Major Cyber Attacks Targeting the Telecommunication Industry (2023 – 2…

Summary:

The telecommunication industry faces a surge in cyber attacks, particularly from the Chinese APT group Salt Typhoon, targeting major companies for espionage and data theft. The ongoing threats highlight vulnerabilities in telecom infrastructure and the need for stronger cybersecurity measures. #TelecomSecurity #CyberEspionage #SaltTyphoon

Key points:

  • The telecom sector is a prime target for cyber attacks due to its sensitive data and critical infrastructure.
  • Salt Typhoon, a Chinese APT group, has been linked to recent attacks on major telecom companies.
  • Common attack methods include supply-chain attacks, data exfiltration, and espionage.
  • The breaches have significant implications for national security and customer privacy.
  • U.S. officials are investigating the attacks, with concerns about ongoing access to compromised networks.

MITRE Techniques:

  • Supply Chain Compromise (T1195): Attackers compromise third-party vendors to gain access to telecom networks.
  • Data Exfiltration (T1041): Cyber attackers steal sensitive data from telecom systems.
  • Remote Access Tools (T1219): Attackers use tools such as GHOSTSPIDER, the Demodex rootkit, and Deed RAT to maintain long-term access.

Indicators of Compromise:

  • [claimed data theft] 500GB of sensitive data exfiltrated by the Black Basta ransomware group
  • [domain] telstra.com
  • [domain] lycamobile.com
  • [domain] lebara.com
  • [ip address] 38.60.146.78

The telecommunication industry plays a vital role in connecting the world, supporting everything from personal communications to critical infrastructure. Holding vast amounts of sensitive data and delivering essential services, telecom companies are prime targets for cyber attacks. Because their networks are essential to national security, any breach can expose personal, financial, and government information, making them an attractive target for state-sponsored groups and cybercriminals alike.

“Major telecommunication industry attacks”, illustrated by DALL-E

Recently, a surge in attacks has targeted some of the biggest names in the telecom sector, including Verizon, AT&T, Lumen Technologies, and T-Mobile. These attacks have been attributed to the notorious Chinese APT group Salt Typhoon, which has long been involved in cyber espionage.

In this article, we explore the major breaches that shook the telecom sector in 2024 and examine how the industry and government are responding to these growing risks. We also look into the motivations behind such attacks, the methods used by attackers, and the ongoing threats as evidenced on the Dark Web.

Common Telecom Attacks and What’s at Risk

Telecom companies are regularly targeted by cybercriminals and state-sponsored groups due to their access to sensitive information and critical infrastructure. Several attack methods recur in the exploitation of these systems, the most notable being supply-chain attacks, data exfiltration, and espionage.

  • Supply-Chain Attacks: In supply-chain attacks, hackers compromise third-party vendors or service providers with access to telecommunication networks. By exploiting vulnerabilities in software or hardware that telecommunication industry companies rely on, attackers can gain access to critical systems and steal valuable data or install malicious tools for long-term access.
  • Data Exfiltration: Data exfiltration remains one of the most prevalent attack methods. Cyber attackers infiltrate telecom systems to steal large volumes of sensitive data, including customer records, communications metadata, and proprietary company information. This stolen data is often sold on the Dark Web or used for intelligence gathering.
  • Espionage: Telecom companies are also valuable targets for espionage operations, particularly when the attackers are state-sponsored groups. These groups aim to access sensitive communication networks to gather intelligence, monitor activities, and potentially interfere with national security operations.

The risks of these attacks go far beyond the immediate breach. Disruption of telecom services can have grave consequences beyond service outages, financial loss, and reputational damage. The theft of sensitive data could compromise customer privacy and national security, while espionage activities undermine trust in critical communication systems.

Likely Motivations Behind Telecommunication Industry Attacks

Many cyberattacks targeting the telecommunication industry are driven by strategic motivations rather than purely financial gain. State-sponsored groups typically carry out these attacks with the aim of gaining intelligence, stealing sensitive data, and uncovering surveillance targets. These groups may infiltrate telecom systems to monitor communications, gather information on political figures, or even access the data of government agencies.

Salt Typhoon’s attacks can be described as highly strategic, focusing on long-term access to the critical networks used to monitor and secure communication channels. By gaining control of telecom infrastructure, attackers can compromise sensitive information, disrupt operations, and even influence global geopolitical trends.

For organizations looking to better understand the threats in the telecommunication industry, SOCRadar’s Industry Threat Landscape Report provides a great overview.

