Criminal groups have been sending threatening messages in the past couple of months to companies that manage broadband phone services all over the world, promising they’ll flood the digital phone lines with traffic and take them offline unless the targets pay a ransom.
What those extortionists have discovered is that the number of phone calls that take place at least partially over the internet has quietly and dramatically increased in recent years — and there’s a lot at stake when major providers go down.
Like landline providers, companies that manage digital phone calls, also known as Voice over Internet Protocol (VoIP) services, are required to transmit audio in real time, facilitating personal, business and even emergency calls.
It’s probably a bigger part of our lives than many people realize. It’s much cheaper and often more accessible and scalable, a staple of working from home during the coronavirus pandemic. Small companies and people living overseas might have been using purely digital phone lines for years to reach customers, friends and family abroad. Large carriers and telecommunication companies often use VoIP to handle calls or connections between providers, while smaller carriers are routing tens of thousands of simultaneous calls over the internet. Call center companies handle over 1 million digital calls a day.
But if those companies that manage digital phone lines come under attack by a tsunami of fake callers, the behind-the-scenes mechanisms for beaming voices online begins to crumble fairly quickly.
“The challenge is that when you put all of the phone system on the internet, it exposes it to all of the other things that can go wrong on the internet,” says Matthew Prince, CEO and co-founder of Cloudflare, a company that provides protection against the kinds of attacks currently hitting internet phone providers.
Prince and other security providers who focus on digital communications started noticing an uptick in attacks on VoIP services this fall. Specialists on forums for network operators started posting about the attacks, discussing what to do.
“In layman’s terms, people are freaking out,” says Fred Posner, a VoIP security specialist.
While providers’ themselves are mostly keeping quiet about these attacks, issuing terse email updates and sometimes social media posts to inform their customers about repeated outages, the security experts working with them are noticing a collective shift in mindset. Several of the experts interviewed by NPR agreed that the digital telecommunications industry was unprepared for this latest onslaught and has been forced to rethink their defensive strategy in a hurry. It’s not just the big banks or major corporations in the sights of criminal hackers — it’s everyone and anyone who can and will pay to get their businesses back online.
“I think the point that we’re at right now is what we see is that there’s a sort of huge spectrum in terms of preparedness: from organizations that don’t know about the problem and are prepared, to organizations that know about the problem but aren’t able to invest or are willing to invest because they don’t think it relates to them,” says Jen Ellis, vice president of community and public affairs for cybersecurity firm Rapid7 and who also served on the Ransomware Task Force, a public-private sector collaboration.
That collective panic kicked off when the digital communications provider Bandwidth.com got hit by a digital extortion campaign in late September, Posner says. Previous attacks had targeted smaller providers, but Bandwidth became the biggest company to suffer a DDoS, or “distributed denial of service,” attack. While companies like Bandwidth expect a certain amount of legitimate traffic from users trying to make calls and send text messages, a DDoS attack involves bad actors directing a gargantuan number of illegitimate digital requests to its servers, overwhelming their ability to respond.
“I spent my career building big chunks of internet infrastructure, and I’m here to tell you that the internet really is just a series of tubes and those tubes have a certain amount of capacity,” says Prince of Cloudflare.
The criminals involved in these recent VoIP attacks are financially motivated. But unlike when major companies like Colonial Pipeline were hacked and held ransom, these attackers don’t actually have to hack into their targets to hold their services hostage. Merely weaponizing digital traffic is enough to at least temporarily disrupt a company’s ability to operate.
According to Allan Liska, an intelligence analyst at threat intelligence firm Recorded Future, this method of combining ransom threats with DDoS attacks, has been around since at least 2019. Back then, the extortionists often didn’t follow through on their threats to pummel victims with illegitimate traffic, because it was tough to reach the volume of signals required. “They weren’t actually backed up,” he says. But in recent months, some of these criminals have realized it doesn’t actually take that much traffic to disrupt the specialized protocols involved in transmitting audio in real time.
