Talos Takes
Every two weeks, host Amy Ciminnisi brings on a new guest from Talos or the broader Cisco Security world to break down a complicated security topic. We cover everything from breaking news to attacker trends and emerging threats.
Holding the line: Service provider security
Service providers are the backbone of modern connectivity — but why are they such attractive targets for cyber actors, and what happens when critical networks go down? In this episode, Martin Lee joins Amy to explore the shifting threat landscape for service providers, asking how defenders can spot silent intrusions, what trade-offs must be considered when patching, and how industry collaboration helps prevent widespread disruptions. Join us as we unpack real-world examples and offer practical insights into protecting the infrastructure that keeps our world connected.
Video: Footholds in Infrastructure: Protecting Service Providers
Welcome to the Talos Takes podcast, where we discuss Talos' latest research and security news. This podcast is for everyone from the C-suite to the frontlines. Hello everyone. Welcome to this episode of Talos Takes. I'm your host, Amy Ciminnisi.
Amy Ciminnisi: Today we're exploring a topic that sits at the heart of our digital lives: service providers. They are the backbone companies that deliver the connectivity that we all depend on every day, whether that's for work, communicating with our loved ones, or running critical infrastructure. But with that central role comes enormous risk. In the past few years, service providers have become some of the biggest targets for cyber attackers across the world. We've seen incidents where major telecom networks were disrupted, leading to widespread outages and serious ripple effects across entire countries. Why do these attacks get so much attention, and why are they often considered the scariest type of cyber threat? This is because service providers are the foundation for every other sector. If a telecom network goes down, it's not just phone calls that stop working. Power grids, banks, hospitals, all of them depend on reliable connectivity. We're talking about scenarios where an attack can have true life or death consequences. So what's making service providers such attractive targets? What kind of threats are they facing? How are they responding?
Amy Ciminnisi: To help me unpack all of this, I'm joined today by Martin Lee, who leads Talos' efforts in Europe, the Middle East and Africa and has worked with service providers across the globe. Martin, how are you doing today? Thank you for joining.
Martin Lee: Hi, Amy. Yeah, doing very well. Thank you.
Amy Ciminnisi: Wonderful. So as I was researching this topic, I kept coming across discussions about IT and OT, or operational technology, converging, especially for service providers. How does this convergence create new opportunities or challenges for threat actors? And what kinds of goals do attackers against service providers usually have?
Martin Lee: Cyber attacks are not acts of God. They don't just randomly happen. Behind each one there's ultimately an individual, maybe part of a group or a wider organization, who was trying to achieve some kind of goal. And if we can understand what that goal is, then we can start to understand how they might go about their attacks, why they might be hitting certain sectors or certain organizations, and especially how are they going to conduct their attack? How are they going to go against the target? So when it comes to service providers, and as you know, there's many things which come under that umbrella, we've got to think of the opportunities that that presents for the bad guys. Notably, there's just the generic ones: criminal threat actors using ransomware. Someone who's a service provider may be, you know, hosting many websites or platforms. Very lucrative target, because if you can get your malware onto that system, you disrupt not just one end user, but many. So you multiply your potential payback in terms of the ransoms that you can collect. So that's a big one. Mostly when we're thinking about service providers, we're thinking about APT. So nation state threats. And there's many, many things an APT threat actor can do against a service provider. Any APT is looking to advance the geopolitical objectives of their nation state. Typically in one of two ways: good old fashioned espionage, so stealing information, or causing disruption and sowing discord and destabilizing a society. If we think about the first one, stealing data, stealing information: where do we find lots of information about lots of different organizations and people? Yeah, with the service providers. Telecoms providers have a very specific set of information which is particularly interesting to APT threat actors: the call record. Who is calling who?
If you are involved in espionage, certainly interested in individuals, you've got two big questions on your mind: who are they talking to? What are they talking about? Now, that subscriber call record won't help you with what they're talking about, but it will tell you who is talking to who. So if potentially you're following a dissident network which might be active in your own country, and you've got a high profile dissident in a third party country, well, if you can hack the service provider and get that call record, we can find out who that individual is phoning, which will tell you about their wider network and especially who they are bouncing back to in their parent country, where this dissident network might be operating. So for an internal security service, that's a very, very useful thing to know. In other terms, if we're doing economic espionage, knowing which organization is phoning different ones, or if there's different patterns of activity which might be interesting, certainly potentially looking for who might be a good agent that could work on your behalf, maybe someone who's well connected with government, with lots of incoming and outgoing phone calls, you might be able to target, or you might get a hit with different kinds of attacks, such as, you know, info stealers on their laptop to find out what's going on. So lots of things there. Also, let's face it, internet traffic powers our lives. You know, everything that we do, we're reliant on it now. All of this information, our health records, our financial records, banking, absolutely everything goes through the internet, along with telecoms cables, ultimately between service providers. If you can disrupt that, then you can bring to a halt things like banking networks, organizations, all sorts of things. So there's lots of capability there for a threat actor that wants to destabilize our world.
