For the past several months, suspected Iranian hackers have been rooting around the IT systems of at least three telecommunications companies in Pakistan, accessing data servers when it suits them, according to cybersecurity company Symantec.
The report, published Tuesday, points the finger at a group called Greenbug, which used virtual “tunnels” to quietly stay connected to victim machines. The telecom data offered a trove of information to spy on targets in Pakistan, and the hackers were determined to access the companies’ networks.
“As we would close one door, they would attempt to come back through another,” said Jon DiMaggio, senior cyberthreat analyst at the Symantec Enterprise Division, recalling Greenbug’s drive to stay on the Pakistani telecom companies’ networks after being discovered.
Analysts told CyberScoop that the report is another example of the challenges some telecom providers have in keeping spies out of their networks. Eighteen different hacking groups linked to various governments went after telecom companies in 2019, according to Symantec. Other analysts have reported similarly rampant activity. In one case, suspected Chinese spies breached about 10 cellular providers in Africa, Europe, the Middle East and Asia.
While U.S. telecom giants like AT&T and Verizon can invest heavily in countering such hacking threats, not all telecom providers around the world have the same resources. Some are adequately trained and resourced to repel attacks, while others are easier targets, said Adam Meyers, CrowdStrike’s vice president of intelligence.
If cyber-espionage groups do manage to burrow into a telecom network undetected, Myers added, “then you have lots of different targets you can collect on. It’s more bang for their buck.”
Hackers associated with the Iranian government are perhaps best known for data-destroying attacks like the 2012 assault against oil giant Saudi Aramco, which damaged tens of thousands of computers. But groups like Greenbug have made a living in quietly infiltrating telecom firms in the Middle East and South Asia. And they’re not the only hacking team linked with Tehran to do so.
“It’s likely a high priority intelligence requirement for several teams to target telcos in the Middle East given the value of the data and the country’s national security objectives,” said Saher Naumaan, a senior threat intelligence analyst at BAE Systems focused on Iran-linked groups.
The spying has gone beyond traditional phone companies to include managed service providers, the remote networking vendors that so many companies around the world rely on. Another suspected Iranian espionage group, Tortoiseshell, targeted several IT providers with clients in Saudi Arabia last year.
As the cat-and-mouse games between spies and telecom firms continue, researchers hope to catch the hackers more quickly after they compromise networks. They have their work cut out for them. The amount of intelligence targets that rely on a given telecom network — whether dissidents or foreign diplomats — means those networks will continue be in the crosshairs, Meyers said.