Telecommunications Cybersecurity Malaysia

The telco threat profile — critical infrastructure with a uniquely wide attack surface

A mobile network operator or ISP is not simply a large enterprise with a big IT estate. It is simultaneously a communications infrastructure provider, a personal data processor for millions of subscribers, a wholesale interconnect partner, and — under Malaysian law — a National Critical Information Infrastructure operator. The attack surface is correspondingly wide, extending from the customer-facing web and app layer all the way to physical tower sites, the radio access network, the mobile core, OSS/BSS back-office systems, and signaling interconnect with foreign roaming partners.

The threat actor set is diverse. Organised financial crime targets subscribers via SIM-swap fraud — hijacking phone numbers to intercept SMS-based banking OTPs. State-aligned actors have demonstrated the capability and willingness to exploit SS7 and Diameter signaling to track subscriber location and intercept communications without physical access to the network, using access acquired through compromised interconnect partners. Ransomware operators have begun targeting OSS/BSS systems specifically because an operator desperate to restore billing and provisioning functions presents a compelling extortion target. Insider threat — from contact-centre agents enabling SIM swaps for a fee, to field engineers with physical access to remote tower equipment — is a persistent and undermonitored risk in the telco environment.

nCrypt approaches telco security through four concrete threat scenarios that drive assessment scope and detection investment:

• SS7/Diameter signaling abuse. An adversary with access to an interconnect point — available on the grey market for a few thousand dollars — uses MAP (Mobile Application Part) queries to extract subscriber home location register data, intercept SMS OTPs, and track the real-time physical location of targeted subscribers. The attack is transparent to the victim and leaves no trace in the operator's customer-facing logs. Detection requires a dedicated signaling firewall or monitoring layer on the SS7/Diameter interface, with alerting tuned to query-velocity anomalies and off-net subscriber interrogation patterns. nCrypt's signaling assessments help prepare for GSMA FS.11 and FS.19 hardening guidelines.
• SIM-swap and eSIM provisioning fraud. A fraud ring identifies high-value targets — typically individuals with known cryptocurrency holdings or significant banking balances — and social-engineers the operator's retail or contact-centre channel to transfer the victim's number to an attacker-controlled SIM. In parallel, eSIM provisioning abuse targets the SM-DP+ remote provisioning interface, exploiting weak authentication or rate-limiting to activate fraudulent eSIM profiles. Detection maps to SIM change velocity monitoring, identity-verification strength at the point of SIM change, and anomaly alerting when a number receives inbound OTP traffic immediately after a SIM change.
• OSS/BSS exfiltration and ransomware. The OSS/BSS layer holds the complete subscriber record — billing, payment, identity, usage history, device details, and in some architectures the authentication database itself. An adversary who compromises the OSS/BSS layer can exfiltrate millions of subscriber records in a single operation. The same layer is also the target for ransomware operators: encrypting billing and provisioning systems creates immediate service and revenue impact, maximising extortion leverage. Access paths frequently run through third-party vendor support channels — managed-services partners with persistent remote access that is rarely subject to the same authentication and monitoring standards as internal staff.
• DDoS on network edge and lawful intercept exposure. Volumetric DDoS targeting a telco's network edge degrades service quality for thousands of downstream customers simultaneously and can affect the operator's ability to fulfil lawful intercept obligations — a legally sensitive failure mode in a regulated environment. Separately, lawful intercept systems themselves represent a high-value target: compromise of the intercept management system would allow an adversary to redirect or suppress court-ordered intercepts, or to add unauthorised intercept targets. Physical access to tower sites or exchange infrastructure amplifies both risks by enabling passive tap and equipment tampering.

Mapping the telco attack surface — from customer portal to cell site

A telco security assessment must cover the full architecture, not just the internet-facing perimeter. The six layers below define the scope nCrypt applies to network operator engagements:

nCrypt's network penetration testing scope covers the customer portal, OSS/BSS API surface, signaling interfaces, and partner peering points. Physical site security — tower access controls, cable management, equipment tamper-evidence — is included in full-scope operator engagements.

SOC, threat intelligence, and incident response built for network operator scale

Telco security operations differ from enterprise SOC in two material ways: scale and criticality. An operator's network generates several orders of magnitude more security-relevant events than an enterprise of equivalent revenue — CDR flows, signaling interface traffic, network element syslog, and subscriber authentication events collectively represent a data volume that cannot be processed by traditional enterprise SIEM rules without significant tuning. And the consequences of a missed event are different: a compromised lawful intercept system, an SS7 attack actively tracking a subscriber, or a ransomware encryption of OSS provisioning systems is not a contained IT incident — it is a regulated operator's core function under attack.

nCrypt's SOC service for telcos is scoped for this environment. Detection content covers SIM-swap velocity anomalies (abnormal SIM change rates per agent, per retail location, or on specific high-value numbers), CDR access anomalies (bulk subscriber record access outside normal operational patterns), OSS/BSS privileged session monitoring, signaling anomaly alerting (where the operator has deployed a signaling firewall or monitoring probe), and physical access event correlation from tower and exchange CCTV and access-control systems. Escalation runbooks are pre-cleared for MCMC and NACSA notification, so that the first hour of a major incident is spent on containment, not governance.

Threat intelligence for telcos has a distinct profile. SS7/Diameter threat actors, SIM-swap fraud rings, DDoS-for-hire services targeting operator infrastructure, and adversarial activity on eSIM provisioning surfaces are telco-specific intelligence requirements that generic threat feeds do not adequately cover. nCrypt curates telco-relevant intelligence from GSMA, regional CERT networks, and commercial signaling-security intelligence sources, delivered in operator-operational formats rather than generic indicator dumps.

The incident response retainer for telcos is pre-positioned with scenario runbooks for CDR exfiltration, signaling abuse, insider SIM-swap campaign, lawful-intercept system compromise, ransomware on OSS/BSS, and coordinated physical-plus-cyber attack. MCMC and NACSA notification timelines are mapped and pre-approved within the retainer documentation, so that regulatory obligations are not being researched during the first 24 hours of an active incident.

Frequently asked questions