Amy Ciminnisi: Yeah. Let's actually talk on that a little bit more. Physical threats aren't something that we hear about as often in cybersecurity. Can you elaborate on what these physical threats look like for service providers?
Martin Lee: So often in cyber security, if we think about that stack of activity, normally we're thinking towards the top of the software stack and thinking about vulnerabilities in software. When we talk about service providers, we're thinking about that next tier down, on the hosts that that software is being run on. We also need to think below that, on the physical cables that are connecting different service providers, along which that information is flowing. These can be quite vulnerable. So certainly in Europe there's been a number of attacks over the years, both against terrestrial cables that have been sabotaged and cut. There's also a big risk on subsea cables that carry telecommunications between countries or between continents. There are only so many of them, and we know where they come onto land, because these are well mapped locations, and yes, there is the opportunity for bad guys, particularly motivated nation states, to cut these cables and sever international communications. I've seen a number of occasions of this over the years with shipping vessels accidentally, nudge nudge, wink wink, dragging their anchors over these cables and accidentally breaking them. Yes, it can happen. There have been fishing vessels that have accidentally cut cables if they're doing bottom dredging, sometimes. Yeah, these accidents look a little, tiny bit suspicious. But again, if you are an APT threat actor, if you're looking to destabilize a country, cutting it off from the rest of the world and disrupting those data flows is a very effective way of doing it.
Amy Ciminnisi: Yeah. And risks to service providers are kind of constantly changing. They're very different than they were, for example, 3 or 4 years ago. As you mentioned, Talos has found that a lot of actors, rather than conducting espionage, are silently gaining access to networks, and they're just waiting. Why are they waiting to attack?
Martin Lee: Well, they're waiting. What are they waiting for? Who are they waiting for? We don't know. Is it an attack? Are they just gaining access, maybe selling it on to someone else? We don't know. But those large pieces of equipment that connect wholesale connections, and which, you know, any of our internet connections or our phone lines go into, basically they're big versions of the routers that I've no doubt you've got flashing lights from by your front door, at least in our case. And these devices, well, they don't look like computers, but they are basically computers, very specialized computers that just do one job. Wherever there is software, there are going to be vulnerabilities. Writing software is hard. Getting software to do what it is supposed to do is really, really difficult. Getting it to do what it is supposed to do and never do anything else is really, really, really hard. So if you look hard enough, and if you were to put the resources that might be available to a nation state into reverse engineering one of these devices and finding vulnerabilities in it, yes, almost certainly you would find a vulnerability, and potentially using that vulnerability, you'd be able to gain access to this system. Now, again, they are computers. They've got an operating system. They've got free CPU cycles. So if you can get onto these systems, the routers, the switches, the firewalls, anything like that, you can then use that as a point of ingress into the network that's behind it, and use that as a way of attacking other systems. You could just break it and destroy that system so that it no longer functions and no more traffic can go through it. If it's a router or switch, you can change where those connections are going to. So your users think that they're connecting to one system. They're asking to connect to system A, they think they're connecting to system A.
But in fact, the infrastructure between the user and that system reroutes them onto system B. There are many opportunities for the bad guys to be able to mess with connections. If you were a nation state getting access onto one of these things for some purpose, you might not necessarily know what that purpose is. You might not necessarily know when you would need to have that access, but just to be able to get access there and, you know, just lining things up so that if you were called on, you could say, yep, we've already got access to this system. We know what's behind it. We know the capabilities of what we can do with it. That would be a very, very useful capability. So we do know that there are nation states that are currently doing that with our infrastructure. As with everything, there's always big sticky fingerprints at the scene of the crime if you're looking for them, but you have to actively look for them. And if someone's just got access to something and isn't doing anything, then that's a very, very good way of making those sticky fingerprints harder to find.
Amy Ciminnisi: Yeah. So flipping it around to the defender's side, in your experience, are there any particular signs that defenders of service providers should be paying attention to? You know, how do you find that silent attacker once they're in?
