Cybersecurity in Telecom Networks

Summary

Cybersecurity in telecom networks refers to the protection of communication systems—like mobile and internet infrastructure—from threats such as hacking, espionage, and data theft. As telecom networks become more complex and integral to daily life, safeguarding them is crucial to prevent disruption and unauthorized access.

  • Prioritize patching: Always update network devices and software promptly to minimize the risk from known vulnerabilities.
  • Strengthen authentication: Use strong, phishing-resistant authentication methods like passkeys or hardware tokens instead of relying on SMS-based codes.
  • Monitor network activity: Regularly review logs and analyze signaling patterns within telecom infrastructure to spot unusual behavior that could indicate a cyber attack or misuse.
Summarized by AI based on LinkedIn member posts
  • Taha Sajid - CISSP, MSc

    Principal Security Architect | Securing GenAI, Agentic AI & 5G Infrastructure | Creator of AI-Driven Security Platforms | CSA Chair, Lead Author for Zero Trust & AI, 6G, Quantum Research | 10 Patents

    14,250 followers

    How would you stop a stealthy telecom APT like #SaltTyphoon? Most only react when it’s too late.

    After researching the Salt Typhoon exploit chain, from unpatched routers to covert data exfiltration, I developed a layered security architecture designed explicitly for telecom networks, integrating detection, hardening, and proactive validation at every stage.

    Here’s how I broke it down:

    1️⃣ Edge Routers: Exploit attempts, such as CVE-2023-20198, demand firmware lockdown and a Suricata-based IDS.
    2️⃣ Infrastructure Core: Rootkits like Demodex evade traditional detection — NDR and FS integrity checks are critical.
    3️⃣ Lawful Intercept Systems: Often overlooked, these mediation layers need strict RBAC and mTLS.
    4️⃣ CDR & Subscriber DBs: Protecting metadata isn’t just a compliance task — SQL behavior analytics and field-level tokenization help stop insider-style exfil.
    5️⃣ Egress Channels (DNS/TLS): Covert exfiltration over DNS or TLS? We apply deception, beacon pattern detection, and strict egress control.

    But defense isn’t enough; that’s where X-SCAS comes in. Our platform simulates adversarial behaviors (rootkit drops, DNS tunnels, exploit attempts) to validate if your security controls truly work, not just on paper, but in live environments. Security assurance isn’t a checkbox — it’s an active, evolving commitment.

    I’ve included the architecture diagram that ties it all together — zone by zone, control by control. If you’re in telecom, infrastructure, or critical services, this might save you hours of design and maybe millions in breach costs.

    Would love your thoughts on how you are validating your defenses against today’s APTs? DM or Comment if you want a detailed guide on the attack analogy of the Salt typhoon cyber incident with detection, prevention, and hardening guidelines.

    Proud of the work that we do at #xecuritypulse X-LAB, in preparing practical use cases, aimed to secure National Infrastructure and complement the work of #CISA

    #tahasajid #Cybersecurity #TelecomSecurity #APTDefense #XSCAS #ThreatModeling #ZeroTrust #SaltTyphoon #5GSecurity #RedTeam #NetworkHardening #SecurityArchitecture #CISA #AIRANALLIANCE #3GPP #GSMA #ORAN
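
The "beacon pattern detection" control named for egress channels in the post above can be sketched as follows. This is an added example, not code from the post's author or from X-SCAS; the log format, thresholds, addresses and domain names are constructed assumptions.

```python
"""Flag clients whose DNS queries to one domain recur at near-constant intervals."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample data (not from any real network): (epoch_seconds, client, name)
_BEACON_TIMES = (1000, 1060, 1121, 1180, 1241, 1300, 1360)
_BEACON_LABELS = ("a1f", "b07", "c9e", "d42", "e5b", "f33", "a90")
_EVENTS = (
    [(t, "10.0.0.5", f"{lbl}.u.example-cdn.test")
     for t, lbl in zip(_BEACON_TIMES, _BEACON_LABELS)]
    + [(t, "10.0.0.9", "www.example.org") for t in (1000, 1003, 1500, 1510, 2900, 2950, 4000)]
    + [(t, "10.0.0.7", "time.example.net") for t in (1000, 2000, 3000)]
)
# Rendered as resolver log lines: "<epoch_seconds> <client_ip> <queried_name>"
SAMPLE_LOG = "\n".join(f"{t} {c} {n}" for t, c, n in _EVENTS) + "\ngarbage\nn/a 10.0.0.1 x.test\n"


def registered_domain(name):
    # Assumption: the last two labels approximate the registered domain.
    # Production code should consult the Public Suffix List instead.
    return ".".join(name.rstrip(".").lower().split(".")[-2:])


def parse(log_text):
    """Yield (timestamp, client, name); silently skip malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            yield float(parts[0]), parts[1], parts[2]
        except ValueError:
            continue


def find_beacons(log_text, min_events=6, max_cv=0.1, min_period=10.0):
    """Return (client, domain) pairs whose inter-query gaps show low jitter.

    jitter_cv is the coefficient of variation (stdev / mean) of the gaps:
    human browsing is bursty (high value), timer-driven beacons are not.
    """
    series, names = defaultdict(list), defaultdict(set)
    for ts, client, name in parse(log_text):
        key = (client, registered_domain(name))
        series[key].append(ts)
        names[key].add(name.lower())
    findings = []
    for (client, domain), stamps in series.items():
        if len(stamps) < min_events:
            continue  # too few samples to call anything periodic
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        period = mean(gaps)
        if period < min_period:
            continue  # rapid bursts (page loads, retries), not a timer
        cv = pstdev(gaps) / period
        if cv <= max_cv:
            findings.append({
                "client": client, "domain": domain,
                "period_s": round(period, 1), "jitter_cv": round(cv, 3),
                # many distinct names under one domain also fits DNS tunnelling
                "unique_names": len(names[(client, domain)]),
            })
    return sorted(findings, key=lambda f: f["jitter_cv"])


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(hit)
```

Legitimate timers (NTP, update checks, health probes) are also periodic, so findings from a check like this feed an allowlist review rather than an automatic block.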

  • Joe Constantine

    EVP, Chief Strategy and Technology Officer @ Ericsson Americas | Shaping the next era of connectivity through 5G, Cloud and AI | Driving customer growth through innovation | Tech leader | Digital inclusion advocate

    6,549 followers

    https://lnkd.in/gmHmpKVC

    AI is not only redefining telecom networks—it is fundamentally elevating the security imperative that underpins them.

    Building on my recent perspectives on network security and resilience, Ericsson’s whitepaper on “The Network for AI Experiences” underscores a critical reality: as networks evolve to support AI-driven applications, security must be intrinsically embedded—by design, not by exception.

    We are transitioning toward programmable, intelligent networks where AI workloads span cloud, edge, and device layers. This evolution introduces a new level of complexity:

    • Expanded attack surfaces driven by distributed and edge architectures
    • Heightened sensitivity to latency, reliability, and data integrity
    • Highly dynamic, API-driven environments requiring continuous trust enforcement

    To securely enable AI at scale, networks must deliver:

    • Differentiated, SLA-aware connectivity with integrated security controls
    • Real-time observability with automated threat detection and response
    • Secure and governed exposure of network capabilities via APIs
    • End-to-end data protection across increasingly decentralized ecosystems

    The convergence of AI and telecom is no longer solely a performance discussion—it is a strategic mandate centered on security and resilience. The path forward is clear: future networks must be intelligent, adaptive, and secure at their core. Those who lead will be the ones who embed security across every layer of the AI-driven network fabric.

    #AI #Cybersecurity #Telecom #5G #ZeroTrust #DigitalInfrastructure

  • Jen Easterly

    CEO, RSAC | Cyber + AI | Leader | Keynote Speaker | Innovator | #MoveFast&BuildThings

    125,433 followers

    On 13 Nov, the Cybersecurity and Infrastructure Security Agency & the Federal Bureau of Investigation (FBI) released a statement (https://lnkd.in/ezrFy_4j) on the US government's investigation into PRC targeting of telco infrastructure:

    “PRC-affiliated actors have compromised networks at multiple telecommunications companies to enable the theft of customer call records data, the compromise of private communications of a limited number of individuals who are primarily involved in government or political activity, and the copying of certain information that was subject to U.S. law enforcement requests pursuant to court orders. We expect our understanding of these compromises to grow as the investigation continues.”

    With the investigation ongoing, folks should take basic steps now to protect their personal communications. With gratitude to CISA's Senior Technical Advisor Bob Lord (https://lnkd.in/e-WxWiFF) consider the below steps:

    - Enable FIDO authentication or FIDO https://lnkd.in/ezzyha7t for email & social media accounts
    - Migrate off SMS MFA for all other logins. Migrate to FIDO/passkeys if you can, otherwise to an authenticator app
    - Use a password manager for all passwords. Use a strong pass phrase (https://lnkd.in/ebPpTAU5) for the vault password.
    - Set a telco PIN to reduce chances of a SIM-swap attack
    - Update the OS and all apps and turn on auto update

    Additional tips:

    1. Encrypt all text and voice communications (some options):
       - Signal works well on iPhones & Android phones.
       - iMessage is great if all your contacts are within the Apple ecosystem, though that’s limiting
       - Collaboration suites like Google Workspace or Teams can work but don’t always encrypt as you might assume. For example, Teams encrypts data point-to-point, meaning it’s decrypted on Microsoft’s servers before re-encrypting it to the recipient. If you want end-to-end encryption, there’s an option, but it’s off by default and only supports two people on the call.
       - WhatsApp might be ok for some people based on their threat model but understand metadata it keeps (https://lnkd.in/eQkP-Ety) & how it's used (https://lnkd.in/eiZmxgi4).
    2. If you use an iPhone disable these carrier-provided services that increase the attack surface:
       - Disable: Settings > Apps > Messages > Send as Text Message
       - Disable: Settings > Apps > Messages > RCS Messaging > RCS Messaging
    3. Protect DNS lookups (some options):
       - Apple iCloud Private Relay
       - Cloudflare’s 1.1.1.1 resolver
       - Quad9’s 9.9.9.9 resolver
    4. Use recent hardware: Apple (13 or newer) or Google (Pixel 6 or newer)
    5. Depending on your threat model, consider enabling Lockdown Mode on iPhones: It will disable some features, but it’s manageable

  • Vaughan Shanks

    Helping security teams respond to cyber incidents better and faster | CEO & Co-Founder, Cydarm Technologies

    12,075 followers

    Following cyber espionage by PRC-affiliated actors against multiple US-based telcos, #CISA and partners have released guidance for telcos, which offers some clues as to what might have happened.

    The espionage campaign by PRC-based actor nicknamed Salt Typhoon (presumed to be PRC MSS), enabled theft of customer call data records, private communications of government and political individuals, and copying of lawful intercept information, from AT&T, Verizon, and Lumen. In other words, Salt Typhoon were presumably able to spy on US government comms, track everyone's movements and calls, and see who is being wiretapped - potentially for several years.

    The "Enhanced Visibility and Hardening Guidance for Communications Infrastructure" was released on Tuesday by #CISA, #NSA, #FBI, and cyber agencies from Australia, NZ, and Canada, and includes advice on how to defend telco networks. The guidance states up front that "no novel activity" was observed - the threat actors exploited existing vulnerabilities.

    At a high level, the key points for hardening are:

    🔒 Do not expose management interfaces to the Internet, and make sure they do not use default passwords! This seems to be a problem in a lot of critical infra.
    🔒 Keep management networks separate from data networks, and default deny inbound and outbound network traffic that is not needed.
    🔒 Deploy security patches (especially on vulnerable Cisco hardware) - note that these attackers are not using 0-days.
    🔒 Log authn, configuration changes, and network traffic on critical interfaces, then send logs encrypted to a central logging system (SIEM).
    🔒 Use only strong, approved encryption algorithms.
    🔒 Use phishing resistant MFA for accounts accessing sensitive systems.

    For telco customers (ie. everyone!) this means we need to take attacker-in-the-middle threats seriously. The FBI and CISA have warned that SMS and phone calls are not secure, and you should use an end-to-end encrypted messaging app (eg. iMessage/FaceTime, Signal, WhatsApp). I never thought I would see the day!
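
Several of the hardening points summarized in the post above (management interfaces, default passwords, central logging) can be checked offline against a saved device configuration. The audit below is an added example, not part of the post or of the CISA guidance; both configurations are constructed, use standard Cisco IOS-style syntax, and the finding codes are hypothetical names.

```python
"""Offline audit of an IOS-style running-config against a few hardening points."""
import re

# Constructed sample configuration (not from any real device).
SAMPLE_CONFIG = """\
hostname edge-rtr-01
enable password cisco123
ip http server
ip http secure-server
snmp-server community public RO
!
line vty 0 4
 transport input telnet ssh
!
line vty 5 15
 access-class MGMT-ONLY in
 transport input ssh
!
"""

# Constructed hardened counterpart; the secret hash is a placeholder.
HARDENED_CONFIG = """\
hostname edge-rtr-01
enable secret 9 <placeholder-hash>
no ip http server
no ip http secure-server
logging host 192.0.2.10
!
line vty 0 15
 access-class MGMT-ONLY in
 transport input ssh
!
"""


def sections(config):
    """Group indented sub-commands under their top-level command."""
    out = []
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw[0].isspace() and out:
            out[-1][1].append(raw.strip())
        else:
            out.append((raw.strip(), []))
    return out


def audit(config):
    """Return a list of (code, detail) findings; details never echo secrets."""
    findings, remote_logging = [], False
    for header, children in sections(config):
        if re.fullmatch(r"ip http (secure-)?server", header):
            # Web management UI is on: disable it or prove it is unreachable
            # from untrusted networks.
            findings.append(("MGMT-HTTP", header))
        elif header.startswith("enable password "):
            findings.append(("WEAK-SECRET", "enable password (use 'enable secret')"))
        elif re.match(r"snmp-server community (public|private)\b", header):
            findings.append(("DEFAULT-CRED", "well-known SNMP community string"))
        elif header.startswith("logging host "):
            remote_logging = True
        elif header.startswith("line vty"):
            transport = next((c for c in children if c.startswith("transport input")), "")
            if re.search(r"\b(telnet|all)\b", transport):
                findings.append(("CLEARTEXT-MGMT", f"{header}: {transport}"))
            if not any(c.startswith("access-class ") for c in children):
                findings.append(("MGMT-NO-ACL", header))
    if not remote_logging:
        findings.append(("NO-CENTRAL-LOG", "no 'logging host' configured"))
    return findings


if __name__ == "__main__":
    for code, detail in audit(SAMPLE_CONFIG):
        print(f"{code:15} {detail}")
```

A clean result only covers the listed checks; patch level, encrypted log transport and MFA still need separate verification.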

  • Mark Hay

    Founder, CEO & CTO of Melrose Labs + Melrose Networks. Defence Tech · C-UAS · Communications Technology · Mobile Network Analytics · Telecom Infrastructure 🏴󠁧󠁢󠁳󠁣󠁴󠁿 🇬🇧 🇪🇺 🇺🇦 🌍

    4,382 followers

    As reports emerge of Iranian-launched drones reaching targets across the Gulf and beyond — including Kuwait, Qatar, Bahrain, Saudi Arabia, Oman, Iraq, Jordan, Israel, Azerbaijan and the UAE — most analysis understandably focuses on range, payloads, and air-defence interception. But there is another dimension that deserves far more attention.

    Our own mobile networks.

    Many long-range one-way attack drones can fly most of their route autonomously using pre-programmed waypoints. Yet recent conflicts suggest that some Shahed-type systems incorporate commercial communication modules, including cellular connectivity.

    This creates a troubling possibility. A drone could travel hundreds or even thousands of kilometres autonomously — and then, as it approaches its destination, simply attach to the local mobile network. At that moment, the very qualities we celebrate in modern telecom infrastructure become an advantage for the attacker. Dense coverage. High reliability. High bandwidth. These are the features we expect and demand as everyday mobile subscribers. But they also provide an adversary with a ready-made communications infrastructure inside the very countries being targeted.

    A drone entering national airspace may suddenly gain access to a high-performance communications network built, maintained, and optimised by the very society it is attacking. That connectivity could allow telemetry, limited control updates, mission monitoring, or even the transmission of intelligence back to the attacker. In effect, the drone’s final communications link may not come from the country that launched it. It may come from ours.

    This is why mobile network signalling analysis is becoming increasingly important. By analysing signalling activity within the network, operators and security agencies can identify abnormal device behaviour and help deny attackers the ability to exploit national telecom infrastructure.

    Modern conflict increasingly exploits civilian infrastructure in unexpected ways. Telecommunications networks are no exception.

    Melrose Networks melrosenetworks.com

    #counteruas #mobile #defence #nationalsecurity

  • On May 16, a senior cybersecurity official from the Cybersecurity & Infrastructure Security Agency (CISA) revealed some alarming details about recent mobile network attacks in the U.S. The official disclosed that vulnerabilities in the SS7 and Diameter protocols were exploited to track individuals’ locations. These attacks have persisted despite assurances from major telecom companies like AT&T, Verizon, and T-Mobile that their networks are secure. The official’s statements, made in a filing to the FCC, indicate that these attacks are more widespread than the telecom companies had previously acknowledged: they mentioned specific instances where individuals were tracked using these protocols. The revelations have prompted renewed calls for better protection of the telecommunications infrastructure. Senator Ron Wyden has been particularly vocal, urging the government to implement stricter cybersecurity standards. These insights provide a rare and unfiltered view of the major challenges facing U.S. telecommunications security - and they emphasize the need for immediate and robust action to safeguard against such threats to protect our national security.

  • James Dempsey

    Managing Director, IAPP Cybersecurity Law Center, and Senior Policy Advisor, Stanford Program on Geopolitics, Technology and Governance

    6,406 followers

    The Senate Intelligence Committee draft language on telecommunications cybersecurity is now available, responding, most directly, to China's infiltration of US communications networks. If the language survives (a big "if"), it could drive improvement in cybersecurity across the entire telecom sector, using the Congressional power of the purse. Here's how:

    The legislation would apply to any entity incorporated in the US "that provides telecommunications equipment, systems, or services to an element of the intelligence community." The IC has 18 elements, including the FBI, with offices and other facilities throughout the country, so this essentially encompasses all telecommunications providers in the US.

    The language would require the director of the NSA to develop for all the elements of the IC standard contractual clauses mandating certain cybersecurity practices. No element of the IC could procure, or renew a contract to procure, any telecom equipment, system, or service without including the contract clauses.

    Controls to be mandated by the contract clauses: patch management, decommissioning of end-of-lifecycle devices, minimum configuration practices, MFA or equivalent IAM measures, annual threat hunting, and reporting of network device compromises. All very basic stuff, but so far purely voluntary for telecom providers.

    Here's a link to the bill. The telecom language starts at p. 81. https://lnkd.in/gu4bGH3w

  • Keith King

    Former White House Lead Communications Engineer, U.S. Dept of State, and Joint Chiefs of Staff in the Pentagon. Veteran U.S. Navy, Top Secret/SCI Security Clearance. Over 16,000+ direct connections & 44,000+ followers.

    43,814 followers

    China’s Salt Typhoon Hackers Still Targeting U.S. Telecoms, Exploiting Cisco Routers

    Despite high-profile exposure and U.S. sanctions, the Chinese state-sponsored hacking group Salt Typhoon continues to breach telecommunications and internet service providers, including two more U.S. telecom firms. A new report from cybersecurity firm Recorded Future reveals that Salt Typhoon has expanded its attacks, now targeting telecoms, universities, and internet infrastructure worldwide.

    Key Findings from the Report

    • Salt Typhoon’s Cyber Espionage Continues Unabated:
      • The group has breached five more telecom companies and over a dozen universities worldwide, including institutions in the U.S. and Vietnam.
      • Two newly breached U.S. telecom firms include:
        • A major internet service provider
        • A U.S.-based subsidiary of a UK telecom company
      • The hacks occurred between December 2024 and January 2025, following earlier exposure of Salt Typhoon’s attacks on nine major U.S. phone carriers.
    • Exploiting Cisco Routers for Persistent Access:
      • Salt Typhoon is now leveraging vulnerabilities in Cisco routers to bypass traditional security defenses.
      • Hijacking core networking hardware allows attackers to monitor communications in real time, stealing texts, calls, and sensitive network traffic.
    • Universities Also Under Attack:
      • Hackers have compromised over a dozen universities, including institutions in Utah and Vietnam, likely for intellectual property theft and espionage.

    Why This Matters

    • Mass Surveillance of American Communications:
      • By breaching U.S. telecom networks, Salt Typhoon can intercept real-time calls, texts, and sensitive data from American users.
      • This poses a severe national security risk, especially for government officials, military personnel, and critical industries.
    • Failure of Sanctions to Stop Cyber Espionage:
      • Despite U.S. countermeasures, including sanctions and public exposure, Salt Typhoon has not slowed its activities.
      • This suggests that China remains undeterred by diplomatic or economic consequences.
    • Exploiting Networking Infrastructure for Long-Term Access:
      • Compromising Cisco routers gives China a foothold deep inside telecom networks, making it harder to detect and remove their presence.
      • Unlike typical malware-based intrusions, router-level attacks can persist through reboots and software updates.

    China’s Salt Typhoon remains an active and dangerous cyber threat, undeterred by U.S. sanctions and global exposure. With U.S. telecom networks still compromised, securing critical infrastructure against future attacks will be a top priority for national security officials.

  • Tarini Sai Padmanabhuni

    CEO, DetectifAI | We detect Audio Deepfakes.

    12,918 followers

    Deepfakes are moving directly into telecom networks and device ecosystems. Voice cloning can already pass call-center verification. Synthetic video slips through remote onboarding workflows. Identity signals trusted for years are becoming easy to fabricate at scale.

    When fraud happens, investigations don’t start with the attacker. They start with the network. How did this move through your system unnoticed?

    Telecom operators and OEMs now sit in the attack path. Financial approvals happen over calls. Enterprise collaboration depends on device cameras and microphones. Authentication increasingly relies on signals routed through communication infrastructure. Once manipulated media enters that pipeline, attribution breaks down quickly. Call logs exist. Trust doesn’t.

    Regulators are responding. The EU AI Act introduces transparency obligations around synthetic media, while frameworks like NIST AI RMF push continuous risk monitoring and auditability. Detection is now operational responsibility. Operators and manufacturers are now expected to:

    • detect synthetic media early
    • preserve authenticity evidence
    • support investigations
    • demonstrate safeguards during audits

    Attackers are improving faster than infrastructure upgrades. The question organizations face now is simple: Can you prove your systems saw the manipulation?

    Teams preparing for this shift are already treating authenticity verification as operational readiness. Platforms like DetectifAI enable real-time audio authenticity verification across calls and digital workflows before fraud or regulatory exposure escalates. Communication infrastructure is rapidly becoming trust infrastructure.

  • Dr. Ashutosh Dutta

    IEEE Fellow, ACM Distinguished Member, Chief 5G Strategist, Director JHU Doctor of Engineering Program Fellow of AAIA, and Member of National Academy of Artificial Intelligence.

    11,489 followers

    Real-time Security Monitoring Detection and Mitigation in 5G Networks

    9 AM EDT Friday July 18

    Abstract: Johns Hopkins University in collaboration with IEEE has been building a security and monitoring testbed for the last year that serves as a proof of concept of some of the security controls in 5G Standalone (SA) architecture. This testbed report highlights the results from four different prototypes addressing cybersecurity requirements for mission critical users. This includes generating, detecting, and mitigating attacks on the control plane (e.g., Next-Generation Application Protocol [NGAP]), the user plane [General Packet Radio Services (GPRS) Tunnelling Protocol User Plane (GTP-U)], Voice over Internet Protocol (VoIP) services (including Session Initiation Protocol [SIP] and Real-time Transport Protocol [RTP]), and service-oriented interfaces within the control plane (e.g., Hypertext Transfer Protocol 2.0 [HTTPv2]).

    The service providers and enterprise providers will find the results and methodologies from these experiments useful as they plan to deploy security controls either to fulfill the security requirements or further mitigate cyber-attacks on their commercial networks. These security controls and mitigation techniques will help provide desired quality of service to mission critical users in spite of denial-of-service (DoS) attacks. Results from four use cases demonstrate that many of the attacks in the control plane and user plane can be mitigated if proper security controls are applied. As part of this talk, I will provide some technical details about the security monitoring methods, controls, and mitigation.

    Eman Hammad, PhD Craig Polk Fawzi Behmann Dr. Ashutosh Dutta

    Web URL - https://lnkd.in/e9XSQupg
