Situation
A UK-based national mobile network operator serving millions of subscribers relied on a complex mix of 2G, 3G, and 4G infrastructure to deliver nationwide voice, SMS, data, roaming, and IoT services. While newer 5G deployments were underway, a significant portion of critical services - including fallback voice, signalling, roaming interconnects, and machine-to-machine connectivity still depended on legacy network technologies.
These legacy environments included:
- SS7/Diameter signalling networks
- Circuit-switched core components
- Legacy VPN and remote-access mechanisms
- Vendor equipment with long lifecycle support windows
Over time, security controls have evolved unevenly across technologies and vendors, creating visibility gaps and inconsistent protection levels.
Recognising the increasing global threat activity in telecommunications, the operator quickly wanted to assess risk exposure across its legacy mobile environment.
At a glance
Organisation: UK mobile network operator
Sector: Telecommunications
Situation: A major mobile operator relied on mixed 2G/3G/4G legacy infrastructure to support critical nationwide
services
Challenges: Legacy signalling, access, and visibility weaknesses increased risks of fraud, interception, disruption, and
systemic compromise.
Solution: NCC Group delivered telecom-specific legacy security testing, access model reviews, threat-led assessments, and monitoring evaluations.
Results: The mobile operator had greater cyber risk visibility, reduced high-risk exposures, strengthened segmentation, authentication, monitoring, and overall resilience.
Challenge
Legacy telecommunications networks present a fundamentally different risk profile compared to IT environments.
Key risk factors identified:
Area
2G/3G signalling
Interconnect & roaming
Legacy protocols
Operational access
Long-lived infrastructure
Visibility gaps
Risk
SS7 weaknesses enabling interception, tracking, fraud
Exposure to untrusted external networks
Lack of encryption or authentication by design
Vendor and engineer remote access pathways
Systems not designed for modern threat models
Limited logging and security monitoring
During initial conversations with NCC Group’s specialist telecommunications security team, we identified concerns including:
- Potential signalling abuse leading to subscriber tracking or SMS interception
- Weak segmentation between legacy core and newer IP environments
- Historic access paths that no longer met modern security standards
- Risk of a targeted attack disrupting national mobile services
A compromise of legacy telecom systems could lead to:
- Nationwide service disruption
- Fraud at scale (SMS, roaming, voice)
- Subscriber privacy breaches
- Regulatory penalties and reputational impact
The operator decided to partner with us to deliver a telecom-specific security assessment – this is something that goes above and beyond a traditional IT penetration test.
Solution
Our telecommunications cyber security team delivered a structured ‘Legacy Network Security Testing Programme’ across 2G, 3G and 4G domains.
1. Legacy Network Security Assessment
Focused testing of:
- SS7 and Diameter signalling exposure
- Interconnect and roaming interfaces
- Core network trust boundaries
- Legacy service platforms and gateways
This identified protocol-level weaknesses, misconfigurations, and exposure paths that could be abused by telecom-aware threat actors.
2. Access & Trust Model Review
Assessment of:
- Remote access into legacy core environments
- Vendor and support connectivity
- Privilege and authentication controls
- Segmentation between operational and corporate domains
This reduced the risk of an attacker pivoting from IT into telecom infrastructure — a growing global attack pattern.
3. Threat-Led Testing of Legacy Components
Using telecom-specific adversary techniques, NCC Group’s team evaluated the potential for:
- Signalling misuse
- Service disruption scenarios
- Abuse of legacy control-plane functions
- Fraud enablement vectors
This sector specific approach reflected how real telecom attackers operate — not simply the most prevalent or generic threats affecting all organisations.
4. Monitoring & Detection Capability Review
Legacy networks often lack modern detection tooling. The programme assessed:
- Logging coverage in 2G/3G/4G elements
- Ability to detect signalling abuse
- Incident response readiness for telecom-layer attacks
Gaps were identified and prioritised for remediation.
Results
Our team helped the operator, for the first time, to achieve a clear, risk-based understanding of its legacy telecom exposure.
Key outcomes:
- Identification of high-risk signalling and interconnect weaknesses
- Reduction of legacy access pathways that could enable lateral movement
- Improved segmentation between corporate IT and mobile core networks
- Strengthened authentication and encryption across critical interfaces
- Enhanced monitoring visibility in previously opaque areas
Most importantly, the operator reduced the likelihood of a catastrophic telecom-layer compromise, such as:
- Large-scale service outage
- Mass subscriber privacy breach
- Signalling-driven fraud incidents
“Legacy networks remain fundamental to how many international mobile operators deliver their services,. They weren’t designed for the threat landscape of today.
Through our targeted, telecom -specific legacy security testing, we’re helping the operator move from reactive security to a preventative, risk -led approach. Our client is reducing their systemic exposure across 2G, 3G and 4G, strengthening the resilience of their national mobile services, and they’re significantly improving readiness to detect and respond to cyber attacks.”
Philip Marsden | Telecommunications Security Consultant - NCC Group
NCC Group’s Telco Attack Testing Tool
Identify your exposure, understand real attack paths, and reduce the risk of service disruption, fraud, and large-scale privacy breaches.