The problem, as I see it, is that telcos have simply way too many silos and technologies in use to even begin to understand their entire attack surface. I don’t think the Lawful Intercept functions on the devices that are likely compromised are even capable of sending logs to a SIEM. It’s a black box that only a small subset of people at the telco work with and law enforcement has essentially automated access to it once a warrant (or warrantless) wiretap commences.

What if the bespoke hack the CSO is describing is something like backward serialization of a circuit emulation method or some other tunneling technology leveraging a legacy protocol? There’s all kinds of crazy shit in telco networks with lots of capabilities, lots of which go unused. The folks securing those networks do not understand the devices and protocols well enough to ask the right questions, probe the right directions, get the right people to do the right things…

Combine all that with what’s typically an adversarial relationship between security teams and the people building and operating the network and you get a nice shit soufflé waiting to be eaten by APTs.

It was reported long ago that foreign adversaries had compromised telco and financial networks so deeply that they would likely never be eradicated. I don’t think the situation has improved much.

So far…