A friend just pointed me to this fascinating article about an attack on the Greek Vodafone network. The article discusses an attack that installed a rootkit on an Ericsson cellular phone switch which was used to divert calls of high-ranking Greek officials to unknown numbers.
There are a number of interesting lessons in this article, notably in the area of how not to handle forensic investigations. The phone company, as we all know (or should know), is in the business of billing, not in providing any kind of services, and certainly not in forensic investigations. Therefore, they wiped logs to make room for billing info and would not take the systems offline for analysis. The result was that crucial forensic evidence was lost. Furthermore, amateurs were put in charge of gathering evidence, and their actions tipped off the criminals and enabled them to run and hide.
One must also not forget that this was an attack against a highly complicated, very obscure type of system, but one with huge-value targets. Often these types of systems have less security built in than the average desktop operating system, and rely instead on obscurity for security. Irrespective of that, however, the value of the targets means such a system is still at significant risk. This highlights the shift toward a much more sophisticated type of attacker. This type of attack is highly unlikely to be perpetrated by some asocial teenager sitting in his basement. It's a new world, and a new adversary.