SOCRadar LABS, Industry Threat Landscape Report – Stay informed and strengthen your defenses against potential cyber threats with SOCRadar’s actionable intelligence.

This report leverages AI to analyze the cybercrime ecosystem, offering insights that help improve your cybersecurity posture. By identifying the current landscape of threats, the report empowers businesses to take proactive measures and mitigate risks before they escalate.

Recent Major Attacks Targeting Telecommunication Industry Giants

It was reported in July 2024 that the Chinese state-sponsored APT group Salt Typhoon (also known as GhostEmperor or UNC2286) made a dramatic return after two years of inactivity. This highly skilled threat group, notorious for its sophisticated cyber espionage campaigns, reappeared with improved evasion tactics that enabled it to bypass enhanced security measures. Its return marked a new wave of cyberattacks targeting key players in the telecommunication industry, particularly in the United States.

Salt Typhoon has a history of infiltrating critical communication networks and has been linked to the Ministry of State Security (MSS) in China. The group’s primary objective is to conduct cyber espionage by gaining access to sensitive data and intelligence. Known for exploiting security vulnerabilities, the threat group uses various backdoors, including GHOSTSPIDER, along with tools like the Demodex rootkit and Deed RAT, to maintain long-term access to compromised networks.

For more information on this APT group, visit SOCRadar’s Dark Web Profile.

In 2024, the group targeted several prominent telecom companies across the U.S., causing significant disruptions and raising concerns over the security of communication infrastructures. The affected companies included Verizon, AT&T, Lumen Technologies, and T-Mobile.

The nature of these attacks highlighted the group’s strategic focus on espionage rather than financial gain. The attackers’ efforts were concentrated on infiltrating critical networks to access sensitive data, including metadata related to communications, calls, and texts. The attacks also extended to high-profile government and political figures, including members of U.S. political campaigns.

The FBI and other federal agencies have been investigating these breaches, with concerns that Salt Typhoon may still have access to certain networks, putting telecom infrastructure at continued risk.

The Latest Wave of Attacks in 2024, Led by Salt Typhoon

The threat group’s most recent campaign gained momentum in October 2024, when it was reported that it infiltrated the networks of Verizon, AT&T, and Lumen Technologies. These attacks were part of an ongoing espionage operation aimed at uncovering American surveillance targets and potentially intercepting sensitive communications. The breach, believed to have started as early as 2022, raised concerns about access to critical data, including private communications and law enforcement requests.

U.S. officials have been investigating these breaches, with some pointing to the involvement of China’s Ministry of State Security. However, the Chinese government has denied any involvement, calling the allegations politically motivated.

This breach has been described as one of the most extensive in U.S. history, threatening the security of intelligence operations and exposing sensitive counterintelligence information.

T-Mobile Also Confirms Breach

Following the intrusion announcement concerning the three telecom giants, T-Mobile confirmed in November 2024 that it was also targeted by Salt Typhoon, but stated that its security measures prevented any unauthorized access or data theft. Nonetheless, the recent attack campaign is said to have impacted at least eight telecom companies in the United States.

T-Mobile also confirmed that it was breached in the latest telecom attack campaign (Image Source)

Before these developments, AT&T had already faced a significant breach in 2023, resulting in the exposure of data from 8.9 million customers. The company reached a $13 million settlement with the Federal Communications Commission (FCC) in September 2024, agreeing to strengthen its data governance and supply chain security practices. The recent breaches have shown that much more needs to be done to protect the telecommunication industry.

Industry and Government Reactions

The scale and severity of the Salt Typhoon attacks have drawn strong reactions from both U.S. officials and the telecommunication industry. Key responses and details are explained below.

Senator Mark Warner’s Statement

U.S. Senator Mark Warner described the Salt Typhoon campaign as the “worst telecom hack in U.S. history.” He emphasized the gravity of the attack, which involved hackers accessing telecom networks, intercepting real-time calls, and exploiting the trust relationships between various networks.

The breach affected fewer than 150 victims, but the data of millions of related contacts is now at risk, with the potential for this number to rise dramatically. This attack wasn’t just about infiltrating communications; it had deep national security implications, including the targeting of high-profile individuals.

Targeted Victims and Infrastructure Compromise

The breach impacted prominent figures, including Donald Trump, JD Vance, members of Kamala Harris’s campaign, and U.S. State Department officials. The recent campaign is not considered election-related, as the telecommunications networks were compromised months or even years prior to the discovery of the breaches.

