Secret Service Telcom Takedown Raises Concerns About Mobile Net Security

The takedown of a massive outlaw telecom network in the New York City metro area by the U.S. Secret Service has raised concerns about the security of the nation’s mobile infrastructure.

The Secret Service announced Tuesday that it had dismantled a network of electronic devices located throughout the New York tristate area that were used to conduct multiple telecommunications-related threats directed towards senior U.S. government officials.

It added that the operation led to the discovery of more than 300 SIM servers and 100,000 SIM cards across multiple sites.

In addition to carrying out anonymous telephonic threats, it explained, the “SIM farms” uncovered by the investigators could be used to conduct a wide range of telecommunications attacks, including disabling cell phone towers, enabling denial-of-service attacks, and facilitating anonymous, encrypted communication between potential threat actors and criminal enterprises.

It also noted that early analysis of the SIM information reveals cellular communications between nation-state threat actors and individuals that are known to federal law enforcement.

“The potential for disruption to our country’s telecommunications posed by this network of devices cannot be overstated,” Secret Service Director Sean Curran said in a statement.

Bad Crops From SIM Farms

The network of servers and cards dismantled by the Secret Service formed what’s commonly known as a SIM farm. “A subscriber identity module, or SIM card, is used to securely store a mobile subscriber’s identity and key, which are used to identify and authenticate the authorized user on mobile devices,” explained Austin Berglas, global head of professional services at BlueVoyant, an enterprise cybersecurity company in New York City.

“A SIM farm is a system that is capable of managing and holding thousands of SIM cards in order to produce bulk messages or phone calls,” he told TechNewsWorld. “There are a very limited number of legitimate use cases for SIM farms, and they are a common component to many of the ongoing large-scale, international vishing, smishing, and phishing campaigns.”

Berglas, a former FBI assistant special agent for the New York City metro area, explained that by constantly rotating the use of SIM cards, the system can successfully send hundreds of thousands of messages while averting being shut down by mobile service providers for sending too many messages.

In addition, he continued, these systems can facilitate large-scale robocall or vishing operations and backstop threatening communications using anonymized infrastructure. The devices can also be used to generate and verify a large number of automated accounts, or bots, on online platforms. “These fake accounts are then used to spread misinformation, phishing links, and harmful messages,” he explained.

“Although the group responsible has yet to be identified, this disruption of the New York City-based network is significant due to the cost, size, and malicious capability of the infrastructure,” he said. “Denial of service, espionage and surveillance, swatting, and serving as a base of operations for criminal groups or nation-state actors are all applicable use cases for this network.”

“Farms have been used to spread disinformation about elections, policy, and current events,” he added. “With close proximity to the United Nations, there is potential that this network could have been used to compromise, disrupt, or alter sensitive communications.”

Targeting Critical Infrastructure

The farms can also be used to disrupt cell service. “With SIM servers controlling banks of SIMs, you can generate many attempts to connect to a tower and overwhelm it,” said Marty Puranik, founder and CEO of Atlantic.Net, a cloud service provider headquartered in Orlando, Fla.

“It’s possible that the servers are able to duplicate SIMs from real phones, so the phone network could be flooded with calls appearing to be coming from legitimate users,” he told TechNewsWorld. “If you overwhelm the towers, people wouldn’t have cell service to communicate via voice, text, or data.”

Kern Smith, vice president of global solutions engineering at Zimperium, a mobile security company headquartered in Dallas, explained that the SIM network dismantled by the Secret Service shows how adversaries are targeting mobile connectivity to disrupt critical infrastructure.

“With the ability to disable cell towers and block EMS or police response, the threat goes beyond communications,” he told TechNewsWorld. “It’s about undermining public safety. This reinforces why mobile must be treated as critical infrastructure, with layered defenses to detect and stop advanced threats.”

The underlying problem is that most of the cell phone infrastructure was not designed with enough security in mind, especially as practiced by today’s attackers, noted Roger Grimes, a CISO advisor at security awareness training provider KnowBe4 in Clearwater, Fla.

“Back in the day, the biggest thing preventing hackers from hacking cell phone networks was the cost of the equipment to do it,” he said. “It might run a hacker many tens of thousands of dollars. Then, portable Stingray units were priced at about $10,000 to $15,000. That quickly went down to five thousand, brand new. Now, anyone can buy a used one for a few hundred dollars, and the rogue SIM equipment being found today is in that price range.”

“So,” he continued, “what was once a terribly high barrier to entry to even begin hacking a cell phone network is now within reach of everyday criminals, much less nation states.”

High-Value Takedown

However, the magnitude of the network dismantled by the Secret Service was beyond the scale of small-time hackers. “The costs associated with establishing a capability like the one described by the U.S. Secret Service are massive,” observed John Strand, of Strand Consulting, a consulting firm with a focus on telecom, in Denmark.

“It is a large, expensive, and, not least, complex installation,” he told TechNewsWorld. “Just getting 100,000 SIM cards and activating them is a big deal.”

“Three hundred servers and 100,000 SIM cards are non-trivial. This was a well-funded and coordinated operation,” added Trey Ford, chief strategy and trust officer of Bugcrowd, a crowdsourced bug bounty platform based in San Francisco.

Shelves filled with seized SIM boxes and related equipment from a large telecom threat network dismantled by the U.S. Secret Service throughout the New York tristate area. (Image Credits: U.S. Secret Service)

“Focused disruption, degradation, and potential data capture of telecom networks timed in proximity to the UN General Assembly is a high-value takedown,” he told TechNewsWorld.

Jason Hogg, executive chairman of Cypfer, a global cybersecurity firm that specializes in incident response, ransomware recovery, digital forensics and cyber risk management, noted that the thousands of SIM cards and many SIM servers show not only the scale of effort that bad actors are willing to undertake, but also illustrate the convergence of physical infrastructure with digital networks when it comes to launching large-scale cyberattacks.”

In this case, this would have enabled the bad actors to disrupt telecommunications, a core infrastructure to our national security, via cell towers, as well as initiate cyberattacks,” he told TechNewsWorld.

“The threat to key infrastructure that our nation faces goes well beyond just telecommunications,” said Hogg, a former FBI agent. “We need a paradigm shift from a prevention perspective, though, where we acknowledge the real and persistent threat that the physical and digital footprint together creates. We must start to require unrestricted red teaming and penetration testing of companies in critical infrastructure industries.”

Mobile Networks: The Next Cyber Battleground

Anyone who thinks that mobile isn’t the new frontier in cybersecurity, whether it’s nation-state or criminal activity, should pay attention to this, warned Rocky Cole, COO and co-founder of iVerify, a mobile security software developer, in New York City.

“One hundred thousand SIM cards able to send tens of millions of anonymous SMS messages per minute demonstrates a clear threat to both critical mobile infrastructure as well as to enterprises looking to protect employees from SMS-based social engineering threats,” he told TechNewsWorld.

“This bust shows that we’ve hit a new level in mobile threats, which demands new and more advanced tools to counteract them,” he said.

Cole added that exploiting telecommunications infrastructure on a large scale is a hallmark of nation-state activity, particularly in China. “Whether it’s Salt Typhoon compromising U.S. core networks, or Volt Typhoon exploiting mobile interconnect points, the mobile device increasingly represents the target of choice for advanced threat actors because of the ever-growing intelligence value of information on those devices.”