Zimbabwe and regional technology news and updates

Nyaradzo logo

Latest on SIM card hack: NetOne and other MNOs weren’t under surveillance

SIM cards
SIM cards
image credit:

Yesterday we talked about the cyber-security attack on Gemalto, the security company and tech contractor that provides SIM cards to the majority of mobile network operators in the world, including local networks like NetOne.

Gemalto released a press statement today, sharing the results of its own investigation into the matter.

According to the security firm’s investigations, there is room to believe that the attacks referenced in the Snowden leaks occurred because of intrusions that Gemalto observed on its networks in 2010 and 2011.

The biggest relief for mobile networks like NetOne is that according to Gemalto, the security breach only extended to its office networks and couldn’t have resulted in the theft of a massive number of encryption keys.

The attacks were specific and targeted at mobile network operators in Afghanistan, Yemen, India, Serbia, Iran, Iceland, Somalia, Pakistan and Tajikistan.

Interestingly, Gemalto has stated that in the case of a key theft having occurred, America’s NSA and the UK’s GCHQ would only be able to spy on communications on 2G mobile networks. 3G and 4G networks are not vulnerable to this type of attack.

In terms of risks associated network security that would mean that Zimbabwean networks are exposed. The majority of our network infrastructure is still 2G and in the third quarter of 2014 the three mobile networks (NetOne, Econet and Telecel) actually increased the 2G imprint when they acquired a total of 75 new 2G base stations. 

Gemalto has stated that none of its other products (the company also deals in IDs, credit cards, and passports) were compromised and even referenced a secure transfer system that had been put up by 2010 to guard against the sort of breach that was outlined in the document that opened up the whole story.

Part of the statement from Gemalto is available below. You can get the full version from the Gemalto website.

As a digital security company, people try to hack Gemalto on a regular basis. These intrusion attempts are more or less sophisticated and we are used to dealing with them. Most are not successful while only a few penetrate the outer level of our highly secure network architecture.
If we look back at the period covered by the documents from the NSA and GCHQ, we can confirm that we experienced many attacks. In particular, in 2010 and 2011, we detected two particularly sophisticated intrusions which could be related to the operation. In June 2010, we noticed suspicious activity in one of our French sites where a third party was trying to spy on the office network. By office network we mean the one used by employees to communicate with each other and the outside world. Action was immediately taken to counter the threat.

In July 2010, a second incident was identified by our Security Team. This involved fake emails sent to one of our mobile operator customers spoofing legitimate Gemalto email addresses. The fake emails contained an attachment that could download malicious code. We immediately informed the customer and also notified the relevant authorities both of the incident itself and the type of malware used. During the same period, we also detected several attempts to access the PCs of Gemalto employees who had regular contact with customers.

At the time we were unable to identify the perpetrators but we now think that they could be related to the NSA and GCHQ operation. These intrusions only affected the outer parts of our networks – our office networks – which are in contact with the outside world. The SIM encryption keys and other customer data in general, are not stored on these networks. It is important to understand that our network architecture is designed like a cross between an onion and an orange; it has multiple layers and segments which help to cluster and isolate data.

While the intrusions described above were serious, sophisticated attacks, nothing was detected in other parts of our network. No breaches were found in the infrastructure running our SIM activity or in other parts of the secure network which manage our other products such as banking cards, ID cards or electronic passports. Each of these networks is isolated from one another and they are not connected to external networks.