intel 93 394 30 303 033

TECHNICAL ANNEX

Classification: CONFIDENTIAL / CYBER‑SIGINT
Annex ID: JTF‑CYB‑INT‑0276‑A

1. NETWORK‑LEVEL ATTACK VECTORS

1.1 Rogue Base Station Operations

Analysis confirms deployment of unauthorized base transceiver stations (BTS) mimicking legitimate carrier infrastructure.

Observed capabilities:

Broadcast of spoofed MCC/MNC identifiers
Forced handset reselection via higher signal strength
Downgrade attacks (LTE/5G → GSM) to remove encryption

Indicators:

Sudden LAC/CID changes without geographic movement
Abnormal Timing Advance (TA) values
Ciphering disabled or A5/0 fallback

1.2 IMSI & TMSI Harvesting

Captured logs indicate systematic collection of subscriber identifiers.

Methods:

Silent SMS paging
Location update requests
Attach/detach manipulation

Data collected:

IMSI
IMEI
MSISDN (correlated post‑collection)
Mobility patterns

2. TELECOM INFRASTRUCTURE MANIPULATION

2.1 Signaling Exploitation

Evidence suggests abuse of legacy signaling protocols.

Suspected vectors:

SS7 MAP requests (AnyTimeInterrogation, ProvideSubscriberInfo)
Diameter misconfiguration exploitation
Inter‑carrier trust abuse

Effects:

Call and SMS redirection
Location tracking
Call forwarding activation without subscriber awareness

2.2 SIM & Authentication Attacks

Observed tactics:

SIM swap facilitation via social engineering and compromised retail access
Ki extraction attempts using downgraded cipher modes
OTA (Over‑The‑Air) message injection

Artifacts recovered:

Modified SIM toolkits
Non‑standard OTA headers
Replayable authentication sequences

3. DEVICE‑LEVEL COMPROMISE

3.1 Firmware & Baseband Attacks

Forensic analysis identified tampered baseband firmware on seized devices.

Characteristics:

Disabled user notification flags
Hidden diagnostic interfaces enabled
Persistent monitoring modules surviving factory reset

Risk:
Baseband compromise bypasses OS‑level security and standard mobile antivirus detection.

3.2 Payload Delivery

Delivery vectors include:

Malicious configuration profiles
Zero‑click signaling payloads
Compromised charging accessories (USB‑C inline implants)

4. COMMAND & CONTROL (C2)

4.1 Communications Architecture

C2 traffic exhibits:

Short‑burst encrypted transmissions
Domain fronting
Fast‑flux DNS rotation

Protocols observed:

Custom TLS over TCP/443
Encrypted UDP tunnels
Opportunistic Bluetooth mesh relays

4.2 Traffic Signatures

Packet inspection revealed:

Non‑standard cipher suites
Repeated session renegotiation
Metadata‑heavy, low‑content payloads

5. MEDIA ACQUISITION & COERCIVE USE

5.1 Digital Asset Handling

The network prioritizes acquisition of sensitive media to apply leverage.

Technical indicators:

Automated cloud scraping
Account token replay
Metadata stripping and re‑encoding

Processing pipeline:

Acquisition
Sanitization
Selective editing
Encrypted distribution

6. FORENSIC EVIDENCE SNAPSHOT

6.1 Log Artifacts

Forced network reselection timestamps
Authentication failures followed by downgrade success
Repeated silent SMS delivery confirmations

6.2 Hardware Evidence

FPGA‑based radio modules
Reflashed SDR units
Battery‑powered portable BTS equipment

7. DETECTION & COUNTER‑SIGINT MEASURES

7.1 Detection

Continuous RF spectrum monitoring
Cell ID consistency validation
Subscriber anomaly clustering

7.2 Mitigation

Enforce LTE/5G‑only modes where possible
Disable legacy GSM support
Deploy baseband integrity checks
Harden inter‑carrier signaling firewalls

8. ASSESSMENT

The technical sophistication observed indicates:

Experienced operators
Access to specialized hardware
Knowledge of telecom standards and legacy weaknesses

The threat is persistent, mobile, and difficult to attribute, aligning with advanced criminal or hybrid‑warfare cyber actors.