1. Protecting ISPs is today a high priority from a nation's national security perspective.
2. Internal research activities have shown that all of the ISP-related intrusions attributable to organized adversaries (APT groups) are aimed either at digital espionage operations against third parties or at accessing customer data and databases.
3. In 2019 there was an increase in activity against this sector by threat groups suspected by the industry of operating on behalf of Chinese, Russian and DPRK interests. Locally, activity in the Middle East has been observed from groups suspected of operating on behalf of the Iranian government.
4. In 2019, I participated in the analysis of "DeadlyKiss". From what was observed, it is an uncommon malware family active since at least 2016. Its victims appear to be exclusively entities operating in the telecommunications sector. The ability of this threat to remain in the shadows for all these years (prior to publication its detection rate was extremely low, with only one vendor able to detect it via ML algorithms) makes us reflect on how some threat actors can use specific digital weapons exclusively for the compromise of specific sectors and targets.
Trend Insights: DNS Hijacking Attacks
As of 2019, the security community has been tracking a new threat trend built around activities commonly known as Domain Name System (DNS) hijacking. These operations were directed against targets operating in the telecommunications and ISP sector. Since DNS is a fundamental protocol of the Internet, an adversary who succeeds in hijacking a DNS infrastructure can subvert the intended route of the traffic and redirect it to an unintended destination. The primary goal of this type of attack is to facilitate unauthorized access to third-party targets or to enable further malicious activity. Indeed, when talking about an attack on DNS infrastructure it is usual to identify two distinct groups of victims: the primary one is made up of public entities or national organizations, ministries, critical infrastructure operators in the energy sector and so on, while the second one is made up of DNS registrars, telecommunication companies and ISPs, whose infrastructure is abused to reach the first.
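A practical defensive check that follows from this description is to compare the records a zone owner expects (the authoritative delegation and the A/AAAA/MX records that route traffic and mail) against what is actually observed from the outside, so that a replaced NS delegation or a redirected host stands out immediately. The following is an added example written for this page, not code from the paper or its author: the zone name `example.net.`, the IP addresses and the name server names are all constructed sample data, and in a real deployment the `OBSERVED` dictionary would be filled by querying several independent resolvers and the parent zone rather than hard-coded.

```python
"""Baseline check for unauthorized DNS record changes (added example).

Compares the record sets a zone owner expects against the record sets
observed externally and flags every deviation, rating changes that redirect
traffic or mail (NS, A, AAAA, MX, CNAME) as the most severe. A changed NS
set is treated as critical because it hands the whole zone to another
authoritative server, which is exactly the effect of a registrar-level hijack.
"""
from dataclasses import dataclass

# Record types where an unexpected value means traffic or mail is redirected.
REDIRECTING_TYPES = {"NS", "A", "AAAA", "MX", "CNAME"}


@dataclass(frozen=True)
class Finding:
    name: str
    rtype: str
    expected: frozenset
    observed: frozenset
    severity: str  # "critical" | "high" | "medium" | "low"


def compare_zone(baseline, observed):
    """baseline and observed map (owner_name, rtype) -> set of record values.

    Returns one Finding for every record set that differs from the baseline,
    in deterministic (sorted) order. Identical record sets produce nothing.
    """
    findings = []
    for key in sorted(set(baseline) | set(observed)):
        name, rtype = key
        exp = frozenset(baseline.get(key, ()))
        obs = frozenset(observed.get(key, ()))
        if exp == obs:
            continue
        if rtype == "NS":
            severity = "critical"  # delegation moved: the zone is served elsewhere
        elif rtype in REDIRECTING_TYPES:
            severity = "high"      # a host or mail route now points somewhere new
        elif key not in baseline:
            severity = "medium"    # a record the baseline never had at all
        else:
            severity = "low"       # an existing non-routing record changed value
        findings.append(Finding(name, rtype, exp, obs, severity))
    return findings


def hijack_suspected(findings):
    """True when any finding indicates redirected traffic, mail or delegation."""
    return any(f.severity in ("critical", "high") for f in findings)


# Constructed sample data: what the zone owner expects ...
BASELINE = {
    ("example.net.", "NS"): {"ns1.example.net.", "ns2.example.net."},
    ("example.net.", "A"): {"203.0.113.10"},
    ("example.net.", "MX"): {"10 mail.example.net."},
    ("mail.example.net.", "A"): {"203.0.113.25"},
    ("www.example.net.", "A"): {"203.0.113.10"},
}

# ... and what is observed after a (constructed) hijack: one name server has
# been swapped for an attacker-controlled one, the mail host now resolves to a
# foreign address, and a new TXT record has appeared under the mail host.
OBSERVED = {
    ("example.net.", "NS"): {"ns1.example.net.", "ns.hijacker.invalid."},
    ("example.net.", "A"): {"203.0.113.10"},
    ("example.net.", "MX"): {"10 mail.example.net."},
    ("mail.example.net.", "A"): {"198.51.100.7"},
    ("www.example.net.", "A"): {"203.0.113.10"},
    ("_acme-challenge.mail.example.net.", "TXT"): {"constructed-token-value"},
}


if __name__ == "__main__":
    results = compare_zone(BASELINE, OBSERVED)
    for f in results:
        print(f"[{f.severity:8}] {f.name} {f.rtype}: "
              f"expected {sorted(f.expected)}, observed {sorted(f.observed)}")
    print("hijack suspected:", hijack_suspected(results))
```

Running the script against the constructed data reports the replaced NS delegation as critical, the redirected mail host as high and the new TXT record as medium. The same `compare_zone` function can be fed records collected from the parent zone's delegation, from the registrar's WHOIS/RDAP data and from resolvers in different networks; a disagreement between those sources for the same zone is itself a signal worth alerting on.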
Targeted attacks against ISPs, and in general against companies operating in the telco sector, should be taken very seriously. The greatest threats come from actors looking for customer data to build monitoring capabilities and seeking to exploit such a valuable infrastructure to conduct espionage operations against third parties. Indeed, a compromise of an ISP network can enable further intrusion activity, since the actor may be able to re-route network traffic and communications to malicious infrastructure under its control. Finally, the amount of data that can be collected by compromising the network of an ISP is enormous, and it can be used in various intelligence activities as well as in espionage against people, entities and organizations.
About the Author and full paper details
Emanuele De Lucia is a passionate information security professional. He has worked as a tier-two security analyst in the Security Operation Center (Se.O.C. or S.O.C.) of one of the largest Italian telecom companies, as a code security specialist in one of the world's largest multinational corporations and as Information Security Manager for one of the main facilities of a European organization. He is currently the Head of the Cyber Threat Intelligence Division at Telsy S.p.A. (TIM Group). With a strong technical background, he specializes in cyber threat intelligence, reverse engineering and incident response. He holds a bachelor's degree in Computer Science and a master's in Computer Security and Digital Forensic Investigations. He also holds an Advanced Computer Security Certificate from Stanford University. He is certified CISSP, L|PT, CIFI, CEPT, CREA.
Full Paper: https://drive.google.com/file/d/1oA4YSwXLxEF-EXJcrM76Bc4_7ZfBGYE4/view