Hackers gained access to unencrypted communications, including texts, but did not intercept communications on encrypted platforms. This breach has compromised U.S. telecom systems, necessitating the replacement of outdated hardware, including routers and switches, to secure the networks.

Warner compared the scale of the Salt Typhoon attack to previous high-profile breaches like Colonial Pipeline and SolarWinds, noting that its impact dwarfs these incidents in terms of scope and long-term consequences. The attack also highlights China’s ongoing efforts to infiltrate global telecom systems and exfiltrate massive amounts of sensitive data.

The Secure American Communications Act

In response to these breaches, Senator Ron Wyden introduced a draft bill, the Secure American Communications Act, aimed at strengthening the cybersecurity posture of U.S. telecom companies. The legislation mandates that the Federal Communications Commission (FCC) enforce binding cybersecurity rules, addressing long-standing vulnerabilities within telecom networks. Key provisions of the bill include:

  • Telecom companies will be required to conduct annual security assessments, apply necessary patches, and document their findings and corrective measures.
  • Companies must hire independent auditors to assess compliance with FCC cybersecurity regulations.
  • CEOs and CISOs will be held accountable for certifying their companies’ compliance with the new security standards.

Wyden’s proposal also reflects frustration with the current state of telecom network security; the senator criticized the FCC for allowing telecom providers to set their own security standards, which he argues led to the breaches.

A section from the one-pager of Wyden’s proposal, see the full version here.

Global Collaboration on Cybersecurity

In light of these attacks, the governments of the U.S., Australia, Canada, and New Zealand have come together to issue joint guidance on defense strategies against cyber threats linked to the Chinese state. The guidance focuses on techniques employed by PRC-affiliated threat actors and offers actionable insights for defending telecom networks against similar future breaches.

The joint guidance is available on the CISA website.

Further Notable Cyber Attacks in the Telecommunications Sector

Beyond the high-profile attacks attributed to the notorious nation-state threat actor, the telecommunications industry has witnessed several other significant cyber breaches in recent times, including:

French Telecom Providers (July 2024)

The French telecommunication industry experienced widespread disruption when several major companies (Alphalink, Bouygues, Free, SFR) became targets of a coordinated cyberattack.

The attackers cut long-distance cables, leading to major service outages across at least six geographic regions. The timing of this attack was particularly damaging, as it coincided with the Paris 2024 Olympics, affecting both fixed-line and mobile services.

AT&T (via Snowflake Cloud Workspace, April 2024)

AT&T was hit with another significant breach in April 2024, involving its Snowflake cloud workspace. The breach resulted in the leak of metadata from 109 million customers, including sensitive call and text records. This exposed personal data that could have been used for geolocation, posing severe privacy risks.

The attackers demanded a ransom for the deletion of the stolen data. The FBI was able to arrest individuals connected to the theft, but the incident highlighted the growing risks associated with cloud-based services and the importance of securing such environments.

Orange Spain (January 2024)

Orange Spain suffered a breach that led to significant service disruption. The attack targeted the company’s critical network configuration systems, affecting mobile browsing services.

Researchers discovered that the breach was facilitated by stolen credentials exfiltrated from an employee’s computer, which had been infected months earlier by Raccoon-type infostealer malware. As a result, this incident can be classified as an insider threat.

Kyivstar (December 2023)

In December 2023, Kyivstar, Ukraine’s largest telecommunications provider, suffered a crippling cyberattack that left millions of customers without service. The incident coincided with President Volodymyr Zelenskyy’s visit to Washington for military aid discussions.

The outage disrupted vital services, including air raid sirens and banking operations, affecting credit card transactions and ATM access nationwide. While the Russian hacktivist group KillNet claimed responsibility for the attack, cybersecurity experts expressed skepticism about their assertion.

Xfinity (via Citrix Bleed Vulnerability, October 2023)

Lastly, Xfinity, one of the largest internet service providers in the U.S., reported a significant data breach affecting nearly 36 million customers. Hackers exploited vulnerabilities in Citrix technology, gaining unauthorized access to sensitive information, including usernames and hashed passwords, before Xfinity could implement a patch.

CVE-2023-4966, aka Citrix Bleed, led to the Xfinity breach (SOCRadar Vulnerability Intelligence)

In addition to these attacks, it is also important to mention that the U.S. authorities recently arrested a suspect linked to the Scattered Spider group for hacking two telecom companies, alongside a financial institution. The suspect gained unauthorized access to these organizations’ networks by impersonating IT support and using credentials obtained through phishing.

