Commentary about the exercises from the Russian Telegram channel ЗаТелеком (Following Telecom) [1]. Found through a link on Meduza.io

Google Translate with some manual editing for clarity by me.

1: https://t.me/zatelecom

# 1: https://t.me/zatelecom/13046

"I got and decoded some materials from today's meeting of the Ministry of Digital Affairs on the exercises. Something tells me either a closed regime or a not-closed regime will be announced, but we won't be able to get access either way. So, feed on some rumors. Let it be rumors from me. My additions, probably mocking, will always follow after [sunglasses]. Based on what I heard and the slides, I can draw two additional conclusions:

the Internet is impossible to understand and nobody understands what needs testing;

THEY'RE CONFUSING the law "on sustainable Runet" and the law "on critical objects of information infrastructure". These are different laws, each living in its own sandbox; this confusion has been going on since the very beginning of the draft law "on a stable Runet".

Some slides (for some reason labeled Positive Technologies):

⏰ On December 16 and 17, exercise scenarios were worked out to ensure the stability and integrity of mobile radiotelephone communications for the SS7 and Diameter protocols.

All four federal mobile operators participated in the exercises. As part of the exercises, 18 attack scenarios were worked out for each operator: 12 through 2G/3G SS7 signaling networks and 6 through Diameter signaling networks.

The attacker was able to successfully carry out 62.5% of attacks through SS7 and 50% through Diameter.
The average attack detection time was about 2-3 minutes.

During the exercise, all scenarios were completed in full. Testing the scenarios for each operator took about 6 hours. On average, working out one scenario took about 20 minutes. [sunglasses] About 800 grams of popcorn per curator were eaten. 24 liters of coffee were drunk. 46.5 kg of cookies were consumed.

LEARNING RECOMMENDATIONS

To increase the effectiveness of warning about, detecting and blocking attacks through signaling networks on the telecom operator's side, it is necessary to provide:

1️⃣ Attack detection tools for the SS7 and Diameter signaling networks, which will allow timely detection of attacks on individual mobile subscribers and on the operator's infrastructure

2️⃣ Telecommunication equipment settings that prohibit signaling messages that are not used to establish communications between operators but can be used to conduct attacks on telecom operators' networks

3️⃣ Procedures and security tools that allow quick blocking of attacks through signaling networks

4️⃣ Periodic external signaling network security audits

5️⃣ Leave the market if points 1-4 were as unexpected for the operator as for the representatives of the Ministry of Digital

CONCLUSIONS ON THE RESULTS OF THE EXERCISES

In the Russian Federation, it is necessary to create a regulatory framework and a unified system for collecting and analytically processing information about attacks through signaling networks on the infrastructure and subscribers of mobile telecom operators, as well as connecting it to the State SOPKA [2/3 slide picture from 4 positions OPERATORS -> UNIFIED SYSTEM -> GASOPOK]

[sunglasses] Also in the Russian Federation, it is necessary to create a regulatory framework and a unified system for collecting and analytically processing information about attacks on WordPress and PHPNuke, as well as connecting it to GosSOPKA

[sunglasses] Also in the Russian Federation, it is necessary to create a regulatory framework and a unified system for collecting and analytically processing information about attacks on active switches, as well as connecting it to the State SOPKA

[sunglasses] Also in the Russian Federation, it is necessary to create a regulatory framework and a unified system for collecting and analytically processing information about viruses sent to e-mail boxes, as well as connecting it to GosSOPKA"

# 2: https://t.me/zatelecom/13053

"About yesterday's "exercises." Again. Well, because in the morning the calls started again and the cart was breaking. Let me write it here once, so I don't have to get up six times.

1. These were no "exercises." The circus that Sokolov arranged in the Ministry of Socks [Ministry of Digital Development, Communications and Mass Media of the Russian Federation ~Editor] is at most an "interagency meeting." Any military man will tell you that "Exercises are combat training activities, where the troops solve tasks on the ground in conditions that are closest to combat; large-scale comprehensive training operations."

And in the ministry they held a MEETING. That's all.

2. Hysterical squirrels rush about the Internet with stories that "everything broke!!! aaaa!!!". Say hello to them.
In fact, of course, the two dozen morons sitting in the office could not break anything. First of all, who would let them, the morons, onto real networks?

3. The proof that all those who gathered for the "exercises" are first-class morons was that when they were talking nonsense about the "18 attack scenarios", nobody laughed. Everyone sat with serious faces and nodded their heads.

I'll explain: "attacks through the SS-7 protocol" is about telephony. Not about the Internet. SS-7 (aka OKS-7) is, roughly speaking, the protocol by which signaling data for dialing is transmitted. The fact that we have not heard for a hundred thousand years that someone "broke the phone number" tells us that the telephone operators are working and the holes (yes, there were holes) were closed. Well, the figure of 62.5% of successful attacks, firstly, tells us that in two-thirds of the calls we could not get through, and secondly, how, tell me, from 12 attacks could the figure be 62.5%? Is this a successful attack in 7.5 cases out of 12?

Further, the Diameter protocol is likewise not related to the Internet. Google what Diameter is already. Hint: this is a service authorization-authentication-accounting protocol that is used in IMS networks. This applies to mobile communications and IP telephony. To IP telephony, in short. But not to the Internet. Well, half of the successful attacks tell us that these numbers were obtained "at a training ground", which was set up by bungling dumbasses, or simply thought up.

4. I want to remind you that there is no "sovereign Runet". It was not built. And the forecast for the "construction" of this crap is 5 years, minimum. Look: for the first year they will only work on a sub-law and write a technical assignment. Then for two more years they will work out the engineering solution. Which will become obsolete exactly at the beginning of implementation. And then they will implement it for another three years; Rostelecom alone has seven macro-regions and 79 branches. Just to bring equipment to everyone is already an impossible task for the assholes from the offices. And the equipment also needs installation, commissioning, acceptance, testing, signing of acts... Well, trust me, RTK can delay projects for decades... I can say exactly the same thing about other "very large operators". And it didn't get into a fucking little thing - imagine a box designed by the morons from the offices.

Therefore, I repeat, any failures on the networks can be justified by anything, but not by "sovereign Runet".

Enough hysteria!"
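As an added illustration of points 1-3 of the slide recommendations quoted in the first post (detection, equipment settings that reject signaling messages with no legitimate interconnect use, and quick blocking), here is a minimal interconnect signaling filter run over constructed log lines. This is example code, not from the Telegram channel, Positive Technologies or the exercise itself; the message categories are a simplified sketch of the GSMA FS.11 interconnect-filtering idea, and the log format, PLMN ids and IMSIs are invented. It assumes 2-digit MNCs when deriving a subscriber's home network from the IMSI.

```python
from collections import defaultdict

# Constructed, simplified categories (not a complete GSMA FS.11 list): messages that
# should never arrive over an interconnect, and messages legitimate only from home.
NEVER_FROM_INTERCONNECT = {"SS7": {"anyTimeInterrogation", "sendIMSI"},
                           "Diameter": {"Reset"}}
HOME_NETWORK_ONLY = {"SS7": {"provideSubscriberInfo", "cancelLocation"},
                     "Diameter": {"Cancel-Location", "Insert-Subscriber-Data"}}

def parse(line):
    """Constructed log format: '<ts> proto=<p> src_plmn=<mccmnc> msg=<m> imsi=<i>'."""
    _ts, *fields = line.split()
    return dict(f.split("=", 1) for f in fields)

def home_plmn(imsi):
    """MCC+MNC of an IMSI; assumes a 2-digit MNC (3-digit MNCs need a lookup table)."""
    return imsi[:5]

def evaluate(line):
    """Apply the interconnect filter to one line: returns (proto, verdict, reason)."""
    r = parse(line)
    proto, src, msg, imsi = r["proto"], r["src_plmn"], r["msg"], r["imsi"]
    if msg in NEVER_FROM_INTERCONNECT[proto]:
        return proto, "block", f"{msg} must not cross the interconnect"
    if msg in HOME_NETWORK_ONLY[proto] and src != home_plmn(imsi):
        return proto, "block", f"{msg} for a {home_plmn(imsi)} subscriber sent by {src}"
    return proto, "allow", "no filter rule matched"

def summarize(lines):
    """Per-protocol (blocked, total) counts, the shape of figure the slides report."""
    stats = defaultdict(lambda: [0, 0])
    for line in lines:
        proto, verdict, _ = evaluate(line)
        stats[proto][1] += 1
        stats[proto][0] += verdict == "block"
    return {p: tuple(c) for p, c in stats.items()}

# Constructed sample traffic: MCC 999 and the PLMN ids are invented for this example.
SAMPLE_LOG = """\
2019-12-16T10:00:01Z proto=SS7 src_plmn=99901 msg=updateLocation imsi=999020000000001
2019-12-16T10:00:02Z proto=SS7 src_plmn=99901 msg=anyTimeInterrogation imsi=999020000000001
2019-12-16T10:00:03Z proto=SS7 src_plmn=99902 msg=provideSubscriberInfo imsi=999020000000001
2019-12-16T10:00:04Z proto=SS7 src_plmn=99903 msg=provideSubscriberInfo imsi=999020000000001
2019-12-16T10:00:05Z proto=Diameter src_plmn=99903 msg=Cancel-Location imsi=999020000000002
2019-12-16T10:00:06Z proto=Diameter src_plmn=99901 msg=Update-Location imsi=999020000000002
""".splitlines()

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))  # {'SS7': (2, 4), 'Diameter': (1, 2)}
```

Line 3 is allowed because the sender is the subscriber's own home network, while line 4 carries the same message from a third network and is blocked; a real signaling firewall would add plausibility checks on the remaining allowed messages (velocity, known roaming partners) on top of these two rules.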