Communications Infrastructure

Critical gap analysis: 23 Tier-1, 31 Tier-2, 8 Tier-3 findings | 14 visualization recommendations

Mobile Connections: 1.2B
Submarine Cables: 17
APT41 Exposed: 520M
VSAT Terminals: 2M+
Huawei/ZTE Unresolved: CRITICAL
Mumbai Cable Risk: 85%
5G Connections: 400M+
Satphone Terminals: 50-100K

PART A: Telecom Vendor Exposure

Telecom Vendor Exposure by Circle

Mumbai: 40%
Delhi NCR: 50%
Kolkata: 60%
Chennai: 35%
Andhra Pradesh: 70%
Karnataka: 55%
Maharashtra: 80%
Gujarat: 55%
Tamil Nadu: 45%
Rajasthan: 70%
UP East: 85%
UP West: 75%
Bihar: 95%
Madhya Pradesh: 85%
Punjab: 35%
Haryana: 45%
Kerala: 25%
Odisha: 80%
Assam: 90%
Jammu & Kashmir: 60%
Himachal Pradesh: 50%
Northeast: 105%
Legend: Critical (50%+), High (35-49%), Medium (20-34%), Low (<20%)

Threat Actor Comparison

APT41 Campaign Timeline (2016-2026)

BSNL Breach (2016-19): 200M Subscribers Exposed
Airtel Breach (2021): 320M Subscribers Exposed
Smishing Campaign: 100M+ SMS Phishing Targets

Subscriber Exposure by Operator

BSNL (APT41): 200M (CRITICAL)
Airtel (APT41): 320M (CRITICAL)
Vi (ZTE Risk): 50M (HIGH)
Jio (5G Vuln): 100M (MEDIUM)
Others: 30M (LOW)

5G Security: Improvements vs Residual Risk

[Chart legend: Increase, Decrease, Total]
CRITICAL: Despite 5G security improvements, legacy protocol compatibility (SS7/Diameter), NFV hypervisor vulnerabilities, and GUTI identifier reuse result in significant residual risk.

PART B: Submarine Cable & Internet Backbone

India Submarine Cable Architecture

[Diagram labels: 12.8 Tbps, 24 Tbps, 40 Tbps, 10 Tbps, 5 Tbps, DOMESTIC, DOMESTIC, BACKBONE, MUMBAI CLS, CHENNAI CLS, SEA-ME-WE 4, SEA-ME-WE 5, AAE-1, IEX, FLAG, TATA COMM, RELIANCE, BHARATNET]
Legend: Primary, Secondary, External
Total Cable Systems: 17
Mumbai Concentration: 8
Risk Score: 85%

Mumbai CLS Attack Cascade

💥 MUMBAI CLS ATTACK
🔌 CABLE DISRUPTION
  • SEA-ME-WE 4 Down
  • SEA-ME-WE 5 Down
  • AAE-1 Down
  • IEX Down
🏠 DOMESTIC FAILURE
  • Mumbai IXP Failure
  • Banking Network
  • Cloud Services
CASCADE EFFECTS
  • SWIFT Disruption
  • AWS/Azure Outage
  • Emergency Comm
Legend: Primary Actor, Subsidiary, Individual

CDN Concentration (US Jurisdiction)

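Mumbai: Akamai 95, Cloudflare 80, AWS 90, Google 70, Azure 60
Delhi: Akamai 60, Cloudflare 85, AWS 85, Google 75, Azure 65
Bangalore: Akamai 55, Cloudflare 75, AWS 90, Google 80, Azure 70
Chennai: Akamai 50, Cloudflare 65, AWS 75, Google 60, Azure 55
Hyderabad: Akamai 45, Cloudflare 70, AWS 80, Google 65, Azure 60
Kolkata: Akamai 40, Cloudflare 55, AWS 65, Google 50, Azure 45
Scale: 0-100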
WARNING: All major CDNs (Akamai, Cloudflare, AWS, Google, Azure) are subject to US legal jurisdiction and potential decryption-at-edge orders.

Five Eyes Access Path

UK GCHQ Access
Tata Communications (UK-India) subject to UK IPA 2016 GCHQ access obligations. Legal interception authority with no Indian legal recourse.
US NSA UPSTREAM
Submarine cable consortiums subject to US FISA Section 702. All traffic through US-linked cable systems potentially accessible.
No Bilateral Protection
India has no bilateral security agreement with any FVEY member protecting Indian cable traffic from foreign intelligence collection.

PART C: 5G, Mobile Infrastructure & SIM Ecosystem

5G Architecture Attack Surface

[Diagram labels: NR, N3, HTTP, LEGACY, RAN, EDGE, 5G CORE, OSS/BSS, HUAWEI RAN, NOKIA AIRSCALE, SS7/DIAMETER, eSIM G+D/IDEMIA, SUPI GUTI REUSE, NFV HYPERVISOR]
Legend: Primary, Secondary, External

Security Incidents: Timeline x Scale x Severity

SIM Swap Fraud Density by Region

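Maharashtra: north 85, south 0, east 0, west 0, central 0
Delhi: north 0, south 0, east 0, west 90, central 0
Karnataka: north 0, south 95, east 0, west 0, central 0
Tamil Nadu: north 0, south 80, east 0, west 0, central 0
Gujarat: north 0, south 0, east 0, west 75, central 0
UP: north 0, south 0, east 70, west 0, central 65
West Bengal: north 0, south 0, east 60, west 0, central 0
Bihar: north 0, south 0, east 55, west 0, central 0
Rajasthan: north 50, south 0, east 0, west 0, central 0
Kerala: north 0, south 45, east 0, west 0, central 0
Scale: 0-100
Reported Cases (2022): 6,500+
Financial System Risk: HIGH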

eSIM Supply Chain Concentration

📱 eSIM PROVISIONING
💳 CHIP VENDORS
  • G+D (German)
  • IDEMIA (French)
  • THALES (French)
📡 INDIAN OPERATORS
  • Jio (G+D)
  • Airtel (IDEMIA)
  • Vi (Thales)
  • BSNL (G+D)
⚠️ VULNERABILITIES
  • GSMA RSP v2.2 Bootstrap
  • MITM Profile Download
  • eSIM Cloning Risk
Legend: Primary Actor, Subsidiary, Individual
CONCENTRATION RISK: All eSIM provisioning flows through foreign vendors (G+D Germany, IDEMIA/Thales France) with no disclosed security assessments. GSMA RSP vulnerability enables MITM attacks during profile initialization.

Critical 5G Vulnerabilities

GAP-06C-03 (CVE-2017-5638): The Airtel 2021 breach exploited an Apache Struts2 flaw whose patch was 4 years old. Structural vulnerability management failure.
GAP-06C-04 (JN 5G 23.2.1): Jio 5G authentication bypass enabling SIM cloning at scale. Post-breach patching incomplete.
GAP-06C-06 (SS7/Diameter): 5G backward compatibility preserves 2G/3G signaling vulnerabilities. SS7 attacks remain viable.
GAP-06C-07 (GUTI Reuse): 5G-GUTI temporary identifier reused across sessions, enabling long-term device tracking.
GAP-06C-09 (EOL Systems): OSS/BSS running Windows Server 2008 and Oracle 11g. End-of-life platforms with no security patches.

PART D: Satellite Communications

Satellite Attack Surface

🛰️ SATELLITE COMMS
📡 VSAT HUBS
  • BSNL Hub (Internet-Facing)
  • HCL Comnet
  • AT&T India
🏦 BANKING VSAT
  • IDRBT (12-15K branches)
  • Lazarus Target (2018-23)
🛡️ DEFENSE VSAT
  • PMA Non-Compliant ODU
  • DVB-RCS Protocol Vuln
📞 SATELLITE PHONES
  • Iridium (NSA Access)
  • Inmarsat (GCHQ Access)
  • Globalstar (NSA Access)
Legend: Primary Actor, Subsidiary, Individual
Active Satphone Terminals: 50-100K
VSAT Terminals: 2M+

GPS Dependency Cascade

[Diagram labels: 1PPS, SYNC, NTP, CIM, ATTACK, GPS CONSTELLATION, GPS TIMING, TELECOM SYNC, FINANCIAL, POWER GRID, DEFENSE C4I, BANKING/ATM, GPS SPOOFING]
Legend: Primary, Secondary, External
DEMONSTRATED: April 2025 GPS spoofing against Indian C-130J confirms electronic warfare capability. GPS-dependent timing for telecom synchronization and financial settlement represents cascading failure vector.

Foreign Control Risk Matrix

CAT-1: Confirmed SIGINT Access
CAT-2: SIGINT Obligation

ASAT Capability Development Timeline

PLASSF: SPACE/CYBER/EW, Unified Command
GPS Spoofing: DEMONSTRATED, April 2025 C-130J
GSAT: KINETIC IMMUNE, GEO Protected

Critical Findings Requiring Immediate Action

CRIT-01: APT41 Confirmed Access
200M BSNL + 320M Airtel subscribers compromised. No effective containment. Victim notification and remediation unresolved 5+ years later.
CRIT-02: Satphone Gateway Access
ALL satellite phone traffic (50-100K terminals) routed through NSA/GCHQ-accessible gateways. No mandatory usage restrictions.
CRIT-03: Mumbai CLS Concentration
8 submarine cables at single Mumbai location. Coordinated attack eliminates majority of international connectivity.
CRIT-04: Huawei/ZTE Policy Gap
No mandatory equipment removal timeline. Security concerns acknowledged but unaddressed since 2019-2020.
CRIT-06: SS7/Diameter Persistence
5G backward compatibility preserves 2G/3G vulnerabilities. SS7 attacks remain viable against 5G networks.
CRIT-07: VSAT Hub Exposure
VSAT hub network management systems connected to public internet. Lazarus Group demonstrated targeting of banking VSAT.

Critical Intelligence Gaps

Tier-1 (Immediate)
  • Jio 5G core security assessment
  • Huawei/ZTE operational extent
  • CERT-In Airtel breach findings
  • Mandatory removal policy status
  • Mumbai CLS failover plans
Tier-2 (Near-Term)
  • Vi 5G security posture
  • eSIM provisioning assessments
  • BSNL OFC backlog quantification
  • VSAT hub security assessments
  • RPKI deployment coverage
Tier-3 (Medium-Term)
  • Vi 200M data leak verification
  • BSNL APT41 forensic review
  • Satphone usage policy
  • Jio manufacturing verification
  • CDN edge node jurisdiction