Christopher Burgess
Contributing Writer

AT&T’s massive breach of metadata is a criminal treasure trove — as spy agencies know

Opinion
15 Jul 2024, 8 mins
Data and Information Security, Data Breach, Risk Management

There is plenty of intelligence that can be gathered from call data records if you know where to look. Spy agencies have been doing it effectively for years.


Last week we learned via an SEC 8K filing that data has once again been stolen from AT&T. In this instance, the information was call data records (CDRs), which were purloined by threat actors between April 14 and April 25, 2024, from an “AT&T workspace on a third-party cloud platform.”

According to the filing, “records of customer call and text interaction that occurred between approximately May 1 and October 31, 2022, and then again on January 2, 2023” were exfiltrated.

Most of us are familiar with CDRs being used in criminal cases, and their use has been featured on enough prime-time crime dramas to make them part of the investigative vernacular — “Did you look at the phone data?” We understand that the data may show a connection between a victim and a perpetrator. This is all of that and more, so much more.

You don’t have to be a long-in-the-tooth former intelligence officer to fully understand the value that the identified data can provide to a nation-state, criminal organization, or an unscrupulous competitor.

Call data record information isn’t trivial

CDRs, sometimes referred to as metadata, have been a key component of the national security conversation in the United States and Europe for decades. It is no secret that the National Security Agency (NSA) finds great value in the information. In 2016, the Proceedings of the National Academy of Sciences (PNAS) published a study that serves as a useful primer for those unfamiliar with the topic.

A quick internet search for tools capable of analyzing CDRs generates pages and pages of ubiquitous solutions. In May 2024, Penlink shared a list of seven non-traditional uses for call detail records that explain how such data can be mined for insight: geo-fencing analysis, network mapping (relationships between given numbers), behavioral pattern recognition, temporal analysis, travel patterns, fraud, and cold case resolution.

The key takeaway about CDRs is that it is easy to determine whether two telephone numbers are in communication with each other. But there’s much more to be gleaned than just the frequency with which two numbers connect: CDRs also provide the ability to determine geolocation (from communication tower IDs in some instances), service providers, frequency of use, on/off periods, etc.
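To make that takeaway concrete, the block below is an added example, not code from the article or from any of the analysis tools it mentions. It runs the analyses the text lists (contact frequency between numbers, hours of activity, and a crude location profile from tower IDs) over a handful of constructed CDR rows. The column layout, the phone numbers and the tower identifiers are all assumptions chosen to mirror the fields the article says a CDR carries. From a defender's perspective this is the floor of what should be assumed recoverable from a leaked export of this kind, and therefore the bar any protection, retention or minimization control has to be measured against.

```python
"""What a handful of call detail records (CDRs) reveal.

Added illustration, not code from the article or from any vendor tool.
The records below are constructed; the field layout (caller, callee,
start time, duration in seconds, serving cell tower id) is an assumption.
"""
from collections import Counter
from datetime import datetime

# Constructed sample: three subscribers, three days of activity.
SAMPLE_CDRS = """\
caller,callee,start,duration_s,tower_id
15550000001,15550000002,2022-05-02T08:05:00,120,TWR-A
15550000001,15550000002,2022-05-02T12:40:00,45,TWR-B
15550000001,15550000003,2022-05-02T23:15:00,600,TWR-A
15550000002,15550000001,2022-05-03T08:10:00,90,TWR-C
15550000001,15550000002,2022-05-03T13:02:00,30,TWR-B
15550000001,15550000003,2022-05-03T23:40:00,900,TWR-A
15550000003,15550000001,2022-05-04T00:05:00,300,TWR-D
"""


def parse_cdrs(text):
    """Parse CSV text with a header row into a list of typed dicts."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split(",")
    records = []
    for ln in lines[1:]:
        row = dict(zip(header, ln.split(",")))
        row["start"] = datetime.fromisoformat(row["start"])
        row["duration_s"] = int(row["duration_s"])
        records.append(row)
    return records


def contact_graph(records):
    """Undirected edge weights: how often each pair of numbers communicated."""
    edges = Counter()
    for r in records:
        edges[frozenset((r["caller"], r["callee"]))] += 1
    return edges


def strongest_contacts(records, number, k=2):
    """The k numbers `number` communicates with most often (network mapping)."""
    peers = Counter()
    for pair, n in contact_graph(records).items():
        # Skip self-calls (a one-element frozenset) so `other` always exists.
        if len(pair) == 2 and number in pair:
            other = next(iter(pair - {number}))
            peers[other] += n
    return [p for p, _ in peers.most_common(k)]


def active_hours(records, number):
    """Hours of day (0-23) at which `number` placed or received calls.

    A sparse, late-night profile is the kind of 'on/off period' signal the
    article refers to; it falls out of the timestamps alone.
    """
    hours = {r["start"].hour for r in records if number in (r["caller"], r["callee"])}
    return sorted(hours)


def tower_profile(records, number):
    """Towers seen on calls `number` originated, most frequent first.

    The top entry is a crude proxy for where the subscriber usually is; a
    second recurring tower suggests a daily commute pattern.
    """
    towers = Counter(r["tower_id"] for r in records if r["caller"] == number)
    return [t for t, _ in towers.most_common()]


if __name__ == "__main__":
    recs = parse_cdrs(SAMPLE_CDRS)
    subject = "15550000001"
    print("strongest contacts:", strongest_contacts(recs, subject))
    print("active hours:", active_hours(recs, subject))
    print("tower profile:", tower_profile(recs, subject))
```

Note that none of this needs subscriber names, call content or anything beyond the metadata columns; the step the filing mentions, resolving a number to a name with public lookup tools, is the only thing left to do.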

Results from these various analyses will most certainly be of use to targeting officers within a nation-state’s intelligence apparatus. It doesn’t take a leap to understand how a criminal or terrorist entity may want to conduct this same type of analysis.

Call data records can be abused by unscrupulous competitors

For the unscrupulous competitor, the data can provide a plethora of insight into the travel patterns of the competition’s customers. Are they burning the midnight oil? Where are they communicating from? Who are the key players (insiders)?

In other words, a competitor could derive great insight from the data. Data analysis tools of old were already impressive; now, with the advent of artificial-intelligence-enhanced capabilities, interconnections and relationships can be painted with great precision.

The names behind these “found numbers” can then be divined, as AT&T noted in its filing: “While the data does not include customer names, there are often ways, using publicly available online tools, to find the name associated with a specific telephone number.”

Criminals and terrorists find call data records very useful

The utility of this type of data to criminal and terrorist organizations is self-evident. It can be used as an internal vetting tool and an external targeting tool. Unlisted numbers can easily be associated with known numbers and, if geofenced, the location of a given target and their patterns can be deduced.

Nation-states have long been using CDRs in their offensive intelligence work, as well as in their counterintelligence efforts — this is not hypothetical. One need only look at APT10 and APT31 to understand how China has been successfully targeting telecommunications companies for years, going after this same type of data.

The FBI issued wanted posters in 2018 for two members of the APT10 team, Zhu Hua and Zhang Shilong. The group, highlighted as being associated with the Chinese Ministry of State Security (MSS), successfully purloined data over the course of 12 years.

This group’s activities were dissected in some depth by Cybereason. According to the company’s researchers, APT10 stole:

  • The source, destination, and duration of calls, which can allow the collation of interpersonal or inter-organizational connections
  • Device details, identifying the devices being used
  • Physical location data with geographic locations useful for collating travel patterns
  • Device vendor and versions that identify service providers and operating systems versions, providing reference points for future individualized attacks

Fast-forward to March 2024 and we see the US Department of Justice highlighting the work of China’s APT31 group, which “targeted thousands of US and foreign individuals and companies.” The DoJ charged seven Chinese nationals, all associated with China’s MSS, for their efforts across 14 years of engagement.

Their targets? “US and foreign critics, businesses, and political officials in furtherance of the PRC’s economic espionage and foreign intelligence objectives.” They successfully compromised many entities, and in addition to emails and other data sets, their haul included telephone call records.

AT&T provides opinions and assurances that all is well

These two examples serve to provide a rationale as to why so many Western governments took steps to keep China’s Huawei out of the new 5G rollouts, as their presence would have made the collection of CDR data child’s play for China’s intelligence services.

AT&T opined to the SEC that the incident “has not had a material impact on AT&T’s operations, and AT&T does not believe that this incident is reasonably likely to materially impact AT&T’s financial condition or results of operations.”

And to cover its fanny completely, AT&T stressed that the DoJ had opined on May 9 and again on June 5, 2024, that the delay in public disclosure was warranted, as AT&T is working with law enforcement.

The filing with the SEC notes that AT&T “understands that at least one person has been apprehended. As of the date of the filing, AT&T does not believe that the data is publicly available.”

While we will have to allow the dust to settle, it apparently bears repeating that insider risk management programs must include an education component that promotes use of checks and double checks to protect user-associated data.

“The recent AT&T breach highlights significant insider risk factors related to the unauthorized access and exfiltration of call detail records,” Dennis Dayman, CISO of Code42 Software, told CSO.

“While cyber threats are ever-evolving, the risk imposed by the human element remains a constant,” said Dayman, whose company provides insider risk protection. “Insider risk is one of the biggest security challenges posed by the unpredictable nature of employees, partners, and contractors who are trusted to handle sensitive corporate data and IP daily.”

According to Dayman, such risks might not initially appear to be a high priority, but they can quietly proliferate, causing downstream consequences. “Though insider risk is not new, it has become more prevalent over the past few years with the inception of remote-first distributed workforces, increased use of collaboration tools, and high-risk digital behaviors.”

If you can’t protect data, don’t collect it

I agree with Dayman that this loss may be viewed as ho-hum if we just read the AT&T SEC filing, and for those who are AT&T subscribers inside and out of government I pray such is the case. That said, my “spidey sense” tells me this loss is anything but ho-hum.

Code42’s research has revealed that a single insider-driven data exposure, loss, leak, or theft event could cost companies as much as $15 million in financial losses, according to Dayman. “Though the full repercussions from the recent AT&T breach are still evolving, they represent a clear hit to the company’s reputation and customer trust,” he says.

My instinct, call it jaded analysis if you will, indicates that the targeting of telcos will continue. Indeed, this instance was not the only incident involving AT&T. In April 2024, AT&T revealed that they lost data on 73 million of their customers, which included personal identifying information.

This isn’t just an insider risk realized: these losses of information may result in persons and entities being more directly targeted in countries where AT&T has a footprint, and in individuals being placed in extraordinary danger. Large gaps in nation-state targeting mosaics can be filled with CDR data.

My plea to all is that if you can’t or won’t protect the data, please don’t collect the data.
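The filing dates make the point: records from mid-2022 and 2 January 2023 were still sitting in a third-party cloud workspace when they were taken in April 2024. As an added example, not AT&T's or any vendor's code, the block below shows what "don't keep what you can't protect" looks like when applied to a CDR export: a retention window that drops old rows, keyed pseudonyms in place of raw numbers, hour-level timestamps, and no tower ID at all. The field names, the 90-day window and the sample records are assumptions; the key is a placeholder.

```python
"""Minimizing a CDR export before it leaves the core billing system.

Added illustration, not AT&T's or any vendor's code. Field names, the
retention window and the sample records are assumptions; the key below
is a placeholder and must never be stored beside the exported data.
"""
import hashlib
import hmac
from datetime import datetime, timedelta

# Constructed records in the shape a CDR export might take.
SAMPLE_RECORDS = [
    {"caller": "15550000001", "callee": "15550000002",
     "start": datetime(2022, 5, 2, 8, 5), "duration_s": 120, "tower_id": "TWR-A"},
    {"caller": "15550000001", "callee": "15550000003",
     "start": datetime(2022, 5, 2, 23, 15), "duration_s": 600, "tower_id": "TWR-A"},
    {"caller": "15550000003", "callee": "15550000001",
     "start": datetime(2023, 1, 2, 0, 5), "duration_s": 300, "tower_id": "TWR-D"},
]

# Constructed export date used by the demo and the checks below.
REFERENCE_NOW = datetime(2023, 1, 31)

# Placeholder key. In production this belongs in an HSM or secrets manager,
# with access logged, so that a copied export cannot be reversed on its own.
PSEUDONYM_KEY = b"example-key-not-for-production"


def pseudonymize(number, key=PSEUDONYM_KEY):
    """Keyed, deterministic pseudonym for a phone number.

    Records still join on the pseudonym (fraud and billing analytics keep
    working), but without the key the export alone does not yield numbers.
    """
    return hmac.new(key, number.encode(), hashlib.sha256).hexdigest()


def minimize_record(rec, now, retention_days=90, key=PSEUDONYM_KEY):
    """Return a reduced record, or None if it is outside the retention window."""
    if now - rec["start"] > timedelta(days=retention_days):
        return None
    return {
        "caller": pseudonymize(rec["caller"], key),
        "callee": pseudonymize(rec["callee"], key),
        # Hour resolution is enough for billing disputes; minutes are not kept.
        "start_hour": rec["start"].replace(minute=0, second=0, microsecond=0),
        "duration_s": rec["duration_s"],
        # tower_id is deliberately absent: it is the field that turns a call
        # log into a location history.
    }


def minimize_export(records, now, retention_days=90, key=PSEUDONYM_KEY):
    """Apply minimize_record to every row and drop those past retention."""
    out = []
    for rec in records:
        reduced = minimize_record(rec, now, retention_days, key)
        if reduced is not None:
            out.append(reduced)
    return out


if __name__ == "__main__":
    for row in minimize_export(SAMPLE_RECORDS, REFERENCE_NOW):
        print(row)
```

Two caveats a practitioner should keep in view. Deterministic pseudonyms preserve the contact graph, so the network-mapping and temporal analyses described earlier still work on a pseudonymized export; the control buys separation from names and locations, not immunity from pattern analysis. And the whole scheme rests on the key being stored and governed apart from the data set, which is exactly the kind of "check and double check" the insider-risk discussion above calls for.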


Christopher Burgess is a writer, speaker and commentator on security issues. He is a former senior security advisor to Cisco, and has also been a CEO/COO with various startups in the data and security spaces. He served 30+ years within the CIA which awarded him the Distinguished Career Intelligence Medal upon his retirement. Cisco gave him a stetson and a bottle of single-barrel Jack upon his retirement. Christopher co-authored the book, “Secrets Stolen, Fortunes Lost, Preventing Intellectual Property Theft and Economic Espionage in the 21st Century”. He also founded the non-profit, Senior Online Safety.
