The latest annual Cyber Threat Overview from the Agence nationale de la sécurité des systèmes d’information (ANSSI) warns that spies are gaining access to telco systems. The report’s introduction states:
Attacks aimed as espionage have also been characterised by the sustained targeting of telecommunication devices and infrastructure.
The section of the report about threats to telecoms began by emphasizing the challenge that comms providers face.
The targeting of telecommunications operators for espionage purposes is intense.
ANSSI also used the word ‘intense’ to describe a distributed denial of service (DDoS) attack upon a telco.
The telecommunications host and operator OVH was also targeted by an intense DDoS attack which was never claimed and whose goal could consequently not be determined. These attacks are demonstrative of the capacity of DDoS attacks to periodically disturb essential infrastructure.
Bad actors who attack telcos exhibit deep knowledge of telecoms systems.
In the attacks observed by ANSSI, attackers have frequently used malicious codes developed for very specific technologies or devices. The limited reusability of such tools highlights the importance of the means deployed. What is more, in many of these cases the attack was detected several years after the initial compromise.
ANSSI observed how the methods to attack telcos are tailored to the target.
One of these incidents resulted in the compromise of a telecommunications operator’s mobile core network. The intrusion set employed to achieve this compromise possessed a thorough understanding of the sector’s specific communication protocols and concentrated its activities on unconventional devices or on devices which are rarely supervised by security solutions. These characteristics are indicative of the intrusion set’s sophistication and significant adaptability. The investigations conducted by ANSSI reveal the alignment of the intrusion set with strategic state interests.
ANSSI was not specific about who was to blame for individual attacks, but they signaled who lies behind a rise in cyberwarfare.
The telecommunications sector as a whole has been regularly and substantially targeted by attackers reputedly linked to China, particularly in Asia. Though the numerous cases of compromise reported by security vendors have involved the exfiltration of data, the nature of the leaks has not always been specified.
Over the past two years, ANSSI has processed several incidents affecting entities of the French telecommunications sector and aimed at espionage.
The report highlights how one particular telco’s firewall and information systems (IS) were compromised.
…in 2024 ANSSI processed the compromise and encryption by ransomware of a telecommunications entity. An edge device — a Palo Alto firewall vulnerable to CVE-2024-3400… was the target of multiple malicious login attempts over the course of a several months. Once the device had been successfully compromised, attackers used the access to lateralise themselves across the IS. This incident affected the victim’s operations for several months and required significant reconstruction efforts. It should be noted that in this case, the vulnerability was exploited over two months after the publication of a patch by the vendor and of an alert by the CERT-FR.
A bad actor who subverts a network for espionage may later choose to disrupt communications services.
The Agency has also assisted an operator whose satellite communications infrastructure had been experiencing in-depth compromise for several years. During this attack, which was likely conducted for espionage purposes, attackers had the capacity to carry out acts of sabotage whose consequences might have proven critical given the high availability requirements of satellite infrastructure. The information extracted from intercepted communications potentially allowed the attacker to conduct other attacks, or may have benefited other groups of attackers linked to the same strategic actor. According to ANSSI, it is very likely for this actor to keep targeting this type of infrastructure. As such, the Agency recommends that actors of the telecommunications sector pay closer attention to this threat.
One motive to hack a telco is to spy on particular individuals.
…ANSSI has assisted a telecommunications operator in the eviction of a malicious actor which had been present on its IS since — at least — December of 2022. The level of privilege reached by the attacker — who was known to primarily target entities of this sector — granted them significant lateralisation, espionage, and sabotage capabilities on the victim’s IS. The Agency’s investigations confirmed that one of the objectives of the attack was to intercept the communications of specific targets.
The English-language version of ANSSI’s fourth annual Cyber Threat Overview can be found here.



