “We have a legal obligation [to some of them] as they are our customers,” she said. But Cybereason has also warned other mobile operators, even when they are not clients.
The company has seen attacks against operators in all parts of the world, except for North and South America – though Levi could offer no reason for that omission. “It’s just that we haven’t seen any evidence. That could change.”
Levi, like many senior executives in Cybereason, is a former staffer at so-called “unit 8200” of the Israeli Defense Forces (IDF) – often described as Israel’s equivalent of the US National Security Agency (NSA) or the UK’s Government Communications Headquarters (GCHQ).
The alleged – but unnamed – culprit is backed by a nation state, said Levi, pointing to similarities to the so-called APT10 [advanced persistent threat] attacks which have been linked to the government of China. However, Levi was unwilling to point her finger at China: “A lot of these tools were leaked a few years ago.”
She warned that CDRs – including location data – can be a significant intelligence asset. “A lot of people in the IDF know how you can use this type of information,” she said.
“But you should also think about the cellular network as critical national infrastructure.” She said the techniques Cybereason claims to have exposed would allow a network to be brought down. “They could pull the plug. This is something you don’t want to happen.”
What should operators do? Use strict monitoring, said Levi, especially of the links between the IT network and the operational network. So far Cybereason has not identified financial damage, but “there will be a huge cost in remediating”, she said.
When operators move to 5G “they need to be able to have visibility [of threats],” she added. “Most companies have only basic visibility from a security perspective. Firewalls are not enough.”
Cybereason has posted more information online here.