TECHNICAL ANNEX
Classification: CONFIDENTIAL / CYBER‑SIGINT
Annex ID: JTF‑CYB‑INT‑0276‑A
1. NETWORK‑LEVEL ATTACK VECTORS
1.1 Rogue Base Station Operations
Analysis confirms deployment of unauthorized base transceiver stations (BTS) mimicking legitimate carrier infrastructure.
Observed capabilities:
- Broadcast of spoofed MCC/MNC identifiers
- Forced handset reselection via higher signal strength
- Downgrade attacks (LTE/5G → GSM) to remove encryption
Indicators:
- Sudden LAC/CID changes without geographic movement
- Abnormal Timing Advance (TA) values
- Ciphering disabled or A5/0 fallback
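The three indicators above can be scored mechanically from a handset's own cell observations. The following is an added illustration, not code from the annex or from the investigating task force: it parses constructed cell-log records (the field names, the stationary-movement threshold, the timing-advance jump threshold and the list of known operator cells are all assumptions chosen for this example) and reports which indicator each record trips.

```python
"""Rogue base station indicator scoring over handset cell observations.

Added example (not part of the annex). Field names, thresholds, the known-cell
list and the log lines below are assumptions constructed for illustration.
"""
import math
from dataclasses import dataclass

# Constructed sample: time, PLMN (MCC/MNC), LAC, CID, timing advance, cipher,
# and the handset's own GPS fix. Records 3 and 4 model a rogue cell.
SAMPLE_LOG = """\
t=0   mcc=310 mnc=260 lac=4011 cid=70210 ta=3 cipher=A5/3 lat=40.7128 lon=-74.0060
t=30  mcc=310 mnc=260 lac=4011 cid=70210 ta=3 cipher=A5/3 lat=40.7129 lon=-74.0061
t=60  mcc=310 mnc=260 lac=9999 cid=1     ta=0 cipher=A5/0 lat=40.7129 lon=-74.0061
t=90  mcc=310 mnc=260 lac=9999 cid=1     ta=0 cipher=A5/0 lat=40.7128 lon=-74.0060
t=120 mcc=310 mnc=260 lac=4011 cid=70210 ta=3 cipher=A5/3 lat=40.7127 lon=-74.0059
"""

# Assumption: the operator's site list, used for cell ID consistency validation
KNOWN_CELLS = {(4011, 70210), (4011, 70211)}
MOVE_THRESHOLD_M = 200.0  # assumption: below this the handset is treated as stationary
TA_JUMP = 2               # assumption: a larger TA step while stationary is suspicious
WEAK_CIPHERS = {"A5/0", "none"}


@dataclass
class Observation:
    t: int
    plmn: str
    lac: int
    cid: int
    ta: int
    cipher: str
    lat: float
    lon: float


def parse_log(text: str) -> list[Observation]:
    """Parse key=value records into Observation objects."""
    obs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        kv = dict(tok.split("=", 1) for tok in line.split())
        obs.append(Observation(int(kv["t"]), kv["mcc"] + kv["mnc"], int(kv["lac"]),
                               int(kv["cid"]), int(kv["ta"]), kv["cipher"],
                               float(kv["lat"]), float(kv["lon"])))
    return obs


def haversine_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in metres between two GPS fixes."""
    r = 6371000.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dl = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def score(obs: list[Observation]) -> list[tuple[int, list[str]]]:
    """Return (timestamp, [indicator names]) for every record that trips an indicator."""
    findings = []
    for prev, cur in zip(obs, obs[1:]):
        hits = []
        moved = haversine_m(prev.lat, prev.lon, cur.lat, cur.lon)
        stationary = moved < MOVE_THRESHOLD_M
        # Indicator: LAC/CID change without geographic movement
        if (prev.lac, prev.cid) != (cur.lac, cur.cid) and stationary:
            hits.append("cell_change_without_movement")
        # Indicator: abnormal timing advance step at a stationary handset
        if abs(cur.ta - prev.ta) > TA_JUMP and stationary:
            hits.append("ta_anomaly")
        # Indicator: ciphering disabled or A5/0 fallback
        if cur.cipher in WEAK_CIPHERS:
            hits.append("ciphering_disabled")
        # Consistency check: cell not present in the operator's site list
        if (cur.lac, cur.cid) not in KNOWN_CELLS:
            hits.append("unknown_cell")
        if hits:
            findings.append((cur.t, hits))
    return findings


if __name__ == "__main__":
    for t, hits in score(parse_log(SAMPLE_LOG)):
        print(t, ", ".join(hits))
```

A spoofed MCC/MNC cannot be recognised from the identifier itself, because the rogue cell copies the legitimate values; that is why the example validates the (LAC, CID) pair against a site list rather than the PLMN. Movement is judged from the handset's own GPS fix, so a vehicle-mounted rogue BTS that travels with the target would not trip the first two indicators and has to be caught by the cipher and site-list checks.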
1.2 IMSI & TMSI Harvesting
Captured logs indicate systematic collection of subscriber identifiers.
Methods:
- Silent SMS paging
- Location update requests
- Attach/detach manipulation
Data collected:
- IMSI
- IMEI
- MSISDN (correlated post‑collection)
- Mobility patterns
2. TELECOM INFRASTRUCTURE MANIPULATION
2.1 Signaling Exploitation
Evidence suggests abuse of legacy signaling protocols.
Suspected vectors:
- SS7 MAP requests (AnyTimeInterrogation, ProvideSubscriberInfo)
- Diameter misconfiguration exploitation
- Inter‑carrier trust abuse
Effects:
- Call and SMS redirection
- Location tracking
- Call forwarding activation without subscriber awareness
2.2 SIM & Authentication Attacks
Observed tactics:
- SIM swap facilitation via social engineering and compromised retail access
- Ki extraction attempts using downgraded cipher modes
- OTA (Over‑The‑Air) message injection
Artifacts recovered:
- Modified SIM toolkits
- Non‑standard OTA headers
- Replayable authentication sequences
3. DEVICE‑LEVEL COMPROMISE
3.1 Firmware & Baseband Attacks
Forensic analysis identified tampered baseband firmware on seized devices.
Characteristics:
- Disabled user notification flags
- Hidden diagnostic interfaces enabled
- Persistent monitoring modules surviving factory reset
Risk:
Baseband compromise bypasses OS‑level security and standard mobile antivirus detection.
3.2 Payload Delivery
Delivery vectors include:
- Malicious configuration profiles
- Zero‑click signaling payloads
- Compromised charging accessories (USB‑C inline implants)
4. COMMAND & CONTROL (C2)
4.1 Communications Architecture
C2 traffic exhibits:
- Short‑burst encrypted transmissions
- Domain fronting
- Fast‑flux DNS rotation
Protocols observed:
- Custom TLS over TCP/443
- Encrypted UDP tunnels
- Opportunistic Bluetooth mesh relays
4.2 Traffic Signatures
Packet inspection revealed:
- Non‑standard cipher suites
- Repeated session renegotiation
- Metadata‑heavy, low‑content payloads
5. MEDIA ACQUISITION & COERCIVE USE
5.1 Digital Asset Handling
The network prioritizes acquisition of sensitive media to apply leverage.
Technical indicators:
- Automated cloud scraping
- Account token replay
- Metadata stripping and re‑encoding
Processing pipeline:
- Acquisition
- Sanitization
- Selective editing
- Encrypted distribution
6. FORENSIC EVIDENCE SNAPSHOT
6.1 Log Artifacts
- Forced network reselection timestamps
- Authentication failures followed by downgrade success
- Repeated silent SMS delivery confirmations
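The second and third artifacts are sequences rather than single events, so they are best found by correlating per subscriber over time. The following is an added example, not code from the annex: two detectors run over constructed network-side event lines. The line format, the field names (sub=, event=, rat=, pid=), the subscriber labels and the windows are assumptions; the only standards-derived value is TP-PID 0x40, which 3GPP TS 23.040 assigns to "Short Message Type 0" (the silent SMS).

```python
"""Correlating the 6.1 log artifacts per subscriber.

Added example (not part of the annex). Event format, field names, subscriber
labels and the windows are assumptions constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: subscriber A fails LTE authentication, attaches on GSM
# without ciphering a few seconds later, then receives four type-0 SMS.
# Subscriber B is a benign control.
SAMPLE_EVENTS = """\
2024-05-01T10:00:01 sub=A event=AUTH_FAIL rat=LTE
2024-05-01T10:00:04 sub=A event=AUTH_FAIL rat=LTE
2024-05-01T10:00:09 sub=A event=ATTACH_OK rat=GSM cipher=A5/0
2024-05-01T10:00:30 sub=B event=AUTH_FAIL rat=LTE
2024-05-01T10:01:00 sub=A event=SMS_DELIVERY_REPORT pid=0x40
2024-05-01T10:01:40 sub=A event=SMS_DELIVERY_REPORT pid=0x40
2024-05-01T10:02:20 sub=A event=SMS_DELIVERY_REPORT pid=0x40
2024-05-01T10:03:00 sub=A event=SMS_DELIVERY_REPORT pid=0x40
2024-05-01T10:05:00 sub=B event=ATTACH_OK rat=LTE cipher=EEA2
2024-05-01T10:06:00 sub=B event=SMS_DELIVERY_REPORT pid=0x00
"""

SILENT_SMS_PID = "0x40"                   # TP-PID for Short Message Type 0 (3GPP TS 23.040)
DOWNGRADE_WINDOW = timedelta(seconds=60)  # assumption
SILENT_SMS_WINDOW = timedelta(minutes=10) # assumption
SILENT_SMS_MIN = 3                        # assumption


def parse_events(text: str) -> list[dict]:
    """Parse 'timestamp key=value ...' lines into dicts, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        rec = {"ts": datetime.fromisoformat(ts)}
        rec.update(f.split("=", 1) for f in fields)
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def find_auth_fail_then_downgrade(events: list[dict]) -> list[tuple[str, datetime]]:
    """Subscribers whose authentication failure is followed within
    DOWNGRADE_WINDOW by a successful attach on GSM."""
    last_fail = {}
    hits = []
    for e in events:
        sub = e["sub"]
        if e["event"] == "AUTH_FAIL":
            last_fail[sub] = e["ts"]
        elif e["event"] == "ATTACH_OK" and e.get("rat") == "GSM":
            t0 = last_fail.get(sub)
            if t0 is not None and e["ts"] - t0 <= DOWNGRADE_WINDOW:
                hits.append((sub, e["ts"]))
    return hits


def find_silent_sms_bursts(events: list[dict]) -> list[tuple[str, int]]:
    """Subscribers receiving at least SILENT_SMS_MIN type-0 delivery reports
    inside a sliding SILENT_SMS_WINDOW; each subscriber is reported once."""
    per_sub = defaultdict(list)
    for e in events:
        if e["event"] == "SMS_DELIVERY_REPORT" and e.get("pid") == SILENT_SMS_PID:
            per_sub[e["sub"]].append(e["ts"])
    bursts = []
    for sub, times in per_sub.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > SILENT_SMS_WINDOW:
                start += 1
            if end - start + 1 >= SILENT_SMS_MIN:
                bursts.append((sub, end - start + 1))
                break
    return bursts


if __name__ == "__main__":
    ev = parse_events(SAMPLE_EVENTS)
    print("auth fail -> GSM attach:", find_auth_fail_then_downgrade(ev))
    print("silent SMS bursts:", find_silent_sms_bursts(ev))
```

The downgrade detector keys on the radio access technology of the successful attach, not on the cipher field, so it also catches a GSM attach that negotiated A5/1 or A5/3; the cipher value is still worth recording because A5/0 after a failure is the stronger signal. The silent SMS detector reports the count at the moment the threshold is first crossed, which keeps one alert per subscriber per run.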
6.2 Hardware Evidence
- FPGA‑based radio modules
- Reflashed SDR units
- Battery‑powered portable BTS equipment
7. DETECTION & COUNTER‑SIGINT MEASURES
7.1 Detection
- Continuous RF spectrum monitoring
- Cell ID consistency validation
- Subscriber anomaly clustering
7.2 Mitigation
- Enforce LTE/5G‑only modes where possible
- Disable legacy GSM support
- Deploy baseband integrity checks
- Harden inter‑carrier signaling firewalls
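The signaling firewall hardening listed here is the direct counter to the 2.1 vectors (AnyTimeInterrogation and ProvideSubscriberInfo arriving over the interconnect). The following is an added example, not code from the annex or from any carrier product: a minimal screening policy that rejects MAP operations which should never be received from an interconnect partner and applies a velocity check to location updates. The home global title prefix, the operation set, the speed limit, the country-to-coordinate table and the sample messages are assumptions constructed for illustration; the approach is in the spirit of category-based screening as described in GSMA FS.11, but the rule table is not a reproduction of that document.

```python
"""Inter-carrier signaling screening for MAP traffic.

Added example (not part of the annex). HOME_GT_PREFIX, INTERNAL_ONLY_OPS,
MAX_SPEED_KMH, GT_LOCATION and SAMPLE_MESSAGES are assumptions constructed
for illustration; the IMSI values are placeholders.
"""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

HOME_GT_PREFIX = "4470"     # assumption: global titles belonging to the home network
MAX_SPEED_KMH = 1000.0      # assumption: faster than this between updates is implausible

# Assumed set: operations that only make sense from inside the home network and
# should be dropped when the calling global title is an interconnect partner.
INTERNAL_ONLY_OPS = {"AnyTimeInterrogation", "ProvideSubscriberInfo", "SendIMSI"}

# Assumption: country code prefix of a global title -> representative coordinate
GT_LOCATION = {
    "44": (51.5, -0.1),
    "33": (48.9, 2.3),
    "1": (40.7, -74.0),
}

# Constructed interconnect traffic: a home-network ATI, an external ATI, a
# location update from country 33 followed 19 minutes later by one from
# country 1, and a benign routing query.
SAMPLE_MESSAGES = [
    {"ts": "2024-05-01T09:00:00", "calling_gt": "447012345678", "op": "AnyTimeInterrogation", "imsi": "IMSI_PLACEHOLDER"},
    {"ts": "2024-05-01T09:00:05", "calling_gt": "331234567890", "op": "AnyTimeInterrogation", "imsi": "IMSI_PLACEHOLDER"},
    {"ts": "2024-05-01T09:01:00", "calling_gt": "331234567890", "op": "UpdateLocation", "imsi": "IMSI_PLACEHOLDER"},
    {"ts": "2024-05-01T09:20:00", "calling_gt": "12125550100", "op": "UpdateLocation", "imsi": "IMSI_PLACEHOLDER"},
    {"ts": "2024-05-01T09:25:00", "calling_gt": "331234567890", "op": "SendRoutingInfoForSM", "imsi": "IMSI_PLACEHOLDER"},
]


def gt_country(gt: str):
    """Longest-prefix match of a global title against the country table."""
    for prefix in sorted(GT_LOCATION, key=len, reverse=True):
        if gt.startswith(prefix):
            return prefix
    return None


def haversine_km(a, b) -> float:
    """Great-circle distance in km between two (lat, lon) pairs."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


class SignalingScreen:
    """Stateful screen: remembers each subscriber's last accepted location."""

    def __init__(self):
        self.last_location = {}  # imsi -> (timestamp, country prefix)

    def evaluate(self, msg: dict) -> tuple[str, str]:
        op, gt = msg["op"], msg["calling_gt"]
        # Rule 1: internal-only operations must originate from a home GT
        if op in INTERNAL_ONLY_OPS and not gt.startswith(HOME_GT_PREFIX):
            return ("BLOCK", f"{op} from external GT {gt}")
        # Rule 2: velocity plausibility for location updates
        if op == "UpdateLocation":
            country = gt_country(gt)
            prev = self.last_location.get(msg["imsi"])
            if prev is not None and country is not None and prev[1] != country:
                hours = (msg["ts"] - prev[0]).total_seconds() / 3600
                dist = haversine_km(GT_LOCATION[prev[1]], GT_LOCATION[country])
                if hours <= 0 or dist / hours > MAX_SPEED_KMH:
                    return ("FLAG", f"implausible move {prev[1]}->{country} in {hours:.2f} h")
            if country is not None:
                self.last_location[msg["imsi"]] = (msg["ts"], country)
        return ("ALLOW", "")


def screen_all(messages: list[dict]) -> list[tuple[str, str]]:
    """Parse timestamps and run every message through one SignalingScreen."""
    screen = SignalingScreen()
    out = []
    for m in messages:
        rec = dict(m, ts=datetime.fromisoformat(m["ts"]))
        out.append(screen.evaluate(rec))
    return out


if __name__ == "__main__":
    for m, (decision, reason) in zip(SAMPLE_MESSAGES, screen_all(SAMPLE_MESSAGES)):
        print(decision, m["op"], m["calling_gt"], reason)
```

A flagged location update is deliberately not written into the subscriber's last-known location, so one implausible message cannot reset the baseline for the next. The velocity rule is a plausibility check rather than a hard block because legitimate flights do produce country changes; the threshold and the coordinate table are where an operator's real data would go.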
8. ASSESSMENT
The technical sophistication observed indicates:
- Experienced operators
- Access to specialized hardware
- Knowledge of telecom standards and legacy weaknesses
The threat is persistent, mobile, and difficult to attribute, aligning with advanced criminal or hybrid‑warfare cyber actors.