These recent cyber attacks demonstrate the ongoing vulnerabilities within the telecommunications sector, highlighting the need for stronger defenses against both internal and external threats. With the rise in sophisticated tactics, including phishing, insider threats, and exploitation of vulnerabilities, the industry must prioritize comprehensive security measures to protect critical infrastructure and sensitive data.

Dark Web Insights: Threats to the Telecommunication Industry

The Dark Web remains a key resource for cybercriminals seeking to buy and sell stolen data, and that includes sensitive telecom information. By monitoring the Dark Web, organizations can uncover threats targeting the telecom sector, such as the sale of compromised data, unauthorized access to networks, or the exchange of leaked communications. SOCRadar’s Dark Web News module tracks such activities, providing insights into emerging threats before they escalate.

Let’s take a look at some significant Dark Web findings related to the telecom sector:

Sale of Unauthorized Root Access to ISP Server

On December 12, 2024, a hacker forum posted an offer for unauthorized root access to a server belonging to an American ISP company. The seller claimed to have access to the server’s firewall and was asking for a fixed price of $500, despite the server’s potential revenue being estimated at $1 billion.

Access sale post for an ISP in the U.S. (SOCRadar Dark Web News)

Sale of Unauthorized Access to Lyca Mobile and Lebara UK

A December 11, 2024, post on a hacker forum reported the sale of unauthorized access to retail panels for Lyca Mobile and Lebara UK, two major Mobile Virtual Network Operators (MVNOs) operating in France and Germany.

Retail panel sale post for Lebara and LycaMobile (SOCRadar Dark Web News)

Black Basta Ransomware Attack on BT Group

In early December 2024, BT Group, a leading UK telecom provider, confirmed that its BT Conferencing division was attacked by the Black Basta ransomware group. This attack led to the shutdown of certain servers within the division. Although BT reported no impact on its core services, the ransomware group claimed to have exfiltrated 500GB of sensitive data, including financial records, personal documents, and Non-Disclosure Agreements (NDAs).

BT Group plc was listed on Black Basta data leak site

Sale of Telstra Employee Database

On November 24, 2024, a hacker forum post indicated the potential sale of an employee database from Telstra, one of Australia’s largest telecom providers. The database reportedly contained details of 47,300 employees, including names, email addresses, and job titles.

Employee database of Telstra was allegedly posted on a hacker forum (SOCRadar Dark Web News)

These incidents underscore the growing value of telecom network access and the increasing exploitation of vulnerabilities in both critical infrastructure and partnerships with service providers. From unauthorized access to internal systems and MVNO panels to the sale of employee data, attackers are targeting vital elements of telecom infrastructure. This highlights the significant risks posed by internal breaches and the potential for further attacks, such as phishing or deeper network infiltration. All in all, proactive monitoring is essential to protect against these threats.

With SOCRadar’s Dark Web Monitoring module, you can proactively detect threats targeting your telecom infrastructure before they escalate. Stay informed about breaches, stolen data, and the evolving tactics used by cybercriminals, enabling you to protect your organization’s sensitive data and maintain a strong security posture.

SOCRadar’s Dark Web Monitoring module

Here are the key capabilities of SOCRadar’s Dark Web Monitoring module:

  • Real-Time Threat Detection: Continuously monitors the Dark Web for exposed or compromised data, offering early alerts for potential breaches.
  • Sensitive Data Tracking: Identifies and alerts on the sale or leaking of critical data like personal, financial, and corporate information.
  • Emerging Threat Identification: Detects new threats and Dark Web discussions targeting your organization or industry, enabling proactive defense.
  • Actionable Intelligence Reports: Provides insights and intelligence for informed decision-making and quick incident response.

Conclusion

The rising wave of cyber attacks against telecom companies, particularly those attributed to Salt Typhoon, highlights the critical vulnerabilities within this sector.

From sophisticated espionage campaigns to ransomware and internal breaches, telecom providers are increasingly targeted for their sensitive data and infrastructure. The responses from industry leaders and government officials emphasize the urgency for enhanced cybersecurity measures. Legislation and global cooperation on defense strategies are steps toward securing telecom networks.

Proactively addressing these threats through regular security assessments, timely patching, and Advanced Dark Web Monitoring will be crucial in protecting sensitive communications and maintaining trust in global telecom systems.

Full Research: https://socradar.io/cyber-attacks-telecommunication-industry-2023-2024/