Denmark Warns of Increased State-Sponsored Campaigns Targeting European Telcos
Danish cybersecurity agency raises threat level for telecom sector to high due to rising threats across Europe
Denmark's cybersecurity agency has raised the threat level for its telecommunications sector from medium to high. The move comes amid an increase in state-sponsored campaigns targeting European telecom companies. The Danish Social Security Agency published a new threat assessment that highlights the risks facing telecom providers in Europe.
"The extent of cyber espionage against the telecommunications sector in Europe has likely increased," reads the threat assessment. "Danish telecommunications and internet providers must therefore also be aware of attempted cyber attacks by state hackers."
The Danish telecom sector is facing multiple cyber threats, including espionage, destructive attacks, cyber activism, and criminal hackers. Nation-state actors are targeting telecom providers to access user data, monitor communications, and potentially launch cyber or physical attacks.
"For example, cybersecurity firm CrowdStrike has described how state-sponsored hackers have compromised telecom providers and used telecom-specific malware and protocols, such as GTP, to control and communicate with the compromised systems," continues the assessment.
This warning is not new to Denmark. In 2021, the country issued its first public European warning on a Chinese spying campaign called Salt Typhoon. Although the agency didn't explicitly name China, the U.S. previously reported that European targets were compromised.
According to recent reports from Cisco Talos researchers, China-linked APT group Salt Typhoon uses a custom-built utility, dubbed JumbledPath, to spy on network traffic of U.S. telecommunication providers.
The Salt Typhoon hacking campaign has targeted telecommunications providers in several dozen countries and has been active for 1–2 years. The group has breached major U.S. telecom firms, using stolen credentials with limited exploitation of vulnerabilities.
In mid-December 2024, the researchers also spotted the Salt Typhoon group performing reconnaissance against multiple infrastructure assets operated by a Myanmar-based telecommunications provider, Mytel.
Other notable cases of state-sponsored campaigns targeting European telcos include:
* The breach of Charter Communications and Windstream.
* The compromise of at least eight U.S. telecommunications firms.
* The attack on dozens of countries, including the U.S., Italy, the UK, South Africa, and Thailand.
The Salt Typhoon hacking campaign has used generic routing encapsulation (GRE) tunnels to maintain persistence, evade detection, and stealthily exfiltrate data by encapsulating it within GRE packets.
In addition to the Salt Typhoon group, another China-linked APT group, LightBasin, is also targeting mobile telephone networks around the globe. This group has used specialized tools to access calling records and text messages from telecommunications companies.
Security researcher HaxRob discovered a previously undetected Linux backdoor dubbed GTPDOOR, which is specifically crafted to carry out stealth cyber operations within mobile carrier networks.
The GTPDOOR backdoor uses the GPRS Tunnelling Protocol (GTP) for C2 communications. It does not rely on a PDP context (GTP-U, user plane); instead it uses specific GTP-C signalling messages with its own extended message structure.
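A defender-side sketch of the point above, added here as an example and not taken from the threat assessment or from HaxRob's research: it parses the GTPv1 header of payloads captured on the GTP-C port (UDP 2123) and flags signalling that deserves review. The peer allowlist, the sample datagrams and the echo-request heuristic are assumptions made for illustration; they do not describe GTPDOOR's actual message format.

```python
import struct

ECHO_REQUEST = 1  # GTPv1 message type for Echo Request
# Hypothetical allowlist of legitimate GTP-C peers (constructed addresses).
KNOWN_PEERS = {"10.20.0.5", "10.20.0.6"}

def parse_gtpv1(datagram):
    """Return (message_type, body) for a GTPv1 datagram, else raise ValueError."""
    if len(datagram) < 8:
        raise ValueError("shorter than the mandatory 8-byte header")
    flags, msg_type, length, _teid = struct.unpack("!BBHI", datagram[:8])
    if flags >> 5 != 1 or not flags & 0x10:
        raise ValueError("not GTP version 1")
    # The length field counts everything after the first 8 bytes.
    if length != len(datagram) - 8:
        raise ValueError("length field disagrees with datagram size")
    # If any of the E, S or PN flags is set, four optional header bytes follow.
    offset = 12 if flags & 0x07 else 8
    if len(datagram) < offset:
        raise ValueError("truncated optional header fields")
    return msg_type, datagram[offset:]

def assess(src_ip, datagram):
    """Return a list of review findings for one UDP/2123 payload."""
    findings = []
    if src_ip not in KNOWN_PEERS:
        findings.append("unknown-peer")
    try:
        msg_type, body = parse_gtpv1(datagram)
    except ValueError:
        return findings + ["malformed-header"]
    # Assumed heuristic: keep-alive echoes normally carry no information elements.
    if msg_type == ECHO_REQUEST and body:
        findings.append("echo-request-with-payload")
    return findings

# Constructed sample datagrams (not captured traffic).
def _echo(extra=b""):
    return struct.pack("!BBHIHBB", 0x32, ECHO_REQUEST, 4 + len(extra), 0, 1, 0, 0) + extra

CLEAN = _echo()
PADDED = _echo(b"\x00" * 16)
BAD_LENGTH = CLEAN[:2] + b"\x00\x40" + CLEAN[4:]

if __name__ == "__main__":
    for ip, pkt in [("10.20.0.5", CLEAN), ("203.0.113.9", PADDED), ("10.20.0.5", BAD_LENGTH)]:
        print(ip, assess(ip, pkt))
```

Findings are triage hints for an analyst, not verdicts: an echo request may legitimately carry an optional vendor extension, so tune the heuristic against a baseline of the network's own signalling.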
Denmark's warning is a reminder of the increasing threat posed by state-sponsored campaigns targeting European telcos. As such, it is essential for telecom providers to remain vigilant and take proactive measures to protect themselves against these threats.
In conclusion, Denmark's warning serves as a wake-up call for the European telecommunications sector to strengthen its cybersecurity posture and prepare for the growing threat landscape.