Secret Service faces backlash over SIM farm bust as experts challenge threat claims
China's UNC5221 infiltrated software devs and law firms in Brickstorm campaign, UK eyes bailing out JLR as cyberattack shutdown goes on, Co-op pegs cost of attack at $277m, Interpol blocked 68K bank accounts after scam probe, CISA issues Shai-Hulud warning, Rhysida claims MTA attack, much more


As a reminder, on Tuesdays and Thursdays, the bulk of our daily newsletter is available exclusively to paid subscribers.
Please consider upgrading your subscription so that you can enjoy Metacurity's original analysis and unparalleled cybersecurity news round-ups free of pesky firewalls. Plus, you will gain unfettered access to our archives and earn my undying appreciation for helping to keep Metacurity going. Thank you!
Want to bundle your premium subscription with a Metacurity sponsorship option? Gain exposure for your announcement, product, whitepaper, or event, and we'll toss in a paid subscription at no cost. Find out more about how you can reach an elite audience of cyber decision-makers.
Early in the morning on September 23, the US Secret Service (USSS) announced it had “dismantled a network of electronic devices located throughout the New York tristate area” that “were used to conduct multiple telecommunications-related threats directed towards senior US government officials, which represented an imminent threat to the agency’s protective operations.”
The USSS said it had found more than 300 co-located SIM servers and 100,000 SIM cards across multiple sites within 35 miles of the United Nations General Assembly meeting in New York City. Matt McCool, the special agent in charge of the New York Field Office, said that even though the USSS had been investigating the setup since the spring, “the timing, location, and potential for significant disruption to New York telecommunications” forced the agency to disrupt the network quickly.
“This network had the potential to disable cellphone towers and essentially shut down the cellular network,” McCool said. In its announcement, the agency said the cluster of equipment it found could have disabled cell phone towers across New York, New Jersey, and Connecticut, enabling denial-of-service attacks and facilitating anonymous, encrypted communication among potential threat actors and criminal enterprises.
The USSS also raised the specter of a nation-state threat actor using the technology, saying in its press release that “early analysis indicates cellular communications between nation-state threat actors and individuals that are known to federal law enforcement.” Some press reports repeated the notion that nation-state adversaries could have been behind the setup.
Adding to the urgency was the apparent fact that the facility came onto the Secret Service’s radar screen after the gear was exploited in swatting attacks that targeted US members of Congress.
However, within hours of the announcement, the story told by the USSS unraveled as experts cast doubt on the nature of what the agency found.
On Y Combinator’s Hacker News, posters began characterizing the setup as merely a SIM farm, akin to many others deployed by scammers throughout the world to defraud the public with phishing texts and emails. They accused the Secret Service of significantly overstating what it found.
One poster named wildzzz wrote:
Oh lol, this is a scam site. Yes, there are potential other uses for a sim box but mostly they are used for VoIP purposes. It's honestly so hard reading quotes from the US government these days. Cartels, drugs, guns. They make it sound like they interrupted the staging of an assault on the UN when the article actually says that the locations were within 35 miles of the UN headquarters in NYC. This is a significant distance as it covers beyond the 5 boroughs, it's the "tri state area". Like 20M people live in that circle. I highly doubt this is for anything other than VoIP scams.
Another poster, kotaKat, wrote:
Yup. This is literally just a cellular grey route site for some shitty VoIP provider, just like the SIM box SMS scams go marching on in other countries. Some operator is shitting their pants right now, probably.
The SIM cards come from cheap MVNOs that have dealer arrangements for cheap or free first month activations, then they just set up a handful of SIM boxes and a residential Internet connection back to the mothership (like they did at the captured house with the white Verizon 5G Home router just casually sitting on the floor next to the units).
Similarly, I’ve had some friends on US MVNOs themselves that have access to “free” international calling, yet every time they call (the same) international number the receiving party gets a wildly different caller ID from a wildly different country each time (Poland, Moldova, etc). Also dodgy SIM boxes!
As the day wore on, security professional TProphet, who writes the Telecom Informer column for the highly regarded security publication 2600, posted a thread on Bluesky saying that “there is nothing about this infrastructure that would be hugely disruptive or damaging to mobile phone networks in New York. This is a densely populated area with thousands of cell sites.”