Cyberattacks on 4G/LTE Telecom Networks: Threat Mapping and Defense

- Category: CTI
- Source article: https://medium.com/@1200km/cyberattacks-on-4g-lte-telecom-networks-threat-mapping-and-defense-bd0e7fe76f54
- Published: 2025-07-20
- Preserved media: 9 image(s), including cover images, screenshots, diagrams, and infographics where present.
- Preserved technical blocks: 0 code/configuration block(s).
Ecosystem Fit
This page mirrors the original Medium article into the 1200km.com Docusaurus ecosystem. The original article flow, images, screenshots, infographics, and technical blocks are preserved from the export.
This research provides an in-depth analysis of cyber threats targeting LTE telecom core networks, mapping real-world and theoretical attack techniques to the MITRE ATT&CK and FiGHT frameworks. It includes practical detection methods and mitigation strategies, tailored specifically for Ericsson systems and infrastructure.

Introduction
Telecommunications providers are prime targets for cyberattacks, from nation-state espionage to criminal fraud. Modern mobile networks (4G LTE EPC and 5G core) carry critical voice and data traffic, making any compromise potentially devastating. This report analyzes known and theoretical threats across the end-to-end connection flow — from user equipment (UE) through the Radio Access Network (RAN) and Core, out to the Internet. We map each threat to specific network functions and interfaces (e.g. S1-MME in 4G, N2/N3 in 5G, SGi/N6 towards the internet, etc.), and align adversary tactics with the MITRE ATT&CK® framework and the MITRE FiGHT™ 5G threat framework. Real-world examples (nation-state APT campaigns, criminal exploits, insider abuse) are included alongside theoretical attack models. For each stage, we discuss how adversaries execute attacks, how to detect them using logs (including Ericsson event logs) and monitoring tools (SIEM, NIDS, DPI), and how to prevent or mitigate these threats. The analysis is tailored to Ericsson’s infrastructure where applicable, highlighting relevant security features and best practices.
Threats in 4G LTE/EPC Connection Flow
A 4G/LTE network’s Evolved Packet Core (EPC) comprises functions like the Mobility Management Entity (MME), Serving Gateway (SGW), Packet Gateway (PGW), Home Subscriber Server (HSS), and Policy and Charging Rules Function (PCRF). Key interfaces include the radio link (Uu) between UE and eNodeB, S1-MME (control plane between eNodeB and MME), S1-U (user plane between eNodeB and SGW), S6a (MME–HSS via Diameter protocol), S11 (MME–SGW), S5/S8 (SGW–PGW GTP tunnel), SGi (PGW–Internet), and Gx (PGW–PCRF via Diameter). Below, we break down the connection process into stages and map threats at each stage.

Stage 1: Access Network (UE to eNodeB via Uu)
Threats & Techniques:
In the RAN stage, adversaries may target the wireless link and the base station. A common threat is the rogue base station or IMSI-catcher: a fake eNodeB that lures nearby phones into connecting and forces them to reveal their IMSI (the permanent subscriber identity) or to downgrade security. A classic IMSI-catcher broadcasts a stronger signal than the surrounding legitimate cells, accepts the UE, and issues an Identity Request to collect the IMSI while impersonating a legitimate cell tower (eff.org).

This enables real-time location tracking of subscribers by combining the IMSI/TMSI with cell information (p1sec.com). In some cases attackers can also mount downgrade attacks, forcing devices from LTE onto insecure 2G/3G to intercept calls or SMS, since GSM has weak or no encryption (eff.org).
Another threat is radio jamming: flooding the air interface with noise to deny service. Jamming can target LTE synchronization or control signals and knock UEs offline (fight.mitre.org). These attacks primarily threaten availability (DoS) and user privacy.
They align with the MITRE ATT&CK technique Network Denial of Service (T1498) for jamming, and with collection of subscriber identifiers for IMSI catching. MITRE FiGHT likewise documents IMSI-catcher and rogue base station attacks (for example, obtaining subscriber identifiers) under tactics such as Network Access or Collection. An adversary who sets up a malicious base station or sniffs unencrypted radio data exemplifies Network Sniffing (ATT&CK T1040) if data is captured, and Network Service Discovery (ATT&CK T1046, FiGHT FGT1046) if the goal is to scan for network signals or weaknesses in the RAN (fight.mitre.org).

Adversary Exploitation:
To execute an IMSI-catcher attack, an attacker (often using a software-defined radio) configures a fake cell site that advertises itself as a legitimate network, typically broadcasting the MCC/MNC of a PLMN the target UEs trust.

The fake eNodeB accepts the UE's connection before any security context exists and sends an Identity Request, to which the UE responds with its IMSI (eff.org). The rogue node can then drop the connection or hand the UE back to the real network; by that time it has "caught" the IMSI and identified the subscriber (eff.org). More advanced malicious base stations go further and perform a downgrade: jamming the LTE bands to push UEs onto 2G, then acting as a false 2G BTS to intercept calls and SMS. The detour is necessary because LTE uses mutual authentication and encryption once the attach completes, so direct interception of an LTE session is not feasible without a downgrade (eff.org). Jamming attacks are simpler: the attacker uses a radio transmitter to emit continuous or modulated noise on LTE frequencies, disrupting the UE's ability to communicate with genuine towers (a broad denial of service at the RF layer).
Detection:
Detecting rogue base stations and jamming requires both network-side and handset-side monitoring. Ericsson RAN and core event logs can reveal anomalies: frequent attach/detach cycles in one area, or repeated authentication failures, may indicate that a fake cell is forcing reattachments. IMSI-catcher activity usually generates no explicit MME logs, because the rogue tower need not forward anything to the core, so operators should instead look for unusual Tracking Area Update patterns or suspicious location updates (for example, a UE that appears to jump between far-apart locations faster than physically possible), which can indicate false location reporting. Specialized solutions (IMSI-catcher detectors, RF spectrum monitoring) can flag unknown cell IDs or abnormal broadcast parameters. NIDS/DPI systems are of little use at the RF layer, but on the core side a SIEM can ingest UE event logs (security mode command failures, attach rejects) to spot trends. Ericsson OSS/BSS tools and O&M logs may expose RRC/NAS events; many Attach Request messages carrying unassigned or suspect identifiers could signal an attack. In the Ericsson event log sample referenced in this article, authentication- and privacy-related events could be correlated, for instance an unusual spike in "Privacy Check" or IMSI-related messages. Although that sample mostly shows Diameter events, a security analytics system could ingest RAN events in the same way. External RF monitoring tools can detect jamming by measuring noise levels and failed connection attempts. In MITRE terms, the relevant detection is anomaly detection for ATT&CK T1040 (Network Sniffing) and for the FiGHT radio-layer techniques, plus detection of valid-account misuse where the attacker holds legitimate credentials.
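As an added illustration of the location-based checks described above (example code written for this page, not Ericsson tooling and not the article author's), the following Python script runs two of those heuristics over constructed UE location events: it flags events that reference a cell identity missing from an assumed authorised cell inventory, and it flags a UE whose consecutive Tracking Area Updates imply an impossible ground speed. The event layout, the cell coordinates and the 1000 km/h threshold are assumptions; a real Ericsson RAN/MME export would need a parser in front of this.

```python
"""Rogue-cell indicators from UE location events (added example, not Ericsson code).

Two heuristics from the text: an unknown cell identity, and "impossible travel"
between consecutive location fixes of the same IMSI. Event layout, the cell
inventory and the speed threshold are all constructed for this example.
"""
from collections import namedtuple
from math import asin, cos, radians, sin, sqrt

LocationEvent = namedtuple("LocationEvent", "ts imsi cell_id event")

# Assumed authorised cell inventory: cell id -> (lat, lon) of the site.
AUTHORISED_CELLS = {
    "310-410-1001": (40.7128, -74.0060),   # New York area
    "310-410-1002": (40.7306, -73.9352),   # a few km from 1001
    "310-410-2001": (34.0522, -118.2437),  # Los Angeles area
}
MAX_SPEED_KMH = 1000.0  # faster than any legitimate movement between two fixes


def haversine_km(a, b):
    """Great-circle distance in kilometres between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def analyse(events, cells=AUTHORISED_CELLS, max_speed_kmh=MAX_SPEED_KMH):
    """Return (imsi, reason, detail) tuples for every suspicious event."""
    alerts = []
    last_fix = {}  # imsi -> (ts, cell_id) of the previous location in a known cell
    for e in sorted(events, key=lambda x: x.ts):
        if e.cell_id not in cells:
            alerts.append((e.imsi, "unknown_cell", e.cell_id))
            continue  # no coordinates for this cell, so no speed check possible
        if e.imsi in last_fix:
            t0, c0 = last_fix[e.imsi]
            hours = (e.ts - t0) / 3600.0
            km = haversine_km(cells[c0], cells[e.cell_id])
            if hours > 0 and km / hours > max_speed_kmh:
                alerts.append((e.imsi, "impossible_travel",
                               f"{c0} -> {e.cell_id}: {km:.0f} km in {hours * 60:.0f} min"))
        last_fix[e.imsi] = (e.ts, e.cell_id)
    return alerts


# Constructed sample: IMSI ...001 moves NY -> NY (fine) -> LA within 10 minutes
# (impossible); IMSI ...002 reports a cell identity that is not in the inventory.
SAMPLE_EVENTS = [
    LocationEvent(0.0,    "310410000000001", "310-410-1001", "ATTACH"),
    LocationEvent(300.0,  "310410000000002", "310-410-9999", "TAU"),
    LocationEvent(600.0,  "310410000000001", "310-410-1002", "TAU"),
    LocationEvent(1200.0, "310410000000001", "310-410-2001", "TAU"),
]

if __name__ == "__main__":
    for imsi, reason, detail in analyse(SAMPLE_EVENTS):
        print(f"{imsi} {reason} {detail}")
```

The unknown-cell check fires before the speed check on purpose: a cell with no inventory entry has no coordinates, and silently skipping it would let a rogue cell hide from the impossible-travel logic.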
Prevention & Mitigation:
Preventing IMSI catching and rogue base stations involves both standards-based security and operational measures. In LTE, the network limits IMSI exposure by assigning temporary identities (GUTI/TMSI) after the first attach and using them in subsequent signaling; however, a UE answers an Identity Request before any security context exists, so LTE as standardized cannot stop a fake cell from eliciting the IMSI. 5G introduces the SUCI (Subscription Concealed Identifier), which encrypts the permanent identifier over the air, so moving subscribers to 5G where possible mitigates this threat. Ericsson 5G networks implement this identifier concealment by design (ericsson.com), preventing easy IMSI capture. To combat rogue base stations, operators can maintain inventories of authorized cell sites and use base station authentication where available (digital certificates for base stations are not widely deployed in LTE). Downgrade protection can be implemented by disabling fallback to insecure 2G/3G where feasible, or by alerting when a device leaves 4G coverage unexpectedly often. Against jamming, mitigation is harder: directional antennas and the spread-spectrum and frequency-diversity properties already built into 4G/5G improve resilience to a degree. Operators should have redundant coverage so that neighboring cells can serve users when one cell is jammed, and can use Ericsson self-organizing network features to adjust power and coverage dynamically. Persistent jamming should be escalated to law enforcement to locate and remove the source. Finally, segmenting the RAN (for example, terminating base station backhaul on security gateways with IPsec) ensures that an attacker with only RF access cannot easily pivot into the core network. Combined with user guidance (preferring VoLTE and, where available, 5G-only modes), these measures reduce the risk of RAN-layer attacks.
Stage 2: Core Network Attach & Authentication (S1-MME, S6a Interfaces)
Once a UE connects to a legitimate eNodeB, it initiates an attach procedure. The eNodeB communicates with the MME over the S1-MME interface (S1AP over SCTP), and the MME authenticates the subscriber via the HSS over S6a, a Diameter-based interface. This stage is rich in signaling and is therefore a target for signaling-based attacks on the control plane.
Threats & Techniques:
A major threat here is a signaling storm or attach flood, in which an adversary floods the MME with a high volume of attach requests or bogus signaling messages to exhaust its processing capacity (Network Denial of Service: Direct Network Flood, ATT&CK T1498.001) (center-for-threat-informed-defense.github.io). For example, a botnet of compromised IoT devices or UEs could send repeated attach/detach or authentication requests simultaneously, consuming MME and HSS resources. Researchers have noted that an attacker controlling a few UEs or a rogue femtocell could send many false requests (using fake or stolen IMSIs) to overload the MME/HSS, denying service to legitimate users (journals.riverpublishers.com, juniper.net).
Another threat at this stage is exploitation of control-plane protocol vulnerabilities. The S1AP stack or MME software may have implementation bugs: a crafted S1AP message or malformed NAS packet could crash the MME (Endpoint Denial of Service, ATT&CK T1499) or, if it yields code execution, map to Exploitation of Remote Services (T1210). Similarly, if the Diameter interface (S6a) is misconfigured, adversaries in other networks can send malicious Diameter messages. Diameter attacks include false Update-Location or Cancel-Location messages (to detach users or reroute their service) and rapid authentication queries that burden the HSS/MME. Because Diameter is often deployed without encryption or proper filtering between roaming partners, attackers can obtain subscriber information and commit fraud over this channel (p1sec.com). A rogue roaming partner, or an intruder with access to the IPX network, can query subscriber data (IMSI, location) or issue rogue commands that change subscriber profiles. This abuse of inter-operator trust corresponds to MITRE FiGHT technique FGT5016 (Abuse of Inter-Operator Interfaces), reflecting that attackers leverage roaming interfaces (Diameter/SS7) to gather information or disrupt service (fight.mitre.org). Criminal groups have exploited SS7 (the 2G/3G signaling predecessor of Diameter) to intercept one-time-password SMS by issuing location and routing requests for target numbers, which illustrates the equivalent risk on Diameter (eff.org, cyble.com). An insider threat is also pertinent at this stage: a malicious or bribed insider with access to core management systems could query the HSS for subscriber data directly or disable security features. Such activity maps to Valid Accounts (T1078) or abuse of administrative access, and its effect shows up here as a bypass of normal attach controls (for example, whitelisting a device or SIM without authorization).
Adversary Exploitation:
To conduct an attach flood, an adversary might use modified firmware or malware on UEs to send continuous attach requests, or operate a rogue base station that generates fake UE identities en masse. The MME, seeing what looks like a massive surge of new UEs, tries to authenticate each one; the HSS is bombarded with authentication-vector requests and the MME's NAS processing is saturated (journals.riverpublishers.com, juniper.net). Lab work has shown that flooding the MME with even a moderate rate of bogus attach requests can degrade service or crash it (ndss-symposium.org). For Diameter attacks, an attacker with access to the Diameter signaling network (often via compromised roaming-partner systems, or by purchasing interconnect access) can send crafted messages. For example, a tool such as the publicly known SigPloit (https://github.com/SigPloiter/SigPloit), built for SS7/Diameter testing, can send a Diameter Update-Location-Request for a subscriber, making the home network believe the user has moved to another network and potentially forcing a detach. Attackers also exploit misconfiguration: many operators still do not enforce TLS or IPsec on Diameter links and rely on implicit trust (p1sec.com). They send Diameter messages with spoofed identities or unexpected AVPs to extract data or confuse state. As P1 Security reports, misconfigured Diameter lets attackers obtain IMSIs and subscriber addresses and even intercept communications by triggering fallbacks (for example, a message that downgrades a 4G session so it can be tapped via SS7) (p1sec.com). In one observed case, Chinese APT groups (Operation Soft Cell) compromised telco servers and queried subscriber databases for call detail records and credentials (cybereason.com), essentially using stolen administrative access to exploit these interfaces from the inside.

Detection:
Signaling anomalies are often visible in core network logs and performance counters. An Ericsson MME generates events for attach attempts, authentication failures and overload conditions. If a SIEM aggregates MME logs, it can detect spikes in AttachRequest or AuthInfoRequest events beyond normal thresholds. The Ericsson event log categories include items such as Privacy Check and Analytical Processing alerts; a surge in these can indicate misuse of signaling (for example, many CmYangProvider Privacy events might suggest repeated attempts to access subscriber data). MME overload alarms will also fire during an attach flood. NIDS sensors on the S1-MME interface, where feasible, can detect abnormal SCTP packet rates or unusual message types, and telecom-specific DPI that decodes S1AP and NAS can alert on too many attach attempts from one eNodeB or on malformed messages indicative of fuzzing. For Diameter, a Diameter IDS/DPI (often part of a Diameter firewall) logs and alerts on unusual commands or on messages from unexpected sources. The GSMA roaming security guidelines (FS.19 for Diameter) recommend monitoring for patterns such as location requests that do not match known roamers. In practice, rapid-fire Update-Location messages or errors such as DIAMETER_UNKNOWN_PEER in the logs can reveal unauthorized activity (p1sec.com). Ericsson core products often support Diameter message auditing; those logs should be fed to the SIEM. The sample log shows a "Diameter Message" entry with millions of events; an analyst would baseline typical volumes and flag deviations (a tenfold jump in location-lookup messages, say, may mean a script is scraping subscriber data). To catch insiders, correlate logins to the HSS or core management systems with unusual queries (an admin account pulling thousands of subscriber records at odd hours).
Combining telecom-specific logs and IT logs in a SIEM can thus expose an attack.
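The three log-driven checks just described (attach-rate per eNodeB, the tenfold baseline rule for Diameter volumes, and DIAMETER_UNKNOWN_PEER errors) are shown below as an added Python example written for this page; it is not Ericsson code and not from the article. The line format it parses is constructed (an ISO-8601 timestamp followed by key=value fields) to stand in for whatever the SIEM normalises MME/HSS events into, and the window size and thresholds are assumptions to be tuned against a real baseline.

```python
"""Signalling-anomaly checks over MME and Diameter events (added example).

Not Ericsson code and not from the article. The line format is constructed:
'<ISO-8601 ts> key=value key=value ...', standing in for whatever the SIEM
normalises Ericsson MME/HSS events into. Thresholds are assumptions.
"""
from collections import Counter, defaultdict, deque
from datetime import datetime
from statistics import median


def parse_line(line):
    """Turn one constructed event line into a dict with a numeric 'ts'."""
    ts_str, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts_str.replace("Z", "+00:00")).timestamp()}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def attach_floods(records, window_s=60, threshold=50):
    """Sliding-window count of ATTACH_REQUEST events per eNodeB.

    Emits one (enb, count) alert per eNodeB the first time more than
    `threshold` attach requests fall inside `window_s` seconds.
    """
    recent, alerted, alerts = defaultdict(deque), set(), []
    for rec in sorted(records, key=lambda r: r["ts"]):
        if rec.get("evt") != "ATTACH_REQUEST":
            continue
        window = recent[rec["enb"]]
        window.append(rec["ts"])
        while rec["ts"] - window[0] > window_s:   # drop fixes older than the window
            window.popleft()
        if len(window) > threshold and rec["enb"] not in alerted:
            alerted.add(rec["enb"])
            alerts.append((rec["enb"], len(window)))
    return alerts


def diameter_volume_spikes(per_minute, baseline_minutes=10, factor=10.0):
    """Flag minutes whose Diameter message count exceeds `factor` times the
    median of the preceding `baseline_minutes` (the tenfold rule from the text).
    Returns (minute_index, count, baseline) tuples."""
    spikes = []
    for i in range(baseline_minutes, len(per_minute)):
        base = median(per_minute[i - baseline_minutes:i])
        if base > 0 and per_minute[i] > factor * base:
            spikes.append((i, per_minute[i], base))
    return spikes


def unknown_peer_errors(records):
    """Count DIAMETER_UNKNOWN_PEER results per origin host: a peer that is not
    provisioned but keeps sending is worth a look."""
    return Counter(r["origin"] for r in records
                   if r.get("result") == "DIAMETER_UNKNOWN_PEER")


# Constructed sample: 60 attach requests from ENB-7 in one minute (flood),
# 5 from ENB-1 (normal), and two S6a messages rejected as unknown peers.
SAMPLE_LINES = (
    [f"2025-07-20T10:00:{s:02d}Z evt=ATTACH_REQUEST enb=ENB-7 imsi=3104109{s:08d}"
     for s in range(60)]
    + [f"2025-07-20T10:00:{s:02d}Z evt=ATTACH_REQUEST enb=ENB-1 imsi=3104100000000{s}"
       for s in range(5)]
    + ["2025-07-20T10:00:30Z evt=DIAMETER_ULR origin=hss.rogue.example result=DIAMETER_UNKNOWN_PEER",
       "2025-07-20T10:00:31Z evt=DIAMETER_ULR origin=hss.rogue.example result=DIAMETER_UNKNOWN_PEER"]
)
# Constructed S6a Update-Location counts per minute: flat baseline, then a 15x jump.
SAMPLE_ULR_PER_MINUTE = [100] * 10 + [1500]

if __name__ == "__main__":
    recs = [parse_line(line) for line in SAMPLE_LINES]
    print("attach floods:", attach_floods(recs))
    print("ULR spikes:", diameter_volume_spikes(SAMPLE_ULR_PER_MINUTE))
    print("unknown peers:", unknown_peer_errors(recs))
```

The median baseline is deliberately robust to a single earlier spike; a mean would be dragged up by the previous attack and suppress the next alert.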
Prevention & Mitigation:
Protecting control-plane signaling requires capacity hardening and strict filtering. MME hardening: Ericsson MMEs implement signaling storm control and connection throttling; make sure these are configured to rate-limit attach attempts from single eNodeBs or UEs. For example, if a UE fails authentication repeatedly, the MME can delay its further attempts. Enabling 3GPP overload control, which lets eNodeBs back off when the MME signals congestion, is essential. S1 interface security: use IPsec tunnels between eNodeB and MME where possible (many operators do) to block rogue insertion and to authenticate legitimate base stations; Ericsson networks support IPsec on backhaul and control interfaces, which ensures that only known eNodeBs can send S1AP. Diameter security: protect all Diameter links (S6a, Gx and others) with a Diameter firewall and transport encryption. Deploy a Diameter firewall/IDS that enforces the GSMA SS7/Diameter security recommendations: accept messages only from whitelisted senders, validate message types and AVPs, and rate-limit queries (p1sec.com). Ericsson offers Diameter signaling controllers that can act as firewalls, dropping suspicious messages and blocking location-tracking attempts or malformed commands. Also adopt end-to-end roaming security: 5G introduces the Security Edge Protection Proxy (SEPP) for inter-PLMN signaling, and even in LTE the IPX providers now offer screening, so operators should ensure their roaming connections use these protections.
Audit configuration regularly: many Diameter attacks exploit misconfiguration, so following Ericsson configuration guidance (for example, enforcing encryption and peer authentication on S6a) closes those holes (p1sec.com). Authentication hardening: where interworking allows, applying 5G identity concealment (SUCI) and 5G-AKA to LTE subscribers can limit IMSI exposure if an attach attempts to force an IMSI reveal. Insider threat mitigation: enforce least privilege for core network administrators and monitor their actions (Ericsson Security Manager, where available, logs administrative operations). Rotate credentials regularly and require multi-factor authentication so that stolen or insider credentials cannot easily be used to manipulate core systems. In summary, segmentation (isolating the core signaling network), protocol filtering and capacity safeguards form the prevention strategy for Stage 2 threats.
Stage 3: Session Setup and Management (MME/SGW/PGW in 4G — S11, S5/S8, Gx Interfaces)
After initial attach and authentication, the network establishes the user's session context. In LTE the MME creates a default bearer by communicating with the SGW over S11 (GTP-C) and, through the SGW, with the PGW over S5 (when both gateways are in the same network) or S8 (when the PGW is in the home network and the SGW in a visited one). The PGW interacts with the PCRF over the Gx (Diameter) interface to apply policy and QoS rules. This stage therefore involves both GTP control messages (session creation and modification) and Diameter messages (policy and charging).
Threats & Techniques:
On the GTP control plane, attackers exploit weaknesses of the GPRS Tunneling Protocol. GTP has known design gaps: no authentication for many messages and no built-in encryption or integrity, so an attacker with network access can spoof messages (bitdefender.com). One threat is session hijacking or impersonation, where an adversary forges GTP-C messages to impersonate a legitimate node. For example, an attacker inside the operator's core, or a malicious roaming partner, might send a Create Session Request to the PGW for an IMSI that is not actually attached, tricking the PGW into allocating an IP address and resources (fraudulent access) (bitdefender.com). Conversely, an attacker who can guess or learn the TEID (Tunnel Endpoint Identifier) could send a Delete Session Request for an active bearer, denying service to that subscriber. Another risk is GTP resource exhaustion: creating many fake sessions to consume PGW/SGW memory or IP address pools, a variant of DoS. A more insidious attack is user impersonation via roaming: as Bitdefender's research noted, if the home network does not verify a subscriber's actual location, a fake roaming network can claim the subscriber is attached to it and the home PGW may set up a session (bitdefender.com). This lets an attacker fraudulently obtain data service on someone else's subscription or bypass billing (ATT&CK has no dedicated telecom-fraud technique; the closest fit is identity spoofing combined with Resource Hijacking, T1496). Tests of multiple operators showed that all had some vulnerability to impersonation, fraud or DoS via GTP (bitdefender.com). On the Diameter Gx side, threats include policy manipulation: an attacker who breaches the PCRF or its communications could change subscriber QoS or data limits (for example, removing throttling or content filtering).
If an adversary can send Gx messages (perhaps by compromising a test interface, or by using the credentials of a third-party service provider connected to the PCRF), they might grant unearned privileges or disrupt charging, causing revenue loss. Finally, there is data-plane redirection via the control plane: by exploiting GTP, an attacker could attempt to redirect user traffic, for instance by sending a forged Update PDP Context (GTPv1) or Modify Bearer Request (GTPv2-C) that points a bearer at a new endpoint, diverting the user's traffic to a server the attacker controls (a man-in-the-middle). These techniques align with FiGHT entries on session hijacking and slicing abuse (FiGHT marks several of these as theoretical where they have not yet been observed), and in ATT&CK terms map to Adversary-in-the-Middle (T1557) or Service Stop (T1489), depending on whether the effect is interception or a killed connection. Real-world example: security assessments found that in 71% of tested mobile networks it was possible to obtain subscriber TEIDs and internal IPs via GTP, enabling follow-on attacks such as intercepting user data or attacking that device on the network (security-gen.com).
Adversary Exploitation:
To abuse GTP, the adversary typically needs access to the carrier's internal packet core or to the inter-operator exchange (the GRX/IPX network used for roaming). A rogue roaming partner, or someone who has compromised one, can send GTP-C control messages to the home network's GTP endpoints (SGW/PGW). Because GTP was designed on the assumption of trust, the home network may accept those messages if it does not filter them. Attackers script tools to iterate through IMSIs and send a Create Session Request for each; if accepted, this allocates many bearers and IP addresses, amounting to free usage or address-pool exhaustion. In one documented scenario, attackers could impersonate subscribers and obtain internet access without paying, i.e. billing fraud, by making the network believe the user was roaming on their network and routing traffic for them (bitdefender.com). In another, an adversary who knows a target's IMSI and approximate location could send a GTP message to the home SGW pretending to be the serving side initiating a handover or a new bearer, possibly hijacking the session (complex, but proofs of concept exist). Attackers have also sent malformed GTP-U packets from the internet towards the SGi interface to test whether the PGW forwards them into the mobile network; some misconfigured networks did, exposing internal devices to attack (darkreading.com). On the Diameter PCRF side, direct attacks are less documented, but an insider or malware on the PCRF could modify policies, for example granting an attacker's device high-priority QoS or an "unlimited data" flag. If PCRF communications are not secured, an attacker on the same segment might spoof a Re-Auth-Request or Credit-Control-Request to alter charging.
Detection:
GTP anomalies can often be detected by a GTP-aware firewall or IDS. Many operators deploy GTP firewalls at their borders (towards roaming partners and at the PGW). These devices log events such as "GTP message from unauthorized source" or "invalid IMSI in GTP request"; feeding such logs into a SIEM allows detection of, say, repeated Create Session Requests for many IMSIs (scanning for valid subscribers). Ericsson SGW/PGW nodes also log session events, and unusual patterns such as rapid creation and deletion of bearers, or context setup failures, should raise flags. The sample Ericsson log data shows high counts of Diameter and control-function events; if equivalent GTP counters were available, a spike in a specific GTP error counter would stand out. A NIDS with GTP decoding (Snort with its GTP preprocessor, or a specialized telco IDS) can alert on GTP messages that violate the normal state machine (a Delete Session for an unknown session, for example), and DPI probes on S5/S8 can watch for TEID collisions or mismatches. On the Diameter side (Gx), monitoring should confirm that every policy change originates from the legitimate PCRF: an injected Gx command tends to cause inconsistencies, and the PGW may log a PCRF connection error or an unrecognized command. Ericsson PCRF logs, where accessible, show who initiated changes, and correlating those with approved change requests is key (this may require tying into OSS processes beyond the SIEM). For user-level impacts such as impersonation, an anomaly appears when two devices claim the same IMSI concurrently; HSS or PGW logs would show duplicate IP assignment or conflicting sessions. In summary, detection relies on protocol-aware analytics: telecom event logs, augmented by GTP/Diameter probes and correlation rules.
For example, if a subscriber's internal IP (from PGW logs) suddenly starts communicating from two different SGW addresses, that is suspicious (possible impersonation) (security-gen.com), and SIEM correlation can catch it.
Prevention & Mitigation:
GTP security is critical. Operators should deploy a GTP firewall at every network edge (between their core and other operators, and on the internet-facing side of the PGW/UPF). The firewall should enforce sanity checks: accept GTP-C messages only from known peers (roaming partners' IP ranges), drop messages carrying an unexpected IMSI (for example, an IMSI whose MCC/MNC belongs neither to the sending partner nor to the home network), and validate sequence numbers and TEIDs. GSMA recommends checking the subscriber's last known location before accepting certain requests (bitdefender.com): if a user is known to be in one country, do not accept a session request from a distant network without further verification. Encryption and authentication: GTP itself has no encryption, so secure the transport (IPX or VPNs) and consider IPsec for sensitive GTP links. Ericsson packet core products integrate with such firewalls and already perform some GTP validation internally; modern Ericsson SGW/PGW (and the 5G UPF) ship with hardened stacks that check protocol correctness, but the administrator must still configure the firewall rules (IMSI ranges, rate limits and so on) following the GSMA FS.20 guidelines. Diameter/PCRF protection: as for S6a, secure the Gx interface with a Diameter firewall. Only the home PCRF should send policy rules, and the PGW should reject Gx messages that do not arrive over the authorized, authenticated connection. Use TLS or IPsec on Gx to prevent spoofing and interception.
Also implement robust PCF/PCRF access control: if third-party application functions can request policy changes through exposed APIs, those requests must be strongly authenticated and limited in scope. Session monitoring: deploy signaling-level monitoring that can drop suspicious sessions automatically; if an IMSI shows up with two simultaneous sessions in two distant locations, terminate one and alert the security team. Resource quotas: configure limits such as maximum bearers per IMSI or maximum sessions per SGSN/MME per minute to contain floods (many Ericsson EPC nodes expose such parameters). On the process side, ensure roaming agreements include security clauses so partners commit to securing their networks, bearing in mind that a compromised partner still looks like the partner on the wire. For fraud prevention, complement technical controls with analytics: run billing records through fraud detection that spots unusual patterns (a subscriber who suddenly racks up data "roaming" in another country may be an impersonation). Finally, migrate to the 5G service-based architecture where possible (discussed next), since it introduces stricter authentication between network functions; note, however, that 5G still carries the user plane over GTP-U (N3/N9) and relies on GTP in Non-Standalone and roaming scenarios, so GTP security remains relevant in 5G too (bitdefender.com). Combining GTP/Diameter firewalls, rigorous filtering and continuous monitoring significantly reduces the attack surface at the session setup stage.
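The border checks listed above, together with the concurrent-session correlation from the Detection subsection, are shown as one added Python example written for this page (not Ericsson code and not from the article). A small screener evaluates inbound Create Session Requests from roaming partners in order: known peer, IMSI belongs to the home PLMN, the Serving Network IE matches the sending partner, the HSS's last known location is plausible, and a per-IMSI session quota; it also raises an alert when the same IMSI is served by two partners at once. The same shape applies to the S6a Diameter screening described in Stage 2 (origin host/realm allow-list and IMSI-to-realm consistency). The partner table, PLMN identifiers, IMSIs, timestamps, the one-hour location window and the quota of two sessions are all constructed assumptions.

```python
"""Edge screening of inbound GTP-C Create Session Requests (added example).

Not Ericsson code and not from the article. Implements the border checks the
text lists (known peer, IMSI belongs to the home PLMN, Serving Network IE
matches the sending partner, last-known-location plausibility, per-IMSI
session quota) plus the concurrent-session correlation from the Detection
subsection. Partner table, PLMN ids, IMSIs and timestamps are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class CreateSessionRequest:
    peer_ip: str        # source address of the GTP-C message
    imsi: str
    serving_plmn: str   # Serving Network IE (MCC+MNC) the sender claims
    ts: float


@dataclass
class GtpScreener:
    partners: dict                  # peer_ip -> PLMN id of that roaming partner
    home_plmn: str                  # our MCC+MNC
    last_location: dict             # imsi -> (plmn, ts) from the HSS (last Update Location)
    location_window_s: float = 3600.0
    max_sessions_per_imsi: int = 2
    active: dict = field(default_factory=lambda: defaultdict(list))  # imsi -> [peer_ip]
    alerts: list = field(default_factory=list)

    def screen(self, req):
        """Return ('allow' | 'drop', reason); session state is updated on allow."""
        partner_plmn = self.partners.get(req.peer_ip)
        if partner_plmn is None:
            return "drop", "unknown_peer"
        if not req.imsi.startswith(self.home_plmn):
            return "drop", "imsi_not_home_subscriber"
        if req.serving_plmn != partner_plmn:
            return "drop", "serving_plmn_mismatch"
        known = self.last_location.get(req.imsi)
        if known is not None:
            plmn, seen_ts = known
            # The HSS recently placed this subscriber in another network, so a
            # session request arriving via a different partner is implausible.
            if plmn != partner_plmn and req.ts - seen_ts < self.location_window_s:
                return "drop", "location_implausible"
        sessions = self.active[req.imsi]
        if len(sessions) >= self.max_sessions_per_imsi:
            return "drop", "session_quota_exceeded"
        if any(peer != req.peer_ip for peer in sessions):
            # Allowed by this policy, but flagged: one IMSI served by two partners.
            self.alerts.append((req.imsi, "concurrent_sessions",
                                sorted({*sessions, req.peer_ip})))
        sessions.append(req.peer_ip)
        return "allow", "ok"


# Constructed environment: two roaming partners, our PLMN, one HSS location record.
PARTNERS = {"198.51.100.10": "26201", "198.51.100.20": "20801"}
HOME_PLMN = "31041"
LAST_LOCATION = {"310410000000001": ("26201", 1000.0)}   # seen in partner 26201 at t=1000

SAMPLE_REQUESTS = [
    CreateSessionRequest("198.51.100.10", "310410000000001", "26201", 1500.0),  # legitimate
    CreateSessionRequest("203.0.113.5",   "310410000000001", "26201", 1510.0),  # not a partner
    CreateSessionRequest("198.51.100.10", "262010000000009", "26201", 1520.0),  # foreign IMSI
    CreateSessionRequest("198.51.100.20", "310410000000001", "26201", 1530.0),  # IE/peer mismatch
    CreateSessionRequest("198.51.100.20", "310410000000001", "20801", 1600.0),  # in 26201 10 min ago
    CreateSessionRequest("198.51.100.20", "310410000000002", "20801", 1700.0),  # ok, no history
    CreateSessionRequest("198.51.100.10", "310410000000002", "26201", 1750.0),  # ok but concurrent
    CreateSessionRequest("198.51.100.10", "310410000000002", "26201", 1760.0),  # over quota
]


def run_sample():
    """Screen SAMPLE_REQUESTS in order; return (decisions, screener)."""
    screener = GtpScreener(PARTNERS, HOME_PLMN, dict(LAST_LOCATION))
    decisions = [screener.screen(r) for r in SAMPLE_REQUESTS]
    return decisions, screener


if __name__ == "__main__":
    decisions, screener = run_sample()
    for req, (verdict, why) in zip(SAMPLE_REQUESTS, decisions):
        print(f"{req.peer_ip:>14} {req.imsi} {verdict:5} {why}")
    print("alerts:", screener.alerts)
```

The order of the checks matters: the cheap identity checks (peer, IMSI prefix, Serving Network IE) reject most junk before any state lookup, and the location check only fires when the HSS record is fresh, so a subscriber whose last update is stale is not wrongly blocked from a new visited network.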
Stage 4: User Plane Communication (UE data traffic — S1-U and SGi Interfaces)
In this stage, the user’s IP traffic flows from the UE, through the eNodeB (over the GTP-U tunnel on S1-U to the SGW, and then to PGW), and exits to the public internet via the SGi interface (the connection between PGW and data network). While previous stages cover signaling, this stage concerns data payload and its exposure both within the carrier network and externally.
Threats & Techniques:
One set of threats involves eavesdropping on or tampering with user data. An adversary who has compromised part of the network (or an insider on the ISP side) could sniff unencrypted traffic on the SGi interface or inside the EPC. User-plane encryption in LTE exists only over the air interface (between UE and base station); traffic on S1-U, S5/S8 and SGi is plain IP unless the operator adds IPsec. An attacker on those paths (for example, after infiltrating the transport network or a router) can capture packets (ATT&CK T1040: Network Sniffing) to collect sensitive data (mitre.ptsecurity.com). This is especially dangerous for plaintext protocols, or when the attacker is after metadata such as website accesses. There is also a risk of data manipulation, such as injecting packets into a user's stream: an attacker who knows the TEID and the IP addresses used for GTP can craft a GTP-U packet carrying a fake payload. Another threat comes from the internet side: distributed denial of service (DDoS) against the mobile network over the user plane. A botnet might flood the public IP of a PGW to overwhelm the PGW or its firewall (ATT&CK T1498, Network Denial of Service). Alternatively, mobile UEs can themselves be bots generating outbound DDoS towards internet targets, which indirectly harms the network by saturating SGi or radio resources. Insider or malware on the core: malware on an SGW/PGW or a critical router could reroute or mirror traffic (covert interception), analogous to a man-in-the-middle. Real-world examples include telco insiders planting sniffers to collect politicians' phone calls; the "Athens Affair" wiretap involved rogue code on an Ericsson switch that copied conversations.
Although that example dates from the 2G era, the concept translates: an insider could enable port mirroring on a PGW or use diagnostic functions to capture user traffic surreptitiously. Interconnect attacks: on roaming data paths, an attacker could abuse the GRX/IPX networks, inserting themselves to sniff international roaming traffic if those links are not encrypted. Lastly, lack of segmentation between enterprise IT and the core could let an IT-malware foothold reach user-plane gateways; from there the attacker could implant backdoors or create tunnels to exfiltrate subscriber data (ATT&CK exfiltration and command-and-control techniques, such as T1071 Application Layer Protocol, which FiGHT notes can also involve abusing telecom protocols for C2).
Adversary Exploitation:
A nation-state adversary might target the SGi interface by compromising an upstream router or internet exchange. For example, if secure routing protocols are not in use, an attacker could perform a **BGP hijack** to temporarily reroute traffic from the PGW to a server they control, enabling sniffing or injection — effectively a man-in-the-middle on a grand scale (this is outside the scope of pure telco infrastructure but has happened in other contexts). On a smaller scale, an attacker who gained remote access to the PGW (via a vulnerability or credentials) could turn on packet capture (most EPC nodes have this for troubleshooting) and collect user traffic (CDRs, DNS queries, etc.). There have been reports of APTs living inside telco networks for months, exfiltrating Call Data Records and even the content of communications — typically by abusing administrative tools on core elements. From the internet side, criminals might use reflection attacks to DDoS a PGW (though PGWs are usually not directly addressable except for GI firewall IPs). However, one notable user-plane threat is that if an attacker knows a subscriber’s IP (which might be a public IP or reachable via APN), they could attack the device — e.g., scan or exploit an open port on a smartphone. This was more common when carriers gave out public IPv4 addresses; a worm could propagate phone to phone. Now, with carrier-grade NAT and firewalls, it is mitigated, but in IPv6 scenarios each handset has a public IP and must rely on a host-based firewall. Attackers might scan the mobile IP ranges (Network Scanning — ATT&CK T1046) to find vulnerable phones or IoT devices. Indeed, FiGHT FGT1046 covers adversaries scanning 5G infrastructure, but scanning can target users as well. Once compromised, those devices can become bots that attack others or the network.
Detection:
For eavesdropping and MITM, detection is tricky because a passive sniffer leaves little trace. However, indicators might include **unexpected data forwarding paths**: Ericsson’s analytics could detect if traffic that should go from the PGW to a certain router is being diverted. NetFlow records can be used — if an insider sets up a span port, the volume of traffic on a monitoring interface might be noticeable. Another clue is an attacker using telecom protocols for C2 or exfiltration — for instance, malware could embed commands in DNS queries or use SMS/MMS channels to smuggle data. NIDS/DPI at SGi can detect patterns like a device sending large continuous streams to an odd external server (possibly data exfiltration from an IMSI). In our logs context, Ericsson’s **Mesh Controller - Authentication** events or others might indicate internal system misuse. If an SGW/PGW is accessed illegitimately, syslogs might show an admin session at an odd time or a suspicious command run (those would be captured by the SIEM if it is integrated with O&M systems). For DDoS, the signs are clearer: traffic counters on SGi will spike. **Ericsson’s performance management** emits KPI alarms if throughput or CPU on gateways hits thresholds. A SIEM receiving those, or a NIDS seeing a flood (like many SYN packets to one IP), can trigger alerts. Many operators use **DDoS protection systems** on SGi that automatically detect and mitigate volumetric attacks – logs from those (e.g., “sybil attack detected on PGW IP”) should feed into security operations. Additionally, deep packet inspection can catch scanning: e.g., if a single external IP is trying sequential ports on many subscriber IPs, or one internal IP is scanning outwards – those patterns can be identified by IDS signatures or flow analytics. The ATT&CK technique **T1040 (Network Sniffing)** can be detected by noticing a network interface in promiscuous mode on a server (though on appliances like a PGW that is hard to see without host-based tools). So host intrusion detection on core nodes might help – checking for use of packet capture utilities or unusual processes. In summary, multi-layer monitoring (host-based on core nodes for insider actions, network-based for traffic anomalies) is required.
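The flow-analytics patterns described above (an external host probing many subscriber IPs, a SYN flood at the PGW address, a subscriber pushing a large continuous stream to one unusual server) as an added example, not code from the article or from Ericsson; the subscriber pool, the PGW address and the NetFlow-style records are constructed for the demonstration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed (constructed) addressing: the subscriber pool behind the PGW and
# the public address of the PGW / GI firewall on the SGi side.
SUBSCRIBER_POOL = ip_network("10.64.0.0/16")
PGW_PUBLIC_IP = "203.0.113.10"

def is_subscriber(ip):
    return ip_address(ip) in SUBSCRIBER_POOL

# Constructed flow records: (src_ip, dst_ip, dst_port, tcp_flags, bytes).
FLOWS = (
    # one external host probing sequential ports across many subscriber IPs
    [("198.51.100.7", f"10.64.1.{h}", 20 + h, "S", 60) for h in range(1, 13)]
    # SYN-only flows from many sources aimed at the PGW public IP
    + [(f"192.0.2.{i}", PGW_PUBLIC_IP, 443, "S", 60) for i in range(1, 41)]
    # a subscriber pushing a large continuous stream to one unusual server
    + [("10.64.5.9", "198.51.100.200", 8443, "SA", 900_000_000)]
    # ordinary browsing, which must not alert
    + [("10.64.5.10", "203.0.113.80", 443, "SA", 120_000)]
)

def detect_external_scans(flows, min_targets=10):
    """External sources touching many distinct subscriber IP/port pairs."""
    targets = defaultdict(set)
    for src, dst, port, _flags, _b in flows:
        if not is_subscriber(src) and is_subscriber(dst):
            targets[src].add((dst, port))
    return {s: len(t) for s, t in targets.items() if len(t) >= min_targets}

def detect_syn_flood(flows, victim=PGW_PUBLIC_IP, min_sources=30):
    """Number of distinct sources sending SYN-only flows at the victim (0 if below threshold)."""
    sources = {src for src, dst, _p, flags, _b in flows
               if dst == victim and flags == "S"}
    return len(sources) if len(sources) >= min_sources else 0

def detect_bulk_upload(flows, min_bytes=500_000_000):
    """Subscribers sending an unusually large volume to a single external host."""
    return [(src, dst, b) for src, dst, _p, _f, b in flows
            if is_subscriber(src) and not is_subscriber(dst) and b >= min_bytes]

def analyze(flows):
    return {"scans": detect_external_scans(flows),
            "syn_flood_sources": detect_syn_flood(flows),
            "bulk_uploads": detect_bulk_upload(flows)}

if __name__ == "__main__":
    for name, hits in analyze(FLOWS).items():
        print(name, hits)
```

The thresholds are illustrative; in production they would be tuned per APN and fed to the SIEM alongside the PGW KPI alarms mentioned above.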
Prevention & Mitigation:
**Encrypting user traffic end-to-end** is ultimately the best protection — fortunately, many applications use TLS, so even if an attacker sniffs SGi, they might not get cleartext. But from the operator side, implementing **IPsec on backhaul and core transport** can prevent outsiders from sniffing in transit. For instance, ensure S1-U (eNodeB to SGW) goes over secured tunnels (some networks run IPsec from the base station to the core). Within the core data centers, use network segmentation: PGW/UPF should be on a segment with limited access, so that sniffing there would require defeating internal security. **Strict internal access controls** — only authorized engineers should have login access to PGW/UPF, and they should use secure jump hosts with monitoring. All admin actions (like starting a trace) should be logged. Ericsson’s best practices include role-based access control and alarm generation if debug modes (like packet trace) are left running too long. **GI Firewall and DDoS Protection:** Deploy a robust firewall at SGi (often integrated with the PGW or as an external appliance) to block unauthorized inbound traffic. This firewall should have anti-spoofing (so external hosts can’t send packets appearing to be from internal IPs, and vice versa) and rate-limiting. Many Ericsson customers use third-party firewalls (or Ericsson’s own, if offered) that can absorb or scrub DDoS traffic. **Botnet mitigation:** use anomaly detection to identify devices participating in botnets (for example, if a phone starts scanning, auto-quarantine that subscriber or throttle their connection). Some operators implement “walled garden” networks for infected devices — the network can send the user to a captive portal until the device is cleaned. **Regular network audits** can find unauthorized monitoring hardware (e.g., a rogue span port or a sniffer machine plugged in). At the IP layer, implement **MACsec or other link encryption** on critical links (like between data centers) to thwart passive taps. **User awareness:** while beyond the core network, encouraging customers to use device firewalls and keep software updated reduces the risk of device compromise that leads to network abuse. From the perspective of MITRE ATT&CK, applying the **Network Segmentation (D3FEND: D3-NETSEG)** and **Encrypted Channel (D3FEND: D3-ENC)** principles helps counter techniques like network sniffing and scanning. Ericsson infrastructure can leverage virtualization security too — for example, if the EPC is virtualized, ensure the virtualization platform has anti-snooping features (preventing one VM from sniffing another’s traffic). In conclusion, protecting the user plane means a blend of **hardening network edges** (firewalls, DDoS mitigators), **internal zero-trust** (no open access to core traffic), and **monitoring for misuse**. This limits opportunities for both external attackers and malicious insiders to capture or disrupt user data.
References:
Industry Standards and Frameworks
1. MITRE ATT&CK® Framework
2. MITRE FiGHT™ Framework
3. GSMA FS.19 Diameter Interconnect Security Guidelines
4. GSMA FS.20 GTP Security Recommendations

Research and Reports
5. Cybereason — Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers
6. P1 Security — Diameter & SS7 Security Reports
7. Positive Technologies — Telecom Security Threat Landscape Reports
8. ENISA Threat Landscape for 5G Networks
9. Bitdefender — Security Assessment of LTE Networks
10. Nokia Threat Intelligence Report — 5G Security

Ericsson Documentation
11. Ericsson 5G Security Whitepaper
12. Ericsson Diameter Signaling Controller Security Guide
13. Ericsson Mobility Management Entity (MME) Security Guidelines

Academic and Technical Papers
14. Khan, M.A., & Mitchell, C.J. (2018). *Security Issues in the 5G Network.* IEEE Communications Surveys & Tutorials, 20(4), 3516–3533.
15. Ahmad, I., et al. (2019). *Overview of 5G Security Challenges and Solutions.* IEEE Communications Standards Magazine, 3(1), 36–43.
16. Shaik, A., et al. (2016). *Practical Attacks Against Privacy and Availability in 4G/LTE Mobile Communication Systems.* NDSS Symposium.