MoTIF Techniques

The adversaries may monitor radio interface traffic to passively collect information about the radio network configuration or about subscribers in close vicinity of the adversary.

Adversaries may gather information about the victim's identity that can be used during targeting.

Adversaries may search and gather information about victims from closed sources that can be used during targeting.

Adversaries may search freely available websites and/or domains for information about victims that can be used during targeting.

Adversaries may analyze telecom network protocols to identify vulnerabilities, misconfigurations, or opportunities for exploitation.

Adversaries may buy, lease, or rent infrastructure that can be used during targeting.

Adversaries may build capabilities that can be used during targeting.

Adversaries may obtain specialized telecom testing equipment to analyze and exploit telecom networks.

The adversary may get access to the target network via the interconnection interface.

The adversary may access the target network by exploiting signalling (i.e. control plane) protocols.

Adversaries may use the radio access network to initiate attacks towards the UE or the mobile network.

Adversaries may breach or otherwise leverage organizations who have access to intended victims.

Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise.

Adversaries may exploit vulnerabilities in management interfaces of telecom equipment to gain initial access.

Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries on telecom network elements.

Adversaries may abuse container technologies used in telecom cloud infrastructure to execute malicious code.

Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as Network Sniffing.

Adversaries may manipulate accounts to maintain access to telecom network elements.

Adversaries may modify network configurations to maintain access to telecom networks.

Adversaries may exploit vulnerabilities in telecom network elements to gain higher privileges.

Adversaries may manipulate access tokens to gain higher privileges in telecom systems.

Adversaries may attempt to manipulate parameters in the control signalling to make them appear legitimate or benign to mobile subscribers, end nodes and/or security tools.

The adversary can disguise its signalling messages in order to avoid detection and blocking of their attacks.

Adversaries may obfuscate their traffic to avoid detection by telecom security systems.

The adversary can collect several types of user-specific data. Such data include, for instance, subscriber identities, subscribed services, subscriber location or status.

Adversaries may exploit software vulnerabilities in an attempt to collect credentials.

Adversaries may attack SIM cards to access authentication keys and other credentials.

An adversary may discover operator network related information (identifiers).

An adversary may obtain a subscriber permanent or temporary identifier via various means.

An adversary may query the Network Repository Function (NRF) to discover restricted Network Function (NF) services to further target that NF.

Adversaries may discover the topology of telecom networks to identify targets for further attacks.

Adversaries may exploit trust relationships between telecom network elements to move laterally.

Adversaries may exploit remote services to move laterally within telecom networks.

An adversary may obtain a subscriber permanent or temporary identifier via various means.

The adversary can collect several types of user-specific data. Such data include, for instance, subscriber identities, subscribed services, subscriber location or status.

Adversaries may sniff network traffic to capture information about an environment, including authentication material, base station configuration and user plane traffic passed over the network.

An adversary may obtain the UE location using radio access or core network.

Adversaries may collect data from network repositories such as subscriber databases.

Adversaries may use telecom signaling channels for command and control.

Adversaries may use management interfaces for command and control of compromised telecom systems.

Adversaries may exfiltrate data over telecom channels.

Adversaries may exfiltrate data over alternative protocols to avoid detection.

Adversaries may insert, delete, or manipulate data in order to influence external outcomes or hide activity, thus threatening the integrity of the data.

Adversaries may disrupt telecom services to affect availability.

Adversaries may manipulate network traffic to affect service delivery or intercept communications.