Danish cybersecurity agency releases threat assessment warning of increased state-sponsored cyber espionage activities targeting the telecom sector in Europe
In what is technically the first public warning by a European government agency, the Danish Agency for Society Security or Styrelsen for Samfundssikkerhed (SAMSIK) has raised the threat of cyber espionage against the Danish telecoms sector from “medium” to “high” in its latest report. This is due to increased activity from state-sponsored hacker groups against the European telecoms sector. Since the agency’s last cyber threat assessment for the telecoms sector, the threat picture for the telecoms sector has become more serious. As a result, telecoms and ISPs in Denmark must also be aware of attempted cyber attacks from foreign states, according to the agency.
In addition, it said the threat was raised for destructive cyber attacks against Denmark to “medium” in June 2024 and for cyber activism to “high” in January 2023. Both threat levels levels also apply to the telecoms sector. The threat from cybercrime to the telecoms sector also remains “very high”, including from ransomware attacks.
In the past, cyber espionage has mainly targeted telecoms providers in Asia and the Middle East, but now it is also increasingly targeting telecoms providers in Europe. The report highlights China, Russia and Iran as foreign states that “continuously use their cyber capabilities to carry out cyber espionage against the telecoms sector worldwide”. This is mainly because through cyber espionage against telecoms and internet service providers, they can gain access to large amounts of data about customers’ use of the provider’s infrastructure, including call data, internet traffic, customer data and location data.
The report says states are interested in this type of data because it can be used to monitor the communication and travel activities of individuals or groups of people. For example, China continuously attempts to monitor the Chinese diaspora in general and dissidents in particular, including minorities such as Uyghurs and Tibetans.
In addition, states can use stolen customer data from the telecoms sector to launch further espionage against customers they find interesting. This could be, for example, technical interception of telephone numbers belonging to politicians or dissidents abroad that the state may have an interest in following and spying on.
In addition to gaining access to telecoms and ISP customer data, foreign states can also use cyber espionage against the telecoms sector to prepare for destructive cyber attacks or physical sabotage. For example, SAMSIK estimated that some of the cyber espionage by Russian state hackers against critical infrastructure in Denmark is aimed at preparing destructive cyber attacks.
Intellectual property
The agency points out that the Danish telecom sector can also become attractive espionage targets for states if they develop or use modern technology or if they have knowledge and intellectual property that are attractive economically or technologically. SAMSIK pointed to January 2024, when US authorities indicted seven Chinese citizens on charges including economically motivated cyber espionage against US targets on behalf of the Chinese intelligence service, the Ministry of State Security. According to the indictment the espionage was aimed at targets in the telecoms sector, including a leading supplier of 5G network equipment.
SAMSIK said it believes that the use of telecommunications and network equipment and operational services from countries with which Denmark does not have security cooperation may pose a greater security risk than the use of equipment from countries with which Denmark cooperates. This is partly due to the fact that some states have the option of ordering companies to assist the country’s intelligence services – the agency cites China as an example here.
Destructive attacks
The agency noted Russia has long had the capacity to carry out destructive cyberattacks against Denmark. However, since the beginning of 2024, Russia has shown a greater willingness to take risks in using hybrid means with destructive effects against European NATO countries. SAMSIK believes that this increased risk appetite also includes the use of destructive cyber attacks.
It goes on to say Russian tools for doing so cover methods and capabilities of a political, informational, military and economic nature and, in addition to cyber attacks, also include the ability to jam radio signals and sabotage critical infrastructure. “In general, Russia uses hybrid means more systematically, extensively and aggressively than any other country in the world,” it warns.