Martin Lee: Well, the biggest thing is finding those vulnerabilities that the bad guys are abusing. When a provider of equipment releases a patch, for goodness sake, patch your systems. And also look at those systems that were previously unpatched to see if there's been unauthorized changes made to them. Changes always leave traces, potentially in the logs. So you might be able to go back through your logs and find evidence of a vulnerability being exploited. Typically the first thing that a threat actor would do once they've got access is mess with the logs so that they hide evidence of their activity, but that hiding of the evidence also leaves traces. So we can detect that. So any changes in the authentication or auditing function of the device should be raising red flags. Also, the other big weakness of any threat actor is that command and control traffic that they need to phone home. They need to know that they've got access. They might well want to issue instructions or conduct some form of reconnaissance. All of that leaves traces that can be found. So being aware of what those traces look like, what do the fingerprints look like, how would you find them, would be the place to start. And that might be as simple as unusual activity in the logs, unusual ports being opened, unusual tunnels being opened into systems. All of that should be raising a red flag.
Martin Lee: But the biggest thing you've got to do: patch, patch, patch, patch, patch, patch. As soon as a patch comes out, apply it. Because that's telling you that there is an issue that is known that you need to fix, and you can be absolutely certain that the most sophisticated threat actors, if they don't already know about that vulnerability, will be analyzing the patch to try and identify that vulnerability and to exploit it. Yes. And we talked about this in the last episode, and we'll also be discussing it in our Year in Review for 2025. But the time in between a vulnerability being announced and it being exploited is getting shorter and shorter. We saw this particularly with React2Shell in December.
Amy Ciminnisi: Related to that, one of the things that we actually talk about in a defending service providers video, that I will put down in the show notes, is that there are certain trade-offs that service providers need to consider when they are trying to prevent attacks. For example, when you are trying to patch, you sometimes have to choose downtime, which can really impact a lot of your customers. All of your customers, even. So how should service providers navigate making those difficult decisions?
Martin Lee: Everything in security is a trade-off. You know, getting through my front door and having to use a key, and the risk of losing my keys, is a trade-off about having an insecure or a secure front door. So, yeah, with everything in life, we have to make trade-offs. Anything involving security? Certainly. Anything involving patching? Yes. There is a risk that, one, that patch might have unwanted consequences and might lead to downtime. It might mean taking a piece of equipment out of action for a time. As you quite rightly point out, you need to balance this against what would happen if you don't patch, and it's not an easy trade-off. Everyone needs to think about it from their own point of view and their own perspectives. Personally? Yeah, you've got to patch. You've got to patch. Because the outcome of a successful attack, having a hostile nation state on your network infrastructure, really, this isn't a good thing. And it's probably worse than having a dozen upset customers phoning you because their lines have gone dead. The other way that I would like people to think about it is also to think in terms of redundancy. You know, any kit does have a finite life. What would happen if there was a fault in the power supply of that system, and actually this device that you're reliant on, that you think, oh, this is so relied on, I can't patch it, what would happen if it just went up in smoke? You know, it does happen. These things have a finite life. You know, really, have built-in redundancy, have double redundancy, have two things. Instead of buying one big box to deal with everything, buy two medium size ones, so that actually you can take one down if it breaks and have the other one pick up the remainder of the load. Or if one needs patching, you can patch it at a quiet time.
Apply the patch on one, get that one up to speed, take the other one out of service and patch it, so that you do have that load balancing and you have redundancy in these systems. It's good engineering. We do need to think about redundancy. You do need to think about what's going to happen if you need to take one of these systems out, potentially just for a few, you know, 30 seconds, a minute, maybe a couple of minutes in order to patch it. That's a possibility. If you don't patch it and it gets hit with a nation state threat actor and, you know, potentially the police come and take it away for forensic analysis for a month or six, you know, that's going to be even worse. So think again. With everything in life, I'm a professional pessimist. Think about the worst thing that could possibly happen and then mitigate against that model. How expensive is that worst case scenario going to be, and use that as the basis upon which you model your security trade-offs.
Amy Ciminnisi: Yeah. So would you say that if you were a security leader at a major service provider right now, patching is the top priority?
Martin Lee: I would say to anyone: patch, patch, patch, patch and patch again. The key to any piece of cyber security really is getting the basics right. You know, don't worry about the most expensive bit of analytical cyber security software if you haven't got your patching down. So yes, patching is that fundamental foundation of any cyber security strategy, no matter what industry you're in. You've got to patch those systems, and you've got to actively hunt out those vulnerable systems that aren't patched, either to get them patched, which is the ideal thing, or, if you can't do it, and yes, there are circumstances where you might not be able to patch something, you know, put a firewall, a next generation firewall, in front of it that's filtering the traffic coming through, so you can detect attempts at exploitation, or you can reject anything apart from traffic that you know is good, or is as certain as you can be, in order to remove bad stuff. If you can do that, you'll be in a very, very good position. And I would certainly do that first, before you start worrying about other things in cyber security, because if you haven't got that right, the bad guys are going to find those vulnerabilities and then boom, they're in.
Amy Ciminnisi: Absolutely. So we hear all the time that cyber security and incident response are team sports. So service providers are working with industry partners, government agencies and even their competitors now to identify and respond to threats. Can you talk a little bit about some examples of how these collaborations work in practice, and what kinds of partnerships or information sharing have been really effective?
Martin Lee: So I think the best example that we have of this, and certainly from the telecoms perspective, is the story of VPNFilter. This was a massive global attack that didn't happen, because we stopped it. So in 2019, if I remember correctly, we identified a router that was making command and control calls out. So this router on its own was connecting to websites, which clearly is very, very suspicious, to say the least. So in partnership with law enforcement, we used our capabilities, the visibility that we have within Talos, and also our position as Cisco in the wider ecosystem, partnering with law enforcement so they can do what they do, to research this issue in greater detail. And we identified that there were 500,000 of these compromised routers, predominately small office and home office systems throughout the world, that had been infected with this particular malware that was sitting on the routers and was being prepared for something. What that something was, we never found out, because we stopped it. We know the capabilities that it gave to the bad guys. We know that, yes, they were able to break the routers and render them completely inoperable. We know that they were able to conduct reconnaissance attacks downstream of that router, so looking at the networks that it was connected to. We know that they could use these infected systems as a platform to launch further attacks, both internally against the internal network and externally. We also know that they could use it as part of a Tor network, so potentially to hide network traffic, to hide its origin. So you can basically, like money laundering, launder network traffic or stolen data by passing it through this network. They did have one fatal flaw, though. They had a single command and control infrastructure network.
So this malware on the router would call out to an image that was hosted on a third party image host. Hidden within the metadata of that image was the data that you could decrypt to find the IP address of the command and control network. There was also a domain that they had registered that was like the fallback to find out the command and control. And what we were able to do was to work together with the entire security industry, so not just Cisco, but working together with organizations that in a commercial context would be considered our competitors, to coordinate the release of signatures to detect this malware, and also to work together with law enforcement. So at the same time that the entire industry was releasing signatures, law enforcement were using their powers to confiscate the command and control infrastructure and basically decapitate this botnet, so that the bad guys could no longer issue commands through it. So yeah, in doing that, we stopped this attack. There were a few hints about what it might have been used for, shall we say. Certainly, there were indications within the code that it had been developed with Russian military intelligence. There was also some overlap. So this was prior to the invasion of Ukraine, and there were some indications that it might have been being prepared for something to do with attacking or disrupting Ukraine. You can read our many blogs that we wrote on it over the time. But yeah, this is the type of thing that the bad guys do, and this is the type of thing that we look for and try and stop them.
Amy Ciminnisi: Yeah, I think that works perfectly into our closing. I really want to end this episode by just thanking all of the service providers out there and letting you know that you are not alone. Talos sees you. We see the pressure that you're under to make sure that everyone is connected and these systems are safe. And just know that there are organizations, you know, like Talos and others, out there to support you through a lot of these decisions and really difficult situations. So thanks for all you do. Martin, any final thoughts?
Martin Lee: Yeah, no. The other thing I was going to say, Amy, you know, we're here to help. You know, our role as Talos is to keep the internet going, keep the lights on across the internet. We are very, very interested in compromised routers and switches. If you do have something that you think is particularly interesting, reach out to us. Certainly if you're a Cisco customer, you can reach out to the Security and Trust Organization through your account manager, and we would get involved potentially in that investigation as well. We have helped out service providers before and been able to give them indications of when attackers were attacking. And so, you know, reach out. We are all united against the common foe, which is the bad guys. Nobody wants the bad guys messing with the service providers, disrupting their activity or hosting malicious activity on genuine service providers' infrastructure. So, yeah, let's just work together, get in touch. I mean, as our tagline goes, our job is your defense. So yeah. Yeah. Well, thank you so much, everyone, for tuning into this episode of Talos Takes. We'll be back in another two weeks with another episode. And until then, stay safe out there.