The internet wasn’t initially designed to be a conduit for real-time voice, text and video communication, according to the security experts. That’s because, in order to have a seamless conversation, each bit of audio has to arrive at exactly the right time or the conversation won’t make sense — whereas a website’s contents can load in any order. When you speak into the receiver to make a digital call, the audio is translated into tiny packets of digital information and then transformed back on the receiver.
Sandro Gauci, a security expert who helps communications companies patch flaws in their systems, says a digital call requires approximately one packet of data to be sent around every 20 milliseconds for a phone call to function properly.
“As soon as you have a little bit of downtime, the system stops working right … and since it’s meant to be real time, this is a huge problem,” Gauci says. “Our clients, if they are service providers, they are really concerned about denial of service because it makes them lose money every second their system is down.”
That’s exactly what the attackers have figured out how to do.
“It’s continuing to escalate,” says Liska. “And you know, one of the things about cybercriminals is they’re copycats. If you see something that works very quickly, other groups are going to copy it.”
Based on interviews with experts responding to these attacks, as well as a ransom note provided to NPR, attackers have falsely claimed to be part of well-known hacking groups such as Russia’s Fancy Bear, which security firms had connected to 2016 U.S. election interference activities, and REvil, a now infamous criminal ransomware group. Liska notes this is a popular tactic to convince victims that their tormentors are legitimate and make them more likely to pay.
“They are adopting names of well-known threat groups in the hopes of inspiring more fear,” he says.
While providers have not shared information about whether they have considered paying ransoms to the attackers, many have had at least temporary success recovering from the attacks. But that doesn’t mean the disruptions haven’t had real impacts already.
Chet Wisniewski, principal research scientist at the security firm Sophos, moved to Vancouver, Canada, years ago and decided to switch to using VoIP full time in order to connect with friends and family in a more affordable way. Over the past couple weeks, he has seen an error screen on his handset, sometimes for hours at a time.
“Like everyone else, you know, we all rely on our mobile phones,” Wisniewski says. “And I can’t imagine the disruption, you know, to a business that relies on this service if their phones are unreliable for their sales teams and tech support and things like that. It’d be a real disaster.”
The worst impact of a major telecommunications disruption would be the inability to call emergency services. Security experts tell NPR that at least some of the disruptions to major broadband providers have had a limited impact on 911 calls. The communications sector is listed by the Department of Homeland Security’s cyberagency, CISA, as a part of critical infrastructure because it serves an “enabling function” to connect businesses, individuals, emergency services and governments, particularly in a crisis.
“Gosh, if there were going to be a kinetic war with an adversary — Russia, North Korea, Iran, whatever — look how fragile this is that some probably teenage kids with a botnet are able to take out major communication providers and demand ransoms from them,” Wisniewski says. “What if it was a sophisticated, well-equipped adversary like a nation-state could wipe out our communication in minutes?”
The FBI was given the authority in recent years to disrupt botnets, which are essentially zombie armies of compromised devices that attackers use to flood their victims with traffic. It’s possible those kinds of authorities would be helpful in going after these criminal groups. Reportedly, AT&T announced it has “taken steps to mitigate” a botnet that targeted thousands of VoIP servers within its network, though it’s unclear whether that botnet was designed to launch denial of service attacks or for another purpose.
However, finding the extortionists is a real challenge. Most of the criminal groups demanding ransoms from broadband providers want payment in the digital currency Bitcoin to help cloak their identities.
Posner, the VoIP expert, says he’s been thinking a lot over the past month about what needs to be done to defend the communications sector.
“First of all, clearly there needs to be some law enforcement,” he says. “These attacks are clearly violating existing laws, and there are few, if any, arrests or repercussions from these attacks. So it would be great if there could be some dedicated resources to help protect our infrastructure.”
On the other side, companies are going to have to come up with a response plan. “From my end, it seems that more preparation is necessary,” says Gauci, the security expert.
“More testing security testing is important,” he says, “because you want to know where you stand and if your security protection mechanisms are actually working and if they are introducing new problems for you or not, and how you are able to recover.”