Google Cloud: Telcos facing marked increase in cyber attacks
Geopolitical tensions have put infrastructure operators in the firing line
Telecoms companies (telcos) have faced an increasingly hostile cyber security threat landscape throughout the year, according to Google Cloud’s latest security report.
Researchers outlined a rising wave of attacks against telcos, with 85% of the largest 1,000 distributed denial of service (DDoS) attacks mitigated by Lumen in Q1 2023 having occurred against targets in telecoms.
The rising threat of state-backed attacks on critical national infrastructure was linked to the boost in malicious attempts against firms in the telecoms space, while the authors also pointed to the growing sophistication of profit-motivated threat actors as a contributing factor.
In the past year, a number of telcos have been impacted by cyber attacks, including a data breach at T-Mobile, another at Australia’s Optus which may have caused ‘systemic ID problems’ for 10 million citizens, and another at TPG Telecom.
Google’s Threat Analysis Group (TAG) has identified China-backed APT groups focusing on telcos and IT service providers, with victims of these attacks mainly based in South, West, and Southeast Asia, alongside the Middle East and Africa.
The findings were published in Google Cloud’s August 2023 Threat Horizons Report. The authors noted that many telcos are unable or unwilling to replace their legacy technologies out of fear that it could impact customer experience or lead to extended downtimes.
Telecoms providers oversee networks that make use of a range of technology generations, including satellite infrastructure and fixed connections. Unpatched equipment is far more likely to open organizations up to cyber attacks that exploit vulnerabilities.
Other risk factors associated with mounting attacks on telcos included the industry’s increasing adoption of cloud services, and cloud-native elements like containers, for better automation, network stability, and reduced costs. Expanding into a new environment can expose them to a range of new threats.
Researchers also warned that the adoption of distributed 5G for private networks, IoT, enterprise networking, and CNI can widen the attack surface of businesses and open them up to new threats.
The authors urged telcos to adopt a zero trust approach to network architecture, which rejects the concept of a hard security perimeter by requiring that all users and devices be verified, whether they originate within or outside of a given network.
Attackers can launch cyber attacks in the cloud in just ten minutes, and will ruthlessly exploit any lack of oversight over a company’s cloud environment. Kubernetes adoption poses a particular risk if security teams do not properly maintain processes.
Other key findings
The report found that common, user-driven errors were to blame for the vast majority of cloud compromise incidents in Q1 2023.
Credential issues, which may relate to users reusing passwords or storing them poorly, continue to account for over 60% of compromise factors. Poor credential hygiene allows attackers to easily perform credential stuffing and can be remedied with a password manager.
Misconfiguration was linked to 19% of compromise incidents, though researchers noted that misconfiguration is often also an enabling factor for the third-most common cause for incidents: API exposure and UI sensitivity.
For example, if a business configured its firewall or external security tools poorly, it could allow a hacker to easily exploit its APIs.
Google Cloud also recommended that customers examine their domains for malicious activity after discovering 13 customer domains and one GCloud-hosted IP that had been compromised across the quarter.
All were found to have been used to download malicious files, with the IP containing evidence of communications with external malware using abnormal ports.
Official advice for mitigating the risk of being compromised includes the use of endpoint protection tools, which can be specifically configured to detect and remove malicious files in company instances, as well as regular inspection of domains and ports using a service like VirusTotal.

Rory Bathgate is Features and Multimedia Editor at ITPro, overseeing all in-depth content and case studies. He can also be found co-hosting the ITPro Podcast with Jane McCallion, swapping a keyboard for a microphone to discuss the latest learnings with thought leaders from across the